[squid-users] hide squid name for clients

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 10 06:11:41 UTC 2019


On 10/04/19 1:40 am, leomessi983 wrote:
> Hi
> When i use curl -I http://foo.com squid will send his name and version
> to clients that i don't want to!!
> 
> 
> root at debian:~# curl  -I http://youtube.com
> HTTP/1.1 403 Forbidden
> Server: squid/4.6
> Mime-Version: 1.0
> Date: Tue, 09 Apr 2019 13:34:36 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 404
> X-Squid-Error: ERR_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en
> X-Cache: MISS from LINUX-SRV
> Via: 1.1  LINUX-SRV (squid/4.6)
> Connection: keep-alive
> 
> 
> How can i config squid to doesn't show this information to clients?!
> 


Why? Many of these details are needed to have good Internet
communication between the proxy and other HTTP agents receiving this
message.


For example; The above response is a statement of security policy *by
the proxy*. If the client is not made aware that it is a proxy response
there can be unwanted side effects in the security handling of whatever
domain the client was trying to fetch when the proxy created that
response. eg CORS restrictions on other content of the site which the
proxy would have allowed, failover to unexpected protocols, broken
origin XSS protections, etc.


You can configure
<http://www.squid-cache.org/Doc/config/httpd_suppress_version_string/>
if you want to hide the exact Squid version.

Other headers can be manipulated with
<http://www.squid-cache.org/Doc/config/reply_header_access/> and
<http://www.squid-cache.org/Doc/config/reply_header_replace/>, or
<http://www.squid-cache.org/Doc/config/reply_header_add/>. But please be
very careful if you do that, as mentioned above there can be surprising
side effects.


PS. Do not be embarrassed to be using a proxy. Most traffic on the
Internet these days goes through up to 6 proxies before it reaches the
client.

Amos


More information about the squid-users mailing list