Re: [squid-users] Squid 2.7stable7 and ESPN3

From: Jason Howlett <jason_at_jkhowlett.com>
Date: Tue, 30 Nov 2010 18:39:03 -0700

Thanks guys. That fixed the problem. I have submitted a bug report at
the ESPN site. We'll see if it does any good...

On 11/30/2010 3:31 AM, Eric Vance wrote:
> Thanks Amos!
>
> I confirmed that adding the config option "forwarded_for off" does fix espn3.
>
> Can you please give me a little more detail of the risk posed by turning it off?
> If it was just espn3 I would try to get them to fix it but I wonder
> how many other sites have this same issue.
>
> Thanks!
>
> Eric
>
> On Tue, Nov 30, 2010 at 1:33 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 30/11/10 20:33, Eric Vance wrote:
>>> I have also had this issue. I was able to get the headers both going
>>> through squid and not. I noticed a few key differences (but skip to
>>> the end because I found the offending difference).
>>>
>>> Request Header without Squid:
>>>
>>>
>>> **************************************************************************************
>>> GET
>>> http://broadband.espn.go.com/espn3/auth/userData?format=json&page=index
>>> HTTP/1.1
>>> Host: broadband.espn.go.com
>>> Connection: keep-alive
>>> Referer: http://espn.go.com/espn3/index
>>> Accept: */*
>>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
>>> AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
>>> Accept-Encoding: gzip,deflate,sdch
>>> Accept-Language: en-US,en;q=0.8
>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
>>> Cookie: SWID=C2085447-B5B5-4B68-9A02-97B9BEB8AC0C; userAB=C;
>>> ESPN360beta=betaSet;
>>>
>>> DE2=KioqOyoqKjtyZXNlcnZlZDticm9hZGJhbmQ7NTs0OzQ7MDswMDAuMDAwOzAwMDAuMDAwOzk5OTs1MzgzOzM0MDM7MDsqKjs=;
>>> CRBLM=CBLM-001:; DS=PzswOz87; CRBLM_LAST_UPDATE=1291054796;
>>> s_vi=[CS]v1|2679F7630516263D-60000198C0083F11[CE];
>>> espnAffiliate=invalid;
>>>
>>>
>>> s_pers=%20s_c24%3D1291061231070%7C1385669231070%3B%20s_c24_s%3DLess%2520than%25201%2520day%7C1291063031070%3B%20s_gpv_pn%3Despn3%253Ainvalid%253Aindex%7C1291063031109%3B
>>>
>>> ***************************************************************************************
>>>
>>> Request header after Squid:
>>>
>>>
>>> ***************************************************************************************
>>> GET /espn3/auth/userData?format=json&page=index
>>> HTTP/1.0
>>> Host: broadband.espn.go.com
>>> Referer: http://espn.go.com/espn3/index
>>> Accept: */*
>>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
>>> AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
>>> Accept-Encoding: identity
>>> Accept-Language: en-US,en;q=0.8
>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
>>> Cookie: SWID=C2085447-B5B5-4B68-9A02-97B9BEB8AC0C; userAB=C;
>>> ESPN360beta=betaSet;
>>>
>>> DE2=KioqOyoqKjtyZXNlcnZlZDticm9hZGJhbmQ7NTs0OzQ7MDswMDAuMDAwOzAwMDAuMDAwOzk5OTs1MzgzOzM0MDM7MDsqKjs=;
>>> CRBLM=CBLM-001:; DS=PzswOz87; CRBLM_LAST_UPDATE=1291054796;
>>> s_vi=[CS]v1|2679F7630516263D-60000198C0083F11[CE];
>>> espnAffiliate=invalid;
>>> broadbandAccess=espn3-false%2Cnetworks-false;
>>>
>>> s_pers=%20s_c24%3D1291092114183%7C1385700114183%3B%20s_c24_s%3DLess%2520than%25201%2520day%7C1291093914183%3B%20s_gpv_pn%3Despn3%253Ainvalid%253Aindex%7C1291093914212%3B;
>>> lang=en;
>>> s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D16%3B;
>>> PREF=f2=8000000;
>>> Via: 1.0 ph:3128 (squid/2.7.STABLE9)
>>> X-Forwarded-For: 127.0.0.1
>>> Cache-Control: max-age=259200
>>> Connection: keep-alive
>>>
>>> ***************************************************************************************
>>>
>>> I manually issued this request changing one thing at a time until I
>>> found the breaking item. When I removed this line from the Squid
>>> version the response came back without the redirect (and I assume
>>> would then work correctly):
>>>
>>> X-Forwarded-For: 127.0.0.1
>>
>> D**m, suspected as much when that IP came back in your broken reply
>> javascript.
>>
>>> So, I guess the questions are:
>>> 1. Is this line necessary?
>> Yes and no.
>> Yes, ... because XFF is important for tracking network bugs down and
>> informing the origin client IP. As you noticed this is one site which uses
>> it to produce per-user content display.
>>
>> No, because 127.0.0.1 is a useless thing to be sending in there as the first
>> entry. It is an artifact of the way your particular requests went to Squid.
>>
>>> 2. Can it safely be removed?
>> Yes. If you are willing as the squid admin to shoulder all the blame for any
>> attacks made through your proxy.
>>
>>> 3. How can it be removed?
>> In 2.7 configure: forwarded_for off.
>>
>> There is something else you can do now that you know what and where the
>> problem is. You can pass this same report on to the webmaster of that site.
>> They are trusting the XFF trail too much.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE9 or 3.1.9
>> Beta testers wanted for 3.2.0.3
>>
Received on Wed Dec 01 2010 - 01:39:14 MST
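
The remark in the thread that the site is "trusting the XFF trail too much" concerns how an origin server picks a client address out of X-Forwarded-For. The following is an added example, not part of the original thread and not Squid or ESPN code: it contrasts taking the first XFF entry with walking the chain from the TCP peer and believing an entry only when a trusted hop reported it. The trusted range, function names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: address range of the origin's own front-end proxies (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Ranges that can never identify a remote client on the public Internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8")]

def _in(ip, nets):
    return any(ip.version == net.version and ip in net for net in nets)

def naive_client_ip(peer_addr, xff):
    """Over-trusting pattern: believe the first XFF entry, whoever sent it."""
    return xff.split(",")[0].strip() if xff else peer_addr

def client_ip(peer_addr, xff):
    """Walk XFF right to left, believing an entry only when the hop that
    reported it is one of our own proxies."""
    current = ipaddress.ip_address(peer_addr)
    entries = [e.strip() for e in (xff or "").split(",") if e.strip()]
    for entry in reversed(entries):
        if not _in(current, TRUSTED_PROXIES):
            break  # reported by a hop we do not control: client-supplied data
        try:
            candidate = ipaddress.ip_address(entry)
        except ValueError:
            break  # "unknown" or malformed entry
        if _in(candidate, NON_ROUTABLE) and not _in(candidate, TRUSTED_PROXIES):
            break  # e.g. 127.0.0.1: says nothing about the real client
        current = candidate
    return str(current)

# Constructed sample requests: (TCP peer address, X-Forwarded-For value)
SAMPLES = [
    ("198.51.100.20", "127.0.0.1"),            # header from the thread, proxy connecting directly
    ("10.0.0.5", "127.0.0.1, 198.51.100.20"),  # same request seen behind the site's own proxy
    ("198.51.100.20", "203.0.113.99"),         # arbitrary value from an untrusted peer
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, "|", xff, "->", naive_client_ip(peer, xff), "vs", client_ip(peer, xff))
```

With this selection logic the `X-Forwarded-For: 127.0.0.1` header from the thread resolves to the connecting proxy's address, so the header would not need to be suppressed on the Squid side.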
