[squid-dev] Digest related question.

Jack Bates 596wuk at nottheoilrig.com
Thu Mar 19 16:59:30 UTC 2015


On 18/03/15 01:23 AM, Henrik Nordström wrote:
> mån 2015-03-16 klockan 04:03 +0200 skrev Eliezer Croitoru:
>> My main concern until now is that if squid would have the cached object
>> in a digest url form such as:
>> http://digest.squid.internal/MD5/xyz123"
>>
>> Squid would in many cases try to verify against the origin server that
>> the cached object has the same ETAG and MODIFICATION time.
>
> The Digest alone is only on the body, and says nothing about header
> authority. You need to get trusted object headers from somewhere else,
> i.e. the requested origin. Once you have the authoritative headers you
> can splice in the digest verified response body.
>
> This is in some sense similar to the header merging needed in ETag based
> variant handling on a single URL, but even more so as you must not take
> headers from one random URL and apply them to another requested URL
> without permission unless the requested URL permits this.  Violating
> this opens a range of security concerns where headers may be injected
> giving a different result than intended by the origin.

Here is what the Traffic Server plugin currently does:
http://nottheoilrig.com/trafficserver/untitled.pdf

I understand you are talking about something different,
can you point out the differences from what the plugin does,
to help me understand why header splicing is necessary?


More information about the squid-dev mailing list