MantisBT - Endian Firewall
View Issue Details
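ID: 0001083
Project: Endian Firewall
Category: Proxy HTTP
View Status: public
Date Submitted: 2008-07-04 18:23
Last Update: 2009-10-27 13:00
Reporter: simon-endian
Assigned To: simon-endian
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2.3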
0001083: http://msnbc.msn.com does not work with squid (chunked header)
msnbc returns an http1.1 chunked header to the http1.0 request of squid. squid 2.6 can't handle the chunked header -> cache_log says: Oversized chunk header on port 55599, url http://www.msnbc.msn.com
could not find other website with the same problem
needsfix
parent of  0001329  closed  peter-endian  havp needs to be upgraded due to chunked header problem
has duplicate  0001510  closed  simon-endian  www.msnbc.msn.com is being block
related to  0001588  closed  peter-endian  Proxy loop in cache.log
Issue History
2008-07-04 18:23  simon-endian  New Issue
2008-07-04 18:23  simon-endian  Status  new => assigned
2008-07-04 18:23  simon-endian  Assigned To  => simon-endian
2008-07-04 18:26  simon-endian  Note Added: 0001414
2008-07-04 18:26  simon-endian  Status  assigned => confirmed
2008-07-04 18:26  simon-endian  Resolution  open => not fixable
2008-07-04 18:26  simon-endian  Product Version  2.2-rc1 =>
2008-07-04 18:26  simon-endian  Summary  http://msnbc.msn.com does not work with squid (junked header) => http://msnbc.msn.com does not work with squid (chunked header)
2008-07-07 16:37  simon-endian  Status  confirmed => resolved
2008-07-15 18:34  trung  Status  resolved => feedback
2008-07-15 18:34  trung  Resolution  not fixable => reopened
2008-07-15 18:34  trung  Note Added: 0001446
2008-09-10 15:14  simon-endian  Note Added: 0001595
2008-09-10 15:14  simon-endian  Status  feedback => resolved
2008-09-10 15:14  simon-endian  Resolution  reopened => fixed
2008-09-10 15:26  simon-endian  Status  resolved => confirmed
2008-09-10 18:12  chris-endian  Tag Attached: needsfix
2008-09-10 18:57  Anonymous  Status  confirmed => feedback
2008-09-10 18:58  peter-endian  Status  feedback => confirmed
2008-09-12 10:02  chris-endian  Note Added: 0001612
2008-09-12 12:48  chris-endian  Note Added: 0001613
2008-09-15 20:10  peter-endian  Issue cloned: 0001329
2008-09-15 20:10  peter-endian  Relationship added  parent of 0001329
2008-09-15 20:14  peter-endian  Note Added: 0001620
2008-09-29 10:32  simon-endian  Status  confirmed => resolved
2008-09-29 10:32  simon-endian  Fixed in Version  => 2.2
2008-09-29 10:32  simon-endian  Note Added: 0001648
2008-12-15 09:55  simon-endian  Relationship added  has duplicate 0001510
2009-03-16 00:50  bonald  Note Added: 0002046
2009-03-16 00:50  bonald  Status  resolved => feedback
2009-03-16 00:50  bonald  Resolution  fixed => reopened
2009-04-02 21:53  peter-endian  Relationship added  related to 0001588
2009-06-05 19:52  peter-endian  Note Added: 0002471
2009-06-10 16:03  peter-endian  Status  feedback => resolved
2009-06-10 16:03  peter-endian  Fixed in Version  2.2 => 2.3
2009-06-10 16:03  peter-endian  Resolution  reopened => fixed
2009-10-27 13:00  peter-endian  Status  resolved => closed

Notes
(0001414)
simon-endian   
2008-07-04 18:26   
there is a workaround, which seems to solve the problem:

- connect to your firewall per ssh
- open/create the file /var/efw/proxy/custom-acl.conf (for example: nano /var/efw/proxy/custom-acl.conf)
- put the following lines inside the file

acl chunked dstdomain .msnbc.msn.com
header_access Accept-Encoding deny chunked

- save the file and restart the proxy by executing restartsquid.py
(0001446)
trung   
2008-07-15 18:34   
Hi Simon,

Somehow, this is related to HAVP also, check this http://havp.hege.li/forum/viewtopic.php?f=3&t=374

Thanks,

Trung
(0001595)
simon-endian   
2008-09-10 15:14   
thanks for the info! i will check this

regards,
Simon
(0001612)
chris-endian   
2008-09-12 10:02   
Hi,

EFW's Squid ( squid-2.6.STABLE18-5.endian6 ) shows the problem,
but a freshly compiled upstream Squid of the same version
( squid-2.6.STABLE18 ) does NOT show the problem.

It must be related to EFW's squid configuration or to the proxy
chain (havp?).

I'll continue investigating this.

Bye,
Chris
(0001613)
chris-endian   
2008-09-12 12:48   
Hi again,

the problem is related to exactly this directive in squid.conf:

  header_access Via deny all

commenting it out in efw -> msnbc works again
adding it to freshly compiled squid -> msnbc doesn't work anymore.

We need to evaluate the possibility to remove this line altogether...

Bye,
Chris.
(0001620)
peter-endian   
2008-09-15 20:14   
havp is now updated which applies the via fix.
(0001648)
simon-endian   
2008-09-29 10:32   
header_access Via deny all is now removed from squid.conf.tmpl
(0002046)
bonald   
2009-03-16 00:50   
removing the line
header_access Via deny all

added tons of Proxy-forwarding loops in cache.log

Maybe we should run two instances of squid instead of just one.
(0002471)
peter-endian   
2009-06-05 19:52   
this issue is only with dansguardian enabled and havp disabled, because havp does not append itself to the Via header, but replaces the Via header with "1.0 PROXY", which breaks loop detection in squid
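
The Via handling discussed in notes 0001613 through 0002471, as an added example that is not part of the original thread or Endian's code: a simplified Python model of Via-based loop detection, showing that a hop which replaces the header (or a proxy that strips it with header_access Via deny all) hides a second pass through the same proxy, while a preserved Via exposes it. The pseudonym efw.example, the function names, and the assumption that the request re-enters the same Squid instance after the content filters are illustrative.

```python
# Simplified model of Via-based forwarding-loop detection (illustrative only).
SQUID = "efw.example:8080 (squid)"  # hypothetical pseudonym this proxy writes into Via


def parse_via(value):
    """Split a Via header value into its comma-separated hop entries."""
    return [h.strip() for h in value.split(",") if h.strip()]


def hop_append(via, protocol, pseudonym):
    """Well-behaved proxy: append itself and keep the earlier hops."""
    return ", ".join(parse_via(via) + [f"{protocol} {pseudonym}"])


def hop_replace(via, fixed="1.0 PROXY"):
    """Behaviour described in note 0002471: overwrite Via with a fixed value."""
    return fixed


def loop_detected(via, pseudonym=SQUID):
    """True if our own pseudonym is already listed as a hop."""
    return any(h.split(" ", 1)[1:] == [pseudonym] for h in parse_via(via))


def second_pass(filters, strip_via=False):
    """Request leaves the proxy, crosses the filters, and re-enters the same proxy.

    strip_via models 'header_access Via deny all': no Via is sent on the first pass.
    Assumption: a filter not listed here forwards Via unchanged.
    """
    via = "" if strip_via else hop_append("", "1.0", SQUID)
    for hop in filters:
        via = hop(via)
    return via, loop_detected(via)


if __name__ == "__main__":
    cases = {
        "Via preserved by filters": second_pass([]),
        "filter replaces Via": second_pass([hop_replace]),
        "Via stripped by config": second_pass([], strip_via=True),
    }
    for name, (via, looped) in cases.items():
        print(f"{name:26} Via={via!r:34} loop_detected={looped}")
```
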