On Thu, May 14, 2009 at 21:56, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> Kurt Buff wrote:
>>
>> On Wed, May 13, 2009 at 18:18, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>>
>>>> On Tue, May 12, 2009 at 17:09, Chris Robertson <crobertson_at_gci.net>
>>>> wrote:
>>>>>
>>>>> Kurt Buff wrote:
>>>>>>
>>>>>> All,
>>>>>>
>>>>>> My user population is having frequent problems fetching PDFs through
>>>>>> our squid proxy, and I think I've narrowed down the issue, though I'm
>>>>>> not 100% certain of it.
>>>>>>
>>>>>> I see two deny messages from our Sidewinder firewall, that are
>>>>>> associated with the URLs regarding request headers for the PDFs:
>>>>>>
>>>>>> Â Â "Request denied with request header Unless-Modified-Since."
>>>>>>
>>>>>> and
>>>>>>
>>>>>> Â Â "Request denied with request header Translate."
>>>>>>
>>>>>> Is there a way to cause squid to ignore these request headers from the
>>>>>> browsers,
>>>>>
>>>>> http://www.squid-cache.org/Doc/config/header_access/
>>>>>
>>>>>> Â or to replace them with something benign?
>>>>>
>>>>> http://www.squid-cache.org/Doc/config/header_replace/
>>>>>
>>>>>> Â Is it reasonable
>>>>>> to do so, or will that just cause further issues?
>>>>>>
>>>>> There, I can't help. Â I'd suggest contacting support for the Firewall,
>>>>> and
>>>>> get the problem solved (or at least identified) there.
>>>>>
>>>>>> Any help and thoughts appreciated.
>>>>>>
>>>>>> Kurt
>>>>>>
>>>>>
>>>>> Chris
>>>>
>>>> Unfortunately, adding the two directives:
>>>>
>>>> header_access Unless-Modified-Since deny all
>>>> header_access Translate deny all
>>>>
>>>> Generates the following errors at start and stop of squid:
>>>>
>>>> 2009/05/13 11:42:57| cache_cf.cc(346) squid.conf:40 unrecognized:
>>>> 'header_access'
>>>> 2009/05/13 11:42:57| cache_cf.cc(346) squid.conf:41 unrecognized:
>>>> 'header_access
>>>>
>>>> Under FreeBSD, a 'make config' shows that SQUID_STRICT_HTTP is
>>>> deselected. From my reading of the make file, this means that the
>>>> directive --disable-http-violations is not in effect.
>>>>
>>>> Will I have to recompile with --enable-http-violations to be able to
>>>> use these directives?
>>>>
>>>> Kurt
>>>>
>>> Yes.
>>>
>>> Amos
>>
>> I came to that conclusion on my own, and did recompile with that
>> option ('make --enable-http-violations' then 'make install', and it
>> went without error) but it didn't help, as I'm getting the same error
>> message.
>>
>> I'm sure I'm missing something, but need a clue...
>>
>> Kurt
>
> Just done a quick check of the code and it looks like those two particular
> headers are not in the 'standard' set known to squid.
>
> From the descriptions I can find about the header I thunk we should be
> adding it as known and allowing some security controls over it.
>
> Patch coming. What release of Squid are you using?
squid-3.0.15 is what I show.
Thanks for the help - I await news.
Kurt
Received on Fri May 15 2009 - 17:38:10 MDT
This archive was generated by hypermail 2.2.0 : Sun May 17 2009 - 12:00:01 MDT