[squid-users] Useragent request/reply headers with squid .
Amos Jeffries
squid3 at treenet.co.nz
Sat Jun 15 09:37:17 UTC 2019
On 15/06/19 8:57 pm, --Ahmad-- wrote:
> Hello Folks ,
>
> im trying to disable user agent info to be leaked out of squid using :
>
> request_header_access User-Agent deny all
> reply _header_access User-Agent deny all
>
> squid very 3.5.x
>
>
> but when i test sending the user agent info via curl info it seems squid
> is not removing it and passing it to the server
>
> curl -x x.x.x.x:19000 -U pass:pass -X POST
> https://uploadbeta.com/api/parse-user-agent/ -d
> "s=nUser-Agent:%20Mozilla/4.0%20(compatible;%20MSIE%207.0;%20linux%20NT%206.1)”
>
> result ——>>>>>>>>> {"platform":"linux","browser":"MSIE","version":"7.0”}
>
>
> as you see above i tried with squid to disable useragent , but in curl
> it seems squid leaked it
>
> any idea why squid leaking useragent ?
Besides what the others have already pointed out; you are also sending a
U-A string as message data. Not in a header.
So there is no way to tell from your test:
* whether the HTTP message available to Squid has a U-A header at all, and
* whether the header is in a form Squid has access to remove
(decrypted), and
* whether the form processor is using the form data or the MIME data
(header)
In short. This test is so incorrect as to not produce even useful side
effects.
I suggest you use cache.log and "debug_options 11,2" to see what
messages and headers are entering and leaving Squid.
Amos
More information about the squid-users
mailing list