[squid-users] RFC2616 headers in bumped requests
Steve Hill
steve at opendium.com
Mon Nov 17 10:25:47 UTC 2014
On 04/11/14 13:59, Amos Jeffries wrote:
>> I've just come across a web server that throws its toys out of the
>> pram when it sees a Via header in an HTTPS request, and
>> unfortunately it's quite a big one - Yahoo. See this request:
>
>> -----
>> GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
>> Host: uk.finance.yahoo.com
>> Via: 1.1
>
> That is unfortunately an invalid HTTP Via header. It is mandatory to
> contain the host field even if it contains a host alias for the real
> FQDN. If that is what is actually being transferred the server is right
> in complaining.
It looks like I copied and pasted this wrong in my original email; I
have just retested, and Squid sends:
Via: 1.1 iceni2.opendium.net (squid/3.4.9)
>> For now I have worked around it with:
>>
>> request_header_access Via deny https
>> request_header_access X-Forwarded-For deny https
>>
>> But it does make me wonder if inserting the headers into bumped traffic is
>> a sensible thing to do.
>
> If you can please check that Via header being emitted by your Squid
> when things break. And also whether your Squid is contacting their
> server on an HTTPS or HTTP port.
> If your Squid is contacting their HTTP port for un-encrypted traffic
> this redirect is completely expected.
This is definitely occurring when contacting the server on HTTPS with a
valid Via header:
$ openssl s_client -connect uk.finance.yahoo.com:443 -servername uk.finance.yahoo.com
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Yahoo Inc., CN = www.yahoo.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./CN=www.yahoo.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
[certificate removed]
---
GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
Host: uk.finance.yahoo.com
Via: 1.1 iceni2.opendium.net (squid/3.4.9)

HTTP/1.1 301 Moved Permanently
Date: Mon, 17 Nov 2014 10:20:57 GMT
Via: http/1.1 yts272.global.media.ir2.yahoo.com (ApacheTrafficServer [c s f ]), http/1.1 r15.ycpi.dee.yahoo.net (ApacheTrafficServer [cMsSfW])
Server: ATS
Strict-Transport-Security: max-age=172800
Location: https://uk.finance.yahoo.com/news/degrees-lead-best-paid-careers-141513989.html
Content-Length: 0
Age: 0
Connection: keep-alive
--
- Steve
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messager: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-825748 / sip:sales at opendium.com
Support contacts:
Email: support at opendium.com
Phone: +44-1792-824568 / sip:support at opendium.com
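The received-by requirement Amos points out is easy to check mechanically. The following parser is an added example, not part of this thread or of Squid's code: it splits a Via field value into hops per the grammar in RFC 7230 s.5.7.1 (the successor of RFC 2616 s.14.45), rejects a bare "1.1" because received-by is missing, and accepts the Squid and ApacheTrafficServer headers shown above, including the comment with spaces and brackets.

```python
import re
# RFC 7230 s.5.7.1 (successor of RFC 2616 s.14.45):
#   Via = 1#( received-protocol RWS received-by [ RWS comment ] )
#   received-protocol = [ protocol-name "/" ] protocol-version
#   received-by = ( uri-host [ ":" port ] ) / pseudonym     <- mandatory
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PROTO_RE = re.compile(rf"^(?:{TOKEN}/)?{TOKEN}$")
BY_RE = re.compile(rf"^(?:\[[0-9A-Fa-f:.]+\]|{TOKEN})(?::[0-9]*)?$")

def _split_hops(value):
    """Split on commas that sit outside a (comment); comments may nest."""
    hops, buf, depth, i = [], [], 0, 0
    while i < len(value):
        ch = value[i]
        if depth and ch == "\\" and i + 1 < len(value):  # quoted-pair in comment
            buf.append(value[i:i + 2]); i += 2; continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                raise ValueError("unbalanced ')' in Via")
            depth -= 1
        elif ch == "," and depth == 0:
            hops.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    if depth:
        raise ValueError("unterminated comment in Via")
    hops.append("".join(buf))
    return [h.strip() for h in hops if h.strip()]  # the #rule tolerates empty elements

def _parse_hop(hop):
    # Returns (protocol, received_by, comment-or-None) or raises ValueError.
    comment = None
    if "(" in hop:  # the comment runs from the first '(' to the end of the hop
        hop, comment = hop[:hop.index("(")].rstrip(), hop[hop.index("("):]
        if not comment.endswith(")"):
            raise ValueError(f"text after comment in {comment!r}")
    parts = hop.split()
    if len(parts) != 2:  # a bare "1.1", with or without a comment, fails here
        raise ValueError(f"expected 'received-protocol received-by', got {hop!r}")
    if not PROTO_RE.match(parts[0]) or not BY_RE.match(parts[1]):
        raise ValueError(f"malformed hop {hop!r}")
    return parts[0], parts[1], comment

def parse_via(value):
    # Parse a Via field value into [(protocol, received_by, comment), ...].
    return [_parse_hop(h) for h in _split_hops(value)]

def is_valid_via(value):
    try:
        return bool(parse_via(value))  # an empty Via is not valid either
    except ValueError:
        return False
```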