Squid PKG doesn't support header_access~?



  • Hi all,

    I installed the squid package recently for the users, and some websites stop us from browsing due to the use of a proxy server. The websites work without using the proxy.

    After checking, we find that squid adds two headers (HTTP_X_FORWARDED & HTTP_VIA) which forward the client's information (client IP and proxy host with version detail - xxxx:xxxx (squid/2.5.STABLE14)).

    This is really a problem which violates personal/corporate privacy, and is considered a security hole.

    We looked into the squid documents and added the following options to squid.conf, which should stop such behavior; however, it doesn't work for the squid @ pfSense.

    Options:
          header_access Via deny all
          header_access X-Forwarded-For deny all
    Errors:
            parseConfigFile: line 57 unrecognized: 'header_access Via deny all'
            parseConfigFile: line 58 unrecognized: 'header_access X-Forwarded-For deny all'

    We understand that squid.conf is rewritten on every reboot, so we just tested the modified config file with "squid -k parse". It seems that the squid package wasn't built with the "enable-http-violations" option on.

    Would anyone please help to check and advise on a solution?

    Many Thanks
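    As an added illustration (not code from this thread), a small Python check that parses a request the way an origin server receives it from a proxy and reports exactly the disclosures described above: the client IP chain from X-Forwarded-For and the proxy host and software version from Via. The sample request, hostname and client address are constructed.

```python
"""Check whether a proxied HTTP request leaks client and proxy details.

Added example, not from the forum thread: parses a raw request as an origin
server sees it after squid and reports the Via / X-Forwarded-For disclosures.
"""
import re
from typing import Dict, List

# Constructed sample: what an origin server sees from a squid 2.5 proxy
# (hostname and client address are made up).
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Forwarded-For: 192.168.1.23\r\n"
    "Via: 1.0 proxy.example.internal:3128 (squid/2.5.STABLE14)\r\n"
    "\r\n"
)

LEAKY_HEADERS = ("via", "x-forwarded-for")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw request into a lowercase-name -> values map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def proxy_disclosures(raw: str) -> Dict[str, list]:
    """Report what the proxy reveals: client IPs and proxy host/software."""
    headers = parse_headers(raw)
    report: Dict[str, list] = {"client_ips": [], "proxies": [], "leaky_headers": []}
    for xff in headers.get("x-forwarded-for", []):
        report["client_ips"] += [ip.strip() for ip in xff.split(",") if ip.strip()]
    for via in headers.get("via", []):
        # Via hop format: <version> <host>[:port] [(<product>)], comma separated.
        for hop in via.split(","):
            m = re.match(r"\s*(\S+)\s+(\S+)(?:\s+\((.*)\))?", hop)
            if m:
                report["proxies"].append({"host": m.group(2), "software": m.group(3)})
    report["leaky_headers"] = [h for h in LEAKY_HEADERS if h in headers]
    return report
```

    Run proxy_disclosures(SAMPLE_REQUEST) against a capture from your own proxy; an empty leaky_headers list is what you want to see once the header_access directives take effect.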



  • The squid package comes straight from the FreeBSD package repository with only our wrappers.  Sounds like they don't compile it with the options you want.

    –Bill



  • Thanks Bill.

    I just googled for the port and found the following page: http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/squid/
    Is it the one mentioned ^^? (I'm really new to FreeBSD)

    Would you please let me know if it is possible to recompile the squid package with the option myself? Or should I report to the port maintainer?

    Thanks in advance~



    Keep in mind that your emails will have this same info, plus there are other ways (javascript etc.) to get the client IP from the browser or track individuals (cookies etc.).  As a security measure on its own it's worthless (worse than worthless in fact, as it gives a false sense of security).  Use of the option also comes with all sorts of warnings for a good reason :)

    However, the FreeBSD port supports this just fine (just checked).



    Thanks Havok for your explanation.

    Yes, the email may also disclose our client IP and the mail server info. And the server info may not cause any privacy problem, such as the client OS / server info (Windows / Linux / …Apache / IIS / ...) - all common and well-known environments~

    We would consider this as a feature instead of a security patch.

    "the FreeBSD port supports this just fine (just checked)."

    Many Thanks for the testing.
    Does it mean that the squid package @ pfSense supports header_access? Or does just the original FreeBSD port support that?

    This is quite important for me… I tried many times to enable the feature under squid @ pfSense, but failed...

    If this is the case, please kindly show me the way...



  • There are other headers that provide details about the browser, client OS etc (as the mail headers will provide details of the mail client, client OS etc).  You may want to visit http://network-tools.com/analyze/ and see what can be trivially done, even without those headers.

    I only tested the FreeBSD package, not the pfSense package.  My VMware build of pfSense shows the same error you see - no support for the "header_access" option.



  • Doh, I mistakenly thought we used the FreeBSD package of squid for our package.  Looks like we install it from pfSense.org.  Wonder what options were used in compiling that package.  If I get time, I'll see if the FreeBSD port works (chances are the reasons we have our own package are due to some of the addons - that are b0rked - we have for squid)

    –Bill

