On 19/07/2014 2:55 a.m., Alex Rousskov wrote:
> On 07/18/2014 01:32 AM, Amos Jeffries wrote:
>> Some of the statistics being brought up in the IETF HTTP/2 discussions
>> are highlighting certain garbage headers which are unfortunately quite
>> common.
>
> I join Eliezer in begging for pointers to relevant posts or pages.
>
>
>> I have wondered about creating a registry of known garbage and simply
>> dropping those headers on arrival in the parser. This would be in
>> addition to the header registry lookup and masking process we have for
>> hop-by-hop headers.
>>
>> Any other thoughts on this?
>
> We already have squid.conf options to drop headers. Folks that want to
> focus on saving bandwidth may use them. We can publish the corresponding
> configuration excerpts on the wiki.
>
> If those options are not enough, let's add more. If those options slow
> Squid down too much, let's discuss optimizations (keeping in mind that
> much better optimizations can probably be obtained by preserving header
> blobs during forwarding).
>
> However, please do not hard-code policing of messages Squid can grok,
> especially in the parser.

See my post in reply to Eliezer. The general garbage ones we could leave
to admin. But the connection: and content-length header mangling, and
some of the other security bypasses have deeper implications and special
processing may be needed to clean up properly. I.e. drop a cneonction:
header and also drop any it lists just to be safe, or reject requests
with cteonnt-length: header in self defense.

Amos
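
The cleanup described in the reply above, as an added example that is not part of the original post and is not Squid code. The names `MANGLED`, `sanitize` and `RejectRequest` and the sample headers are constructed for illustration; the registry holds only the two mangled names quoted in the post.

```python
# Constructed registry: only the two mangled header names quoted in the post.
MANGLED = {
    "cneonction": "drop-with-listed",  # scrambled Connection
    "cteonnt-length": "reject",        # scrambled Content-Length
}


class RejectRequest(Exception):
    """Raised when a request is refused instead of being cleaned."""


def sanitize(headers):
    """Apply the two policies to a list of (name, value) header pairs.

    Returns the pairs to forward, in arrival order. Raises RejectRequest
    if a mangled Content-Length is present.
    """
    doomed = set()
    for name, value in headers:
        key = name.strip().lower()  # header names are case-insensitive
        action = MANGLED.get(key)
        if action == "reject":
            raise RejectRequest(name)
        if action == "drop-with-listed":
            doomed.add(key)
            # Treat the value like a Connection token list and drop
            # every header it names as well.
            doomed.update(t.strip().lower() for t in value.split(",") if t.strip())
    return [(n, v) for n, v in headers if n.strip().lower() not in doomed]


# Constructed sample request headers.
SAMPLE = [
    ("Host", "example.test"),
    ("Cneonction", "close, X-Hop"),
    ("X-Hop", "1"),
    ("Accept", "*/*"),
]

if __name__ == "__main__":
    print(sanitize(SAMPLE))
    try:
        sanitize([("Host", "example.test"), ("Cteonnt-Length", "10")])
    except RejectRequest as exc:
        print("rejected:", exc)
```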