[squid-users] Spdy header and related

Amos Jeffries squid3 at treenet.co.nz
Wed Aug 3 13:57:11 UTC 2016


On 4/08/2016 12:34 a.m., joe wrote:
> is it ok to drop X-Firefox-Spdy
> reply_header_access X-Firefox-Spdy deny all
> just allow http/1

"just allow http/1" is not what the above does. It simply denies the
client being informed about that header existing.

> and if yes how chrome use Spdy in header to drop it 
> does it hurt the client's app or browsing?

Yes it is okay to drop that and any other X-* header. They are by
definition experimental and already deprecated. That includes the ones
generated by Squid itself.

SPDY itself as a protocol is destined to be killed off rather soon.
IIRC, by the end of this year. It has been superseded by HTTP/2 which
Squid does not yet support (but I'm working on it).


> I'm dropping those as well, so far so good, no complaints
> 
> reply_header_access Strict-Transport-Security deny all
> reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
> reply_header_access Alternate-Protocol deny all 
> reply_header_access alternate-protocol deny all 
> reply_header_access Alt-Svc deny all
> reply_header_access alt-svc deny all
> if there are any other headers to drop pls help tks


What is your goal?

If it is to encourage use of protocols that Squid supports, then AFAIK
those are the headers to alter. However, there are details ...

* replacing (or removing) Strict-Transport-Security is only good for
people performing transparent interception of port 443. And is only
useful for domains which have "pinned" certificates. Other domains can
be bumped despite HSTS being used.

* Alternate-Protocol is a header with behaviour that should have been
defined as hop-by-hop. Recent Squid versions strip it by default. You
don't have to do anything.

* Alt-Svc is a tricky situation. The information in it can be useful to
Squid to let the client know, even when intercepting traffic. It is an
OPTIONAL header though, so stripping it away is harmless and has some gain.

Amos
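
Added example, not part of the original message and not Squid project code: a small audit of the reply_header_access / reply_header_replace lines quoted in the thread, annotating each rule with the point made about it in the reply. The audit() function, the NOTES table and the sample text are constructed for illustration; treating differently-cased header names as duplicates is an assumption based on HTTP field names being case-insensitive.

```python
import re

# Per-header notes paraphrasing the reply above (keys are lowercase).
NOTES = {
    "strict-transport-security": "only relevant when intercepting port 443, and only for pinned domains",
    "alternate-protocol": "recent Squid versions strip it by default; rule not needed",
    "alt-svc": "optional header; stripping is harmless",
}

# Constructed sample: the directives quoted in the thread.
SAMPLE_CONF = """\
reply_header_access X-Firefox-Spdy deny all
reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
reply_header_access Alternate-Protocol deny all
reply_header_access alternate-protocol deny all
reply_header_access Alt-Svc deny all
reply_header_access alt-svc deny all
"""

def audit(conf_text):
    """Return (findings, replacements) for the reply_header_* directives found."""
    findings, replacements, seen = [], {}, {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank line, comment, or unrelated short directive
        directive, header, rest = parts
        key = header.lower()
        if directive == "reply_header_replace":
            replacements[key] = (lineno, rest)
        elif directive == "reply_header_access" and rest.split()[0] == "deny":
            if key in seen:  # assumption: names are matched case-insensitively
                note = f"duplicate of line {seen[key]} (field names are case-insensitive)"
            elif key.startswith("x-"):
                note = "experimental X-* header; okay to drop"
            else:
                note = NOTES.get(key, "not discussed in the thread")
            seen.setdefault(key, lineno)
            findings.append((lineno, header, note))
    # RFC 6797: max-age=0 tells the browser to forget a stored HSTS policy.
    hsts = replacements.get("strict-transport-security")
    if hsts and re.search(r'max-age\s*=\s*"?0"?\s*(;|$)', hsts[1], re.I):
        findings.append((hsts[0], "Strict-Transport-Security",
                         "replacement max-age=0 makes browsers expire stored HSTS policy"))
    return findings, replacements

if __name__ == "__main__":
    for lineno, header, note in audit(SAMPLE_CONF)[0]:
        print(f"line {lineno}: {header}: {note}")
```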


