Kurt Buff wrote:
> On Thu, May 14, 2009 at 21:56, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> Kurt Buff wrote:
>>> On Wed, May 13, 2009 at 18:18, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>>> On Tue, May 12, 2009 at 17:09, Chris Robertson <crobertson_at_gci.net>
>>>>> wrote:
>>>>>> Kurt Buff wrote:
>>>>>>> All,
>>>>>>>
>>>>>>> My user population is having frequent problems fetching PDFs through
>>>>>>> our squid proxy, and I think I've narrowed down the issue, though I'm
>>>>>>> not 100% certain of it.
>>>>>>>
>>>>>>> I see two deny messages from our Sidewinder firewall, that are
>>>>>>> associated with the URLs regarding request headers for the PDFs:
>>>>>>>
>>>>>>> Â Â "Request denied with request header Unless-Modified-Since."
>>>>>>>
>>>>>>> and
>>>>>>>
>>>>>>> Â Â "Request denied with request header Translate."
>>>>>>>
>>>>>>> Is there a way to cause squid to ignore these request headers from the
>>>>>>> browsers,
>>>>>> http://www.squid-cache.org/Doc/config/header_access/
>>>>>>
>>>>>>> Â or to replace them with something benign?
>>>>>> http://www.squid-cache.org/Doc/config/header_replace/
>>>>>>
>>>>>>> Â Is it reasonable
>>>>>>> to do so, or will that just cause further issues?
>>>>>>>
>>>>>> There, I can't help. Â I'd suggest contacting support for the Firewall,
>>>>>> and
>>>>>> get the problem solved (or at least identified) there.
>>>>>>
>>>>>>> Any help and thoughts appreciated.
>>>>>>>
>>>>>>> Kurt
>>>>>>>
>>>>>> Chris
>>>>> Unfortunately, adding the two directives:
>>>>>
>>>>> header_access Unless-Modified-Since deny all
>>>>> header_access Translate deny all
>>>>>
>>>>> Generates the following errors at start and stop of squid:
>>>>>
>>>>> 2009/05/13 11:42:57| cache_cf.cc(346) squid.conf:40 unrecognized:
>>>>> 'header_access'
>>>>> 2009/05/13 11:42:57| cache_cf.cc(346) squid.conf:41 unrecognized:
>>>>> 'header_access
>>>>>
>>>>> Under FreeBSD, a 'make config' shows that SQUID_STRICT_HTTP is
>>>>> deselected. From my reading of the make file, this means that the
>>>>> directive --disable-http-violations is not in effect.
>>>>>
>>>>> Will I have to recompile with --enable-http-violations to be able to
>>>>> use these directives?
>>>>>
>>>>> Kurt
>>>>>
>>>> Yes.
>>>>
>>>> Amos
>>> I came to that conclusion on my own, and did recompile with that
>>> option ('make --enable-http-violations' then 'make install', and it
>>> went without error) but it didn't help, as I'm getting the same error
>>> message.
>>>
>>> I'm sure I'm missing something, but need a clue...
>>>
>>> Kurt
>> Just done a quick check of the code and it looks like those two particular
>> headers are not in the 'standard' set known to squid.
>>
>> From the descriptions I can find about the header I thunk we should be
>> adding it as known and allowing some security controls over it.
>>
>> Patch coming. What release of Squid are you using?
>
> squid-3.0.15 is what I show.
>
> Thanks for the help - I await news.
>
> Kurt
Please find attached a patch for 3.0 that adds the headers so
header_access can remove them.
This should apply with -p0, or if not on your version on the current
snapshots.
Amos
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15 Current Beta Squid 3.1.0.7
This archive was generated by hypermail 2.2.0 : Sun May 17 2009 - 12:00:01 MDT