[squid-users] problems with SQUID 3.x and IBM Proventia

From: Udo Rader <listudo_at_bestsolution.at>
Date: Wed, 22 Apr 2009 15:57:41 +0200

Hi,

one of our customers has an issue with a Debian Lenny based squid 3.x in
connection with an IBM Proventia security appliance.

The setup is like this:

internet <-> proventia <-> squid

Now proventia comes with a transparent web content filter, removing
dangerous things (viruses, ...) from HTTP traffic.

Unfortunately this transparent filter rewrites the HTTP headers and
sometimes it even corrupts them in a way that squid cannot deal with,
so squid refuses to further process the content. The cache.log then
contains a message like this one:

-------CUT-------
2009/04/22 11:09:23| WARNING: HTTP header contains NULL characters
{Date: Wed, 22 Apr 2009 09:09:23 GMT
Server: Apache/2.0.53 (Linux/SUSE)
X-Powered-By: PHP/4.3.10
Content-Disposition: inline; filename="Lady.jpg
-------CUT-------

The problem probably is the missing trailing double quote at the end of
the filename.

I've verified the problem using telnet:

on the proxy server itself, connecting through proventia:
--------CUT--------
Proxy2:~# telnet www.example.com 80
Trying 192.168.1.0...
Connected to www.example.com
Escape character is '^]'.
GET /main.php?g2_view=core.DownloadItem&g2_itemId=20129&g2_serialNumber=2 HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 22 Apr 2009 09:02:40 GMT
Server: Apache/2.0.53 (Linux/SUSE)
X-Powered-By: PHP/4.3.10
Content-Disposition: inline; filename="Lady.jpg
Last-Modified: Sat, 04 Apr 2009 11:46:36 GMT
Expires: Thu, 22 Apr 2010 09:02:40 GMT
Connection: close
Content-Length: 8234
Content-Type: image/jpeg
--------CUT--------

on the proxy server itself, connecting directly to the server (using a
ssh tunnel at port 8088)
--------CUT--------
Proxy2:~# telnet localhost 8088
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /main.php?g2_view=core.DownloadItem&g2_itemId=20129&g2_serialNumber=2 HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 22 Apr 2009 09:03:03 GMT
Server: Apache/2.0.53 (Linux/SUSE)
X-Powered-By: PHP/4.3.10
Content-Disposition: inline; filename="Lady.jpg"
Last-Modified: Sat, 04 Apr 2009 11:46:36 GMT
Content-length: 8234
Expires: Thu, 22 Apr 2010 09:03:03 GMT
Connection: close
Content-Type: image/jpeg
--------CUT--------

So of course the problem is proventia corrupting the HTTP headers and we
will raise an issue about that with IBM.

But for the time being: is there a chance to make squid more "tolerant"
about those kinds of problems? Without surprise I did not find any
fitting config options :-)

-- 
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
Received on Wed Apr 22 2009 - 13:57:55 MDT
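
The comparison the post makes by hand with telnet, as an added example that is not part of the original message and is not squid code: a Python function that audits a raw response header block for NUL bytes and unbalanced quoted strings. The sample bytes are constructed from the two captures above; the NUL byte in the filtered copy is an assumption made to match the cache.log warning, since telnet would not display it.

```python
import re

# Constructed sample modelled on the direct (ssh tunnel) capture in the post.
DIRECT = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Apache/2.0.53 (Linux/SUSE)\r\n"
          b'Content-Disposition: inline; filename="Lady.jpg"\r\n'
          b"Content-Type: image/jpeg\r\n\r\n")
# Assumption: the filtered copy has a NUL byte where the closing quote was.
FILTERED = DIRECT.replace(b'Lady.jpg"', b"Lady.jpg\x00")

def audit_headers(raw):
    """Return a list of findings for one raw HTTP response header block."""
    findings = []
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if not re.match(rb"HTTP/\d\.\d \d{3}( |$)", lines[0]):
        findings.append("status line: malformed")
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        label = name.decode("latin-1").strip() or "<empty>"
        if not sep:
            findings.append(f"{label}: header line has no colon")
            continue
        if b"\x00" in line:
            pos = line.index(b"\x00")
            findings.append(f"{label}: NUL byte at offset {pos}")
        # Other control characters (HTAB is allowed in field values).
        if re.search(rb"[\x01-\x08\x0a-\x1f\x7f]", value):
            findings.append(f"{label}: control character in value")
        # Drop backslash-escaped pairs, then count the remaining quotes.
        if re.sub(rb"\\.", b"", value).count(b'"') % 2:
            findings.append(f"{label}: unbalanced double quote")
    return findings

if __name__ == "__main__":
    for tag, raw in (("direct", DIRECT), ("filtered", FILTERED)):
        print(tag, audit_headers(raw) or "clean")
```

Feeding it the header bytes captured on each side of the filter (for example from a packet capture rather than telnet) shows which header the appliance altered and whether the damage is a NUL byte, a lost quote, or both.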
