RE: [SQU] Hiding the name and version of squid in the error message

From: Hamid Hashemi Golpayegani <>
Date: Tue, 6 Mar 2001 00:01:18 +0330

I want to prevent this message at the bottom of the page, which is not
contained in the /etc/squid/erros document, like this:

Generated Mon, 05 Mar 2001 20:29:08 GMT by

I don't want anyone to know my hostname.

   /  Seyyed Hamid Reza    /        WINDOWS FOR NOW  !!            /
  /  Hashemi Golpayegani  /  Linux for future , FreeBSD for ever  /
 /    Morva System Co.   / ------------------------------------- /
/  Network Administrator/   ,   ICQ# : 42209876 /

-----Original Message-----
From: Bruno Guerreiro []
Sent: Monday, March 05, 2001 11:10 PM
To: 'Joe Erlewein'
Subject: RE: [SQU] Hiding the name and version of squid in the error message

I don't know if you can disable the %s in the error pages but a simple
telnet to the Squid port will also give the information that you want to

telnet 80
HTTP/1.0 400 Bad Request
Server: Squid/2.3.STABLE4
Mime-Version: 1.0
Date: Mon, 05 Mar 2001 19:33:46 GMT
Content-Type: text/html
Content-Length: 824
Expires: Mon, 05 Mar 2001 19:33:46 GMT
X-Squid-Error: ERR_INVALID_REQ 0

As far as I can tell Netscape-Proxy and MSProxy also disclose their names
and versions.

Bruno Guerreiro

-----Original Message-----
From: Joe Erlewein []
Sent: Monday, 5 March 2001 18:21
Subject: Re: [SQU] Hiding the name and version of squid in the error

In the professional environment I intend to implement this cache solution,
this is very unacceptable.

Linux has been a long-outlawed OS here, and with this recent opportunity to
use something like it, my objective is to make it as bulletproof as
possible. In order to do this, I need to be sure that the system CANNOT be
identified to outside (or inside) users/hacks.

Thus, the proposed hiding of the cache name / version appears good, but
anyone can click "view source" and have a field day.

Is there a way to reassign the value reported by %s, or is there a way
(possibly recompiling?) to disable the addition of %s if it is undefined?
i.e.: stop the default signature from being added.

I'd hate to leave an open invitation to the possibility of compromise, and
am actually considering scrapping squid altogether for something commercial
based on this one fatal flaw.

I'm hoping for a workaround, as personally I'd rather use Linux/Squid, but
professionally I'm simply not willing to take the risk...

Joseph R. Erlewein, N8OUZ
Intern, Networking
Munson Healthcare

>>> Henrik Nordstrom <> 2/14/2001 3:55:20 PM >>>
You cannot completely hide it, but you can put it inside an HTML comment
making it less obvious to the user..

Example custom signature: (add it to the end of each error page)

<br clear="all">
<hr noshade size=1>
Generated %T
<!-- %h (%s) -->

Unless the error page includes "%s" (Squid name and version) the default
signature will be added.

Note: If you prefer to have the datestamps using your local timezone,
then use %t instead of %T above.

Henrik Nordstrom
Squid hacker

Kareem Mahgoub wrote:
> Hi all
> I would like to know if there is a way to hide the version and the name of
> squid, on all error messages.
> I have checked in the FAQ and I found how to change all the parameters but
> not the name and the version that appears in the last line of the error
> message.
> Any help would be appreciated.
> Regards,
> Kareem Mahgoub
> --
> To unsubscribe, see
Received on Mon Mar 05 2001 - 13:33:57 MST
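
Added example (not part of the original thread, and not Squid project code): a small audit that lists where a proxy response discloses its product and version, covering the Server header and X-Squid-Error header from the telnet output above and a signature tucked into an HTML comment as in the custom-signature suggestion. The sample response is constructed from the headers quoted in the thread; the hostname proxy.example.internal and the function name audit_response are assumptions.

```python
import re

# Product token followed by a version, e.g. "Squid/2.3.STABLE4" (protocol token HTTP/x.y is skipped).
VERSION_TOKEN = re.compile(r"\b(?!HTTP/)[A-Za-z][\w-]*/\d[\w.]*")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)


def audit_response(raw):
    """Return (location, detail) findings for one raw HTTP response string."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "server" and VERSION_TOKEN.search(value):
            findings.append(("header:server", value))
        elif name.startswith("x-squid-"):
            findings.append(("header:" + name, value))
    # A comment is not rendered, but "view source" still shows it.
    for comment in HTML_COMMENT.findall(body):
        for match in VERSION_TOKEN.finditer(comment):
            findings.append(("body:html-comment", match.group(0)))
    # Whatever remains after stripping comments is shown to every user.
    for match in VERSION_TOKEN.finditer(HTML_COMMENT.sub("", body)):
        findings.append(("body:visible", match.group(0)))
    return findings


# Constructed sample: headers as quoted in the thread, body using the
# custom signature with %h and %s expanded to assumed values.
SAMPLE = (
    "HTTP/1.0 400 Bad Request\r\n"
    "Server: Squid/2.3.STABLE4\r\n"
    "Mime-Version: 1.0\r\n"
    "Content-Type: text/html\r\n"
    "X-Squid-Error: ERR_INVALID_REQ 0\r\n"
    "\r\n"
    "<html><body><h1>ERROR</h1>\n"
    '<br clear="all">\n<hr noshade size=1>\n'
    "Generated Mon, 05 Mar 2001 19:33:46 GMT\n"
    "<!-- proxy.example.internal (Squid/2.3.STABLE4) -->\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for location, detail in audit_response(SAMPLE):
        print(f"{location:22} {detail}")
```

Running it against a saved response from your own proxy shows whether a change to the error pages actually removed the version string or only moved it out of the rendered page.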
