Re: Squid not sending User-Agent: with CONNECT requests

[The original message had somewhat odd headers and my reply didn't get copied
to squid-users, hence this copy. Already sent to the people named in the
original message's headers.]

Martin Ibert wrote:
>
> Due to considerations I can neither understand nor subscribe to, we
> cannot get out into the Internet with any old client program. The client
> program must provide a User-Agent: header with every request, and the
> value of that header is matched against a regular expression, and if it
> does not match, access is denied.
>
> With normal GET requests, everything works smoothly (as my client
> program indeed reports the correct User-Agent:). But as soon as I troy
> to CONNECT to a secure HTTP server, squid appears not to send an
> User-Agent: header at all! People who can access the central proxy
> directly do not have this problem.
>
> I know that I can make squid report any User-Agent: string that I want.
> But will that solve the problem, since squid does not seem to provide
> _any_ User-Agent: at all, although the client sent one with the request?

I may be missing something, but here's my attempt at explaining what's
happening. In brief, with a secure connection, the data will be encrypted
so neither proxy can understand or modify the data-stream...

The secure HTTP connection is encrypted end-to-end. Only the browser and the
remote secure server can understand the data-stream and anyone in the middle
cannot (if the encryption is working :-) see the content or modify it. Hence,
all squid or any other proxy can do is pass on the data as received. Any
special HTTP headers that may be required can only be added by the browser,
but that does not help anyway since the central proxy cannot see the headers
because of the encryption.

What I don't understand is why people connecting directly to the central proxy
don't have the same problem (it can't interpret the content of their secure
connections either) unless their right to use the central proxy is established
in some other way (e.g. by their hostname/IP address, since the central proxy
can see which system is connecting) rather than via the User-Agent header.

                                John Line

-- 
University of Cambridge WWW manager account (usually John Line)
Send general WWW-related enquiries to webmaster@ucs.cam.ac.uk