[squid-users] RFC2616 headers in bumped requests

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 17 22:05:05 UTC 2014


On 17/11/2014 11:25 p.m., Steve Hill wrote:
> On 04/11/14 13:59, Amos Jeffries wrote:
> 
>>> I've just come across a web server that throws its toys out of
>>> the pram when it sees a Via header in an HTTPS request, and 
>>> unfortunately it's quite a big one - Yahoo.  See this request:
>> 
>>> -----
>>> GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
>>> Host: uk.finance.yahoo.com
>>> Via: 1.1
>> 
>> That is unfortunately an invalid HTTP Via header. It is mandatory
>> to contain the host field even if it contains a host alias for
>> the real FQDN. If that is what is actually being transferred the
>> server is right in complaining.
> 
> It looks like I copied and pasted this wrong in my original email,
> I have just retested and squid sends:
>   Via: 1.1 iceni2.opendium.net (squid/3.4.9)
> 
>>> For now I have worked around it with:
>>>   request_header_access Via deny https
>>>   request_header_access X-Forwarded-For deny https
>>> But it does make me wonder if inserting the headers into bumped
>>> traffic is a sensible thing to do.
>> 
>> If you can please check that Via header being emitted by your
>> Squid when things break. And also whether your Squid is
>> contacting their server on an HTTPS or HTTP port. If your Squid
>> is contacting their HTTP port for un-encrypted traffic this
>> redirect is completely expected.
> 
> This is definitely occurring when contacting the server on HTTPS
> with a valid Via header:
> 

Would you mind running an experiment for me?

To see what happens if Squid delivers either of these Via headers
instead of its current output:

  Via: HTTPS/1.1 iceni2.opendium.net (squid/3.4.9)

  Via: TLS/1.2 iceni2.opendium.net (squid/3.4.9)

Setting it with request_header_access/replace should do.

Amos
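An added example, not part of the original message and not Squid code: a small Python check of the Via grammar from RFC 2616 section 14.45 (optional protocol-name, protocol-version, received-by, optional comment), usable on the header values quoted in this thread. The function names are assumptions of this sketch; IPv6 received-by literals are not handled and comment contents are only checked for balanced parentheses.

```python
import re

# HTTP "token" characters: no separators such as "/", ":", "(" or whitespace.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One Via element: [protocol-name "/"] protocol-version, received-by, [comment].
ELEMENT = re.compile(
    rf"(?:(?P<name>{TOKEN})/)?(?P<version>{TOKEN})"
    rf"[ \t]+(?P<by>{TOKEN}(?::\d+)?)"
    rf"(?:[ \t]+(?P<comment>\(.*\)))?$"
)

def split_elements(value):
    """Split a Via value on commas that sit outside (possibly nested) comments."""
    parts, depth, start, i = [], 0, 0, 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and depth:
            i += 1                      # quoted-pair inside a comment: skip next char
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in Via value")
        elif ch == "," and depth == 0:
            parts.append(value[start:i])
            start = i + 1
        i += 1
    if depth:
        raise ValueError("unterminated comment in Via value")
    parts.append(value[start:])
    return [p.strip() for p in parts if p.strip()]

def parse_via(value):
    """Return one dict per hop; raise ValueError on a malformed element."""
    hops = []
    for element in split_elements(value):
        m = ELEMENT.match(element)
        if m is None:
            raise ValueError(f"malformed Via element: {element!r}")
        # protocol-name may be omitted only when it is "HTTP"
        hops.append({"protocol": m["name"] or "HTTP", "version": m["version"],
                     "received_by": m["by"], "comment": m["comment"]})
    return hops

def is_valid_via(value):
    try:
        return bool(parse_via(value))   # an empty value has no hops and is invalid
    except ValueError:
        return False
```

A value that passes this check is only syntactically well-formed; whether an origin server accepts it is what the experiment above is meant to find out.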
