[squid-dev] Digest related question.
Henrik Nordström
henrik at henriknordstrom.net
Wed Mar 18 08:23:57 UTC 2015
mån 2015-03-16 klockan 04:03 +0200 skrev Eliezer Croitoru:
> My main concern until now is that if squid would have the cached object
> in a digest url form such as:
> http://digest.squid.internal/MD5/xyz123"
>
> Squid would in many cases try to verify against the origin server that
> the cached object has the same ETAG and MODIFICATION time.
The Digest alone is only on the body, and says nothing about header
authority. You need to get trusted object headers from somewhere else,
i.e. the requested origin. Once you have the authoritative headers you
can splice in the digest verified response body.
This is in some sense similar to the header merging needed in ETag based
variant handling on a single URL, but even more so as you must not take
headers from one random URL and apply them to another requested URL
without permission unless the requested URL permits this. Violating
this opens a range of security concerns where headers may be injected
giving a different result than intended by the origin.
Regards
Henrik
More information about the squid-dev
mailing list