On Tue, Mar 16, 2010 at 09:46:44PM +0000, Amos Jeffries wrote:
> On Tue, 16 Mar 2010 14:06:59 +0000, Graham Keeling <gra...@equiinet.com> wrote:
> > Hello,
> > 
> > In older versions of squid, I was able to block or allow specific arbitrary
> > request headers. For example:
> > 
> > header_access X-SomeRandomHeaderA allow all
> > header_access X-SomeRandomHeaderB deny all
> > 
> > In squid-3.1 (and 3.0, I think), the equivalent of header_access for request
> > headers is now request_header_access.
> > 
> > But if I try this, squid gets upset and doesn't start:
> > request_header_access X-SomeRandomHeaderA allow all
> 
> "allow all" is the default. You can ignore those settings.
> 
> > request_header_access X-SomeRandomHeaderB deny all
> > 
> > It says:
> > 2010/03/16 13:55:19| parse_http_header_access: unknown header name 'X-SomeRandomHeaderA'
> > 
> > So, it seems that you can only add headers that squid knows about
> > internally.
> > Which is what this page says:
> > http://www.squid-cache.org/Doc/config/request_header_access/
> > 
> >     You can only specify known headers for the header name.
> >     Other headers are reclassified as 'Other'. You can also
> >     refer to all the headers with 'All'.
> > 
> > I could use 'Other', but it means that I have to treat all unknown headers
> > in the same way. Unless I'm missing something.
> > 
> > 
> > So, can anybody tell me how to block or allow specific arbitrary request
> > headers in squid-3.1?
> > 
> 
> Not possible in Squid-3. Removing random headers is a violation of HTTP
> protocol and can seriously break things when not understood.
> 
> If you can present to us some information about these special headers that
> shows they are in fact deserving of stripping, we can add them.

Thanks for your reply.

What I am doing is using a url/content filter in front of squid.
I have the filter listening on two ports.
One port is for filtering with authentication. 
One port is for filtering without authentication. 

The filter adds a header that says which port a request came in on.

I then have a squid acl rule that matches the port in this header, which turns
on authentication in squid.

But, I don't want squid to then forward my new header out to the web server.
And I don't want to use 'Other' to block it, as that will block application X
and its proprietary headers.

> There is always the eCAP/ICAP filtering add-on interface now available for
> local control.
> 
> 
> Rant:  I for one got tired of handling complaints because application X
> would not work through Squid when the admin stripped away all its
> proprietary headers.
> 
> 
> Amos
