[squid-users] Access-Control-* headers missing when going through squid
Amos Jeffries
squid3 at treenet.co.nz
Wed Apr 19 04:41:08 UTC 2017
On 19/04/17 13:12, Dan Charlesworth wrote:
> Hi everyone,
>
> This is a super weird one!
>
> This Pressreader site (http://sheppartonnews.pressreader.com/shepparton-news) gets a totally different (erroneous) response from the server when accessing it through squid on a particular school's network.
>
> It doesn’t happen through any other squid box on any other network I’ve tried, yet at this site you bypass squid through the same gateway and it's fine; you use squid and it fails.
>
> The only errors I can see in the browser (that happen when it fails) are CORS errors on several of the requests. Comparing the headers it looks like the erroneous requests lack these from the response:
>
> Access-Control-Allow-Credentials: true
> Access-Control-Allow-Origin: http://sheppartonnews.pressreader.com
> Access-Control-Expose-Headers: ndstate,X-PD-AProfile,X-PD-Profile,X-PD-Ticket,X-PD-Auth,X-PD-PAuth,X-PD-Token
>
> No, the squid config we’re using never touches headers. Every HTTP/S request from the client is being allowed and is a 200/304 in both situations.
>
> (see attached for the full request response headers)
>
> Make any sense to anyone?

Squid does not touch these headers itself unless you configure it to. So
something there is altering them. It may be external MITM stuff, or
Squid coping with broken input.

Try adding "debug_options 11,2" to see what is actually arriving and
leaving that proxy.

Amos
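
One way to act on the header dumps once you have them, as an added example that is not part of the original thread: it compares the reply headers arriving at the proxy with those leaving it and lists any Access-Control-* headers lost in between. The function names and both sample header blocks are constructed for illustration; paste the blocks captured from the proxy's debug output in their place.

```python
# Added example (not from the thread). Both sample blocks are constructed.
UPSTREAM_REPLY = """\
HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://sheppartonnews.pressreader.com
Access-Control-Expose-Headers: ndstate,X-PD-AProfile,X-PD-Profile
Via: 1.1 origin.example
"""
CLIENT_REPLY = """\
HTTP/1.1 200 OK
Content-Type: application/json
Via: 1.1 origin.example, 1.1 proxy.example (squid)
"""

def parse_headers(block):
    """Parse a raw header block into {lowercased name: [values]}."""
    lines = block.replace("\r\n", "\n").strip("\n").split("\n")
    headers = {}
    for line in lines[1:]:            # lines[0] is the status line
        if not line.strip():
            break                     # blank line ends the header block
        if line[0] in " \t" and headers:
            last = next(reversed(headers))   # folded continuation line
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:                       # skip lines that are not "name: value"
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def diff_headers(before, after):
    """Report header names dropped, added or changed between two blocks."""
    b, a = parse_headers(before), parse_headers(after)
    return {
        "dropped": sorted(set(b) - set(a)),
        "added": sorted(set(a) - set(b)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }

def dropped_cors(before, after):
    """Names of Access-Control-* headers present before but not after."""
    dropped = diff_headers(before, after)["dropped"]
    return [n for n in dropped if n.startswith("access-control-")]

if __name__ == "__main__":
    print(diff_headers(UPSTREAM_REPLY, CLIENT_REPLY))
    print("CORS headers lost:", dropped_cors(UPSTREAM_REPLY, CLIENT_REPLY))
```

If the CORS headers are already absent from the block arriving at the proxy, the change is happening upstream of it rather than in the proxy itself.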