ACL reply_header_access

ACL reply_header_access

creditu
We have been using several squid servers in accelerator mode for a number of years, mainly for load balancing to send public requests to backend servers. The requests to the squids typically come via a well-known commercial caching service. The squids don't do any caching, they just forward requests to the backend.

I need to remove the X-Content-Type-Options: nosniff reply header when it's only going to a specific service that queries our web farm.

I believe I can remove it from all replies by using reply_header_access X-Content-Type-Options deny all. But I need an ACL that will only remove it from those responses going to that service (client).

I'm used to writing ACLs based on Internet-to-our-farm requests, not the outbound to the clients. I'm having trouble getting my head around the logic on the acl directives to use. Do I need to look at the reply headers and craft the ACL based on that? Can you write an ACL based on the original request from the client?

What I'd like to be able to do is write an ACL that does not send back the X-Content-Type header to the client that requested: https://www.example.com/sound/ID/text/abcde.txt.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: ACL reply_header_access

Amos Jeffries
Administrator
On 5/12/19 1:29 pm, creditu wrote:
> We have been using several squid servers in accelerator mode for a number of years, mainly for load balancing to send public requests to backend servers. The requests to the squids typically come via a well-known commercial caching service. The squids don't do any caching, they just forward requests to the backend.
>
> I need to remove the X-Content-Type-Options: nosniff reply header when it's only going to a specific service that queries our web farm.
>

Okay.

> I believe I can remove it from all replies by using reply_header_access X-Content-Type-Options deny all. But I need an ACL that will only remove it from those responses going to that service (client).
>
> I'm used to writing ACLs based on Internet-to-our-farm requests, not the outbound to the clients. I'm having trouble getting my head around the logic on the acl directives to use. Do I need to look at the reply headers and craft the ACL based on that? Can you write an ACL based on the original request from the client?

There is no difference in the ACLs themselves, beyond that the data they
have available depends on when in the transaction the directive using
them occurs.

When Squid needs to decide something there is usually a directive to
assist with the decision. reply_header_access is indeed the one to use
when deciding what HTTP reply headers get delivered to the client.


>
> What I'd like to be able to do is write an ACL that does not send back the X-Content-Type header to the client that requested: https://www.example.com/sound/ID/text/abcde.txt.

What you need to do is find an ACL which identifies the particular
client, e.g. a 'src' ACL is simplest if the service IP is not shared or
changing. Otherwise you may need some other detail visible in the HTTP
request headers or TCP state.


Amos
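
A squid.conf sketch of the approach discussed in this thread, added here as an example and not posted by either participant. The ACL names, the 192.0.2.10 address, the User-Agent pattern and the path regex are constructed placeholders, and it assumes the Squid version in use accepts the custom header name in reply_header_access:

```conf
# Added example (not from the thread). All names and values are placeholders.

# Too broad: removes nosniff from every reply, for every client.
# reply_header_access X-Content-Type-Options deny all

# Option 1: the service connects from a fixed, unshared address.
# 'src' matches the address of the TCP peer Squid sees, so if the
# service's requests arrive through the caching service this will be
# the caching service's address, not the partner's.
acl partner_src src 192.0.2.10/32
reply_header_access X-Content-Type-Options deny partner_src

# Option 2: the address is shared or changes, so identify the
# transaction from request details instead. Request data is still
# available when reply_header_access is evaluated.
acl partner_ua   req_header User-Agent -i ^ExamplePartner/
acl partner_path urlpath_regex ^/sound/[^/]+/text/abcde\.txt$

# ACLs on one line are ANDed: both must match for the header to be removed.
reply_header_access X-Content-Type-Options deny partner_ua partner_path

# Replies that match no deny rule above keep the header (the default
# is to pass all reply headers through unchanged).
```

Request headers are set by the client, so Option 2 removes nosniff for any requester that sends the matching User-Agent; combining it with the path ACL limits the exposure to that one resource.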