Quantcast

Access-Control-* headers missing when going through squid

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Access-Control-* headers missing when going through squid

djch
Hi everyone,

This is a super weird one!

This Pressreader site (http://sheppartonnews.pressreader.com/shepparton-news) gets a totally different (erroneous) response from the server when accessing it through squid on a particular school's network.

It doesn’t happen through any other squid box on any other network I’ve tried, yet at this site you bypass squid through the same gateway and its fine; you use squid and it fails.

The only errors I can see in the browser (that happen when it fails) are CORS errors on several of the requests. Comparing the headers it looks like the erroneous requests lack these from the response:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://sheppartonnews.pressreader.com
Access-Control-Expose-Headers: ndstate,X-PD-AProfile,X-PD-Profile,X-PD-Ticket,X-PD-Auth,X-PD-PAuth,X-PD-Token

No, the squid config we’re using never touches headers. Every HTTP/S request from the client is being allowed and is a 200/304 in both situations.

(see attached for the full request response headers)

Make any sense to anyone?


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

erroneous.txt (784 bytes) Download Attachment
normal.txt (1K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access-Control-* headers missing when going through squid

Amos Jeffries
Administrator
On 19/04/17 13:12, Dan Charlesworth wrote:

> Hi everyone,
>
> This is a super weird one!
>
> This Pressreader site (http://sheppartonnews.pressreader.com/shepparton-news) gets a totally different (erroneous) response from the server when accessing it through squid on a particular school's network.
>
> It doesn’t happen through any other squid box on any other network I’ve tried, yet at this site you bypass squid through the same gateway and its fine; you use squid and it fails.
>
> The only errors I can see in the browser (that happen when it fails) are CORS errors on several of the requests. Comparing the headers it looks like the erroneous requests lack these from the response:
>
> Access-Control-Allow-Credentials: true
> Access-Control-Allow-Origin: http://sheppartonnews.pressreader.com
> Access-Control-Expose-Headers: ndstate,X-PD-AProfile,X-PD-Profile,X-PD-Ticket,X-PD-Auth,X-PD-PAuth,X-PD-Token
>
> No, the squid config we’re using never touches headers. Every HTTP/S request from the client is being allowed and is a 200/304 in both situations.
>
> (see attached for the full request response headers)
>
> Make any sense to anyone?

Squid does not touch these headers itself unless you configure it to. So
something there is altering them. It may be external MITM stuff, or
Squid coping with broken input.

Try adding "debug_options 11,2" to see what is actually arriving and
leaving that proxy.


Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access-Control-* headers missing when going through squid

djch
Thanks Amos.

As far as I can tell the only device upstream of the proxy is a relatively basic gateway/firewall. I doubt it's capable of messing with HTTP headers (and loading the site directly, as opposed to using the proxy lets it load fine behind the same gateway).

I’ve attached the debug output you suggested. Looks like the headers in the browser are the same as what arriving and leaving the proxy?




Best,
Dan

On 19 Apr 2017, at 2:41 pm, Amos Jeffries <[hidden email]> wrote:

Squid does not touch these headers itself unless you configure it to. So something there is altering them. It may be external MITM stuff, or Squid coping with broken input.

Try adding "debug_options 11,2" to see what is actually arriving and leaving that proxy.


Amos


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

pr-squid-debug-erroneous.txt (1K) Download Attachment
pr-squid-debug-normal.txt (2K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access-Control-* headers missing when going through squid

Amos Jeffries
Administrator
On 20/04/17 14:07, Dan Charlesworth wrote:
> Thanks Amos.
>
> As far as I can tell the only device upstream of the proxy is a
> relatively basic gateway/firewall. I doubt it's capable of messing
> with HTTP headers (and loading the site directly, as opposed to using
> the proxy lets it load fine behind the same gateway).
>
> I’ve attached the debug output you suggested. Looks like the headers
> in the browser are the same as what arriving and leaving the proxy?

Yes. Good proof there that Squid is not doing any breakage. The server
is itself producing that output.

Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Loading...