Hi Amos,
On Thu, Mar 17, 2011 at 12:49:20AM +1300, Amos Jeffries wrote:
> >
> > I don't get this to work in Squid 3. The 'header_access' option
> > has been split into {request,reply}_header_access, and 'header_replace'
> > seems to have been changed to only apply to request headers.
>
> AFAIK header_replace has only ever worked on request headers passing
> through to some external server.
No, in Squid 2 it also works for (Squid generated) reply headers,
we use this on our production servers as described.
> You want reply_header_access with the same logic to strip away
> "Proxy-Authenticate: NTLM"
Yeah, but reply_header_access only allows filtering by header name,
not header value, AFAIK.
> I have plans to add ACL testing to decide which auth types get added to
> the challenge headers in the first place. For exactly this type of
> restriction. But have no time to code it myself anytime soon. If you or
> anyone wants to do the work and test it I'm happy to advise and mentor
> the coding.
This sounds nice. But there are probably other use cases where
replacing reply headers could be useful. The small patch* attached
introduces a new config file option 'reply_header_replace' to do
this. This gets our old workaround working again.
To be consistent with the naming change of header_access in Squid 3,
header_replace should be renamed to request_header_replace, I think.
I'd be glad to send patches, if you're interested.
Thanks,
Marco
* Created with 'bzr send'; never used bzr before, so I don't know
if this is the usual way to send patches around...
This archive was generated by hypermail 2.2.0 : Fri Mar 18 2011 - 12:00:03 MDT