Re: [squid-users] Blocking or allowing specific arbitrary request headers in squid-3.1.

From: Graham Keeling <graham_at_equiinet.com>
Date: Wed, 17 Mar 2010 09:55:51 +0000

On Tue, Mar 16, 2010 at 09:46:44PM +0000, Amos Jeffries wrote:
> On Tue, 16 Mar 2010 14:06:59 +0000, Graham Keeling <graham_at_equiinet.com>
> wrote:
> > Hello,
> >
> > In older versions of squid, I was able to block or allow specific arbitrary
> > request headers. For example:
> >
> > header_access X-SomeRandomHeaderA allow all
> > header_access X-SomeRandomHeaderB deny all
> >
> > In squid-3.1 (and 3.0, I think), the equivalent of header_access for request
> > headers is now request_header_access.
> >
> > But if I try this, squid gets upset and doesn't start:
> > request_header_access X-SomeRandomHeaderA allow all
>
> "allow all" is the default. You can ignore those settings.
>
> > request_header_access X-SomeRandomHeaderB deny all
> >
> > It says:
> > 2010/03/16 13:55:19| parse_http_header_access: unknown header name
> > 'X-SomeRandomHeaderA'
> >
> > So, it seems that you can only add headers that squid knows about
> > internally.
> > Which is what this page says:
> > http://www.squid-cache.org/Doc/config/request_header_access/
> >
> > You can only specify known headers for the header name.
> > Other headers are reclassified as 'Other'. You can also
> > refer to all the headers with 'All'.
> >
> > I could use 'Other', but it means that I have to treat all unknown headers
> > in the same way. Unless I'm missing something.
> >
> >
> > So, can anybody tell me how to block or allow specific arbitrary request
> > headers in squid-3.1?
> >
>
> Not possible in Squid-3. Removing random headers is a violation of HTTP
> protocol and can seriously break things when not understood.
>
> If you can present to us some information about these special headers that
> shows they are in fact deserving of stripping, we can add them.

Thanks for your reply.

What I am doing is using a url/content filter in front of squid.
I have the filter listening on two ports.
One port is for filtering with authentication.
One port is for filtering without authentication.

The filter adds a header that says which port a request came in on.

I then have a squid acl rule that matches the port in this header, which turns
on authentication in squid.

But, I don't want squid to then forward my new header out to the web server.
And I don't want to use 'Other' to block it, as that will block application X
and its proprietary headers.

> There is always the eCAP/ICAP filtering add-on interface now available for
> local control.
>
>
> Rant: I for one got tired of handling complaints because application X
> would not work through Squid when the admin stripped away all its
> proprietary headers.
>
>
> Amos
Received on Wed Mar 17 2010 - 09:48:25 MDT
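
The ICAP route mentioned in the thread, as an added example that is not code from either poster or from Squid: a REQMOD adaptation that removes only the filter's marker header and leaves every other unknown header in place, unlike a blanket deny on 'Other'. The header name `X-Filter-Port`, the service URL and the sample request are assumptions constructed for illustration; the message layout follows RFC 3507.

```python
# Added example, not from the thread. X-Filter-Port is a hypothetical name for
# the filter's marker header; message layout follows RFC 3507 (ICAP).
STRIP = {b"x-filter-port"}

def strip_http_headers(head, strip=STRIP):
    """Drop the named headers, and any folded continuation lines, from a header block."""
    lines = head.split(b"\r\n")
    out, dropping = [lines[0]], False              # lines[0] is the request line
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):              # continuation of the previous header
            if not dropping:
                out.append(line)
            continue
        dropping = line.split(b":", 1)[0].strip().lower() in strip
        if not dropping:
            out.append(line)
    return b"\r\n".join(out)

def adapt_reqmod(icap_request, strip=STRIP):
    """Build the ICAP 200 reply carrying the HTTP request minus the marker header."""
    icap_head, encapsulated = icap_request.split(b"\r\n\r\n", 1)
    enc = next(l.split(b":", 1)[1] for l in icap_head.split(b"\r\n")[1:]
               if l.lower().startswith(b"encapsulated:"))
    # Second entry is "null-body=N" or "req-body=N"; N is where the headers end.
    kind, offset = enc.split(b",")[1].strip().split(b"=")
    http_head, body = encapsulated[:int(offset)], encapsulated[int(offset):]
    new_head = strip_http_headers(http_head, strip)
    return b"".join([
        b"ICAP/1.0 200 OK\r\n",
        b'ISTag: "strip-marker-1"\r\n',
        b"Encapsulated: req-hdr=0, " + kind + b"=" + str(len(new_head)).encode() + b"\r\n",
        b"\r\n", new_head, body])

# Constructed sample: one marker header plus one unknown application header.
HTTP_HEAD = (b"GET http://www.example.com/ HTTP/1.1\r\n"
             b"Host: www.example.com\r\n"
             b"X-Filter-Port: 8081\r\n"
             b"X-App-Token: abc\r\n\r\n")

def sample_reqmod(http_head=HTTP_HEAD, kind=b"null-body", body=b""):
    """Wrap an HTTP header block (and optional chunked body) in a constructed REQMOD request."""
    return (b"REQMOD icap://127.0.0.1:1344/strip ICAP/1.0\r\nHost: 127.0.0.1\r\n"
            b"Encapsulated: req-hdr=0, " + kind + b"=" + str(len(http_head)).encode()
            + b"\r\n\r\n" + http_head + body)

if __name__ == "__main__":
    print(adapt_reqmod(sample_reqmod()).decode())
```

The `Encapsulated` offset is recomputed from the shortened header block, and a chunked request body, if present, is passed through unchanged.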
