[squid-users] RFC2616 headers in bumped requests
Steve Hill
steve at opendium.com
Tue Nov 4 10:17:58 UTC 2014

Squid (correctly) inserts Via and X-Forwarded-For headers into requests
that it is proxying. However, in the case of encrypted traffic, the
server and client are expecting the traffic to reach the other end
as-is, since usually this could not be intercepted. With SSL bumped
requests this is no longer true - the proxy can (and does) modify the
traffic, by inserting these headers.

So I'm asking the question: is this behavior considered desirable, or
should we be attempting to modify the request as little as possible for
compatibility reasons?

I've just come across a web server that throws its toys out of the pram
when it sees a Via header in an HTTPS request, and unfortunately it's
quite a big one - Yahoo. See this request:
-----
GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
Host: uk.finance.yahoo.com
Via: 1.1

HTTP/1.1 301 Moved Permanently
Date: Tue, 04 Nov 2014 09:55:40 GMT
Via: http/1.1 yts212.global.media.ir2.yahoo.com (ApacheTrafficServer [c
s f ]), http/1.1 r04.ycpi.ams.yahoo.net (ApacheTrafficServer [cMsSfW])
Server: ATS
Strict-Transport-Security: max-age=172800
Location: https://uk.finance.yahoo.com/news/degrees-lead-best-paid-careers-141513989.html
Content-Length: 0
Age: 0
Connection: keep-alive
-----

Compare to:

-----
GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
Host: uk.finance.yahoo.com

HTTP/1.1 200 OK
...
-----

Note that the 301 that they return when a Via header is present just
points back at the same URI, so the client never gets the object it
requested.

For now I have worked around it with:

request_header_access Via deny https
request_header_access X-Forwarded-For deny https

But it does make me wonder if inserting the headers into bumped traffic
is a sensible thing to do.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messenger: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-825748 / sip:sales at opendium.com
Support contacts:
Email: support at opendium.com
Phone: +44-1792-824568 / sip:support at opendium.com
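
Added example, not part of the original post: the failure described above (a 301 whose Location is the URI that was just requested) can be detected mechanically from a captured request/response pair. The function names and the abridged capture are constructed for illustration; the scheme is passed in as an assumption because the request line of a bumped request carries no scheme.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: the bumped request and an abridged copy of the 301 from the post.
REQUEST = """GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
Host: uk.finance.yahoo.com
Via: 1.1
"""
RESPONSE = """HTTP/1.1 301 Moved Permanently
Server: ATS
Location: https://uk.finance.yahoo.com/news/degrees-lead-best-paid-careers-141513989.html
Content-Length: 0
"""
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_head(raw):
    """Return (start_line, {lowercased header name: value}) for a message head."""
    lines = raw.strip().splitlines()
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:   # obsolete folded continuation
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return lines[0], headers

def normalise(url):
    """Reduce a URL to the parts that decide whether two URLs are the same resource."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port, u.path or "/", u.query

def is_self_redirect(request, response, scheme="https"):
    """True when the response is a 3xx whose Location is the URL just requested."""
    request_line, req_headers = parse_head(request)
    status_line, resp_headers = parse_head(response)
    # Origin-form target plus Host, or an absolute-form target used as-is.
    requested = urljoin(f"{scheme}://{req_headers['host']}/", request_line.split()[1])
    status = int(status_line.split()[1])
    location = resp_headers.get("location")
    if not 300 <= status < 400 or not location:
        return False
    return normalise(urljoin(requested, location)) == normalise(requested)

if __name__ == "__main__":
    print("bumped (https):", is_self_redirect(REQUEST, RESPONSE))
    print("plain http:    ", is_self_redirect(REQUEST, RESPONSE, "http"))
```

The second call shows why the scheme matters: the same 301 in answer to a plain-HTTP request is an ordinary upgrade to HTTPS, not a loop.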