[squid-users] RFC2616 headers in bumped requests

Steve Hill steve at opendium.com
Mon Nov 17 10:25:47 UTC 2014


On 04/11/14 13:59, Amos Jeffries wrote:

>> I've just come across a web server that throws its toys out of the
>> pram when it sees a Via header in an HTTPS request, and
>> unfortunately it's quite a big one - Yahoo.  See this request:
> 
>> -----
>> GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
>> Host: uk.finance.yahoo.com
>> Via: 1.1
> 
> That is unfortunately an invalid HTTP Via header. It is mandatory to
> contain the host field even if it contains a host alias for the real
> FQDN. If that is what is actually being transferred the server is right
> in complaining.

It looks like I copied and pasted this wrong in my original email, I
have just retested and squid sends:
  Via: 1.1 iceni2.opendium.net (squid/3.4.9)

>> For now I have worked around it with:
>>   request_header_access Via deny https
>>   request_header_access X-Forwarded-For deny https
>> But it does make me wonder if inserting the headers into bumped traffic
>> is a sensible thing to do.
> 
> If you can please check that Via header being emitted by your Squid
> when things break. And also whether your Squid is contacting their
> server on an HTTPS or HTTP port.
> If your Squid is contacting their HTTP port for un-encrypted traffic
> this redirect is completely expected.

This is definitely occurring when contacting the server on HTTPS with a
valid Via header:

$ openssl s_client -connect uk.finance.yahoo.com:443 -servername uk.finance.yahoo.com
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
"(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class
3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class
3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Yahoo Inc., CN =
www.yahoo.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./CN=www.yahoo.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
---
[certificate removed]
---
GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
Host: uk.finance.yahoo.com
Via: 1.1 iceni2.opendium.net (squid/3.4.9)

HTTP/1.1 301 Moved Permanently
Date: Mon, 17 Nov 2014 10:20:57 GMT
Via: http/1.1 yts272.global.media.ir2.yahoo.com (ApacheTrafficServer [c
s f ]), http/1.1 r15.ycpi.dee.yahoo.net (ApacheTrafficServer [cMsSfW])
Server: ATS
Strict-Transport-Security: max-age=172800
Location: https://uk.finance.yahoo.com/news/degrees-lead-best-paid-careers-141513989.html
Content-Length: 0
Age: 0
Connection: keep-alive

-- 

 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

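A small probe, added here as an example and not part of the thread or of Squid itself, that repeats the openssl test above from a script: it sends the same GET over TLS with and without a Via header and reports the status code and Location, so the origin's reaction to hop headers can be confirmed before a request_header_access rule is added. The host, path and Via value in the main block are assumptions.

```python
"""Check whether an HTTPS origin answers differently when a proxy Via header
is present. Added example; host, path and the Via string are assumptions."""
import socket
import ssl
from typing import Dict, Optional, Tuple


def build_request(host: str, path: str, via: Optional[str] = None) -> bytes:
    """Build a minimal HTTP/1.1 GET, optionally carrying a Via header."""
    lines = ["GET %s HTTP/1.1" % path, "Host: %s" % host]
    if via is not None:
        lines.append("Via: %s" % via)
    lines.append("Connection: close")  # let the server close so recv() sees EOF
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_status(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lowercased header map) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return code, headers


def probe(host: str, path: str, via: Optional[str],
          timeout: float = 10.0) -> Tuple[int, Dict[str, str]]:
    """Send the request over TLS (as openssl s_client does) and parse the reply."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_request(host, path, via))
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    return parse_status(b"".join(chunks))


if __name__ == "__main__":
    # Assumed values: use the origin that misbehaves behind your own proxy.
    HOST, PATH = "uk.finance.yahoo.com", "/news/degrees-lead-best-paid-careers-141513989.html"
    plain, _ = probe(HOST, PATH, None)
    bumped, hdrs = probe(HOST, PATH, "1.1 proxy.example.net (squid/3.4.9)")
    print("without Via: %d  with Via: %d  Location: %s"
          % (plain, bumped, hdrs.get("location")))
```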
