Damn, that is f'ed up. And it is a huge Danish site used by almost
every single company in Denmark.
Thank you for your breakdown of the problem
Cheers,
Brian
2012/2/4 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 2/02/2012 10:27 p.m., Per Jessen wrote:
>>
>> Brian Andersen wrote:
>>
>>> Hi I have squid running on a ubuntu server with shorewall. I am using
>>> the default squid config files and I have only blocked one site (which
>>> isn't virk.dk). All sites works perfectly, except http://virk.dk If I
>>> do not redirect my traffic through Squid it works perfectly
>>>
>>> Can any here please check that site (it is a public company site in
>>> Denmark), and maybe enlighten me on what settings I have to change to
>>> get it to work.
>>
>> It doesn't work here either - to start with, I've blacklisted it:
>>
>> acl virkdk dstdomain .virk.dk
>> cache deny virkdk
>>
>> I'm not sure if that works, I'm pretty certain I see this message in the
>> log on every first attempt to access http://virk.dk:
>>
>> Invalid chunk header '#037213#010'
>>
>
> Aha. That would be one of the problem.
>
> I've just run a few tests.
>
> The server seems to be very broken.
>
> When HTTP/1.1 clients send it an invalid request (missing Host) it works
> fine. WTF?
>
> When HTTP/1.1 clients send it a valid a request it responds with
> Transfer-Encoding headers stating that the response is chunked encoded twice
> (two layers to decode).
> BUT... the response is only chunked once.
>
> When HTTP/1.0 clients send it any request it still responds with
> Transfer-Encoding headers.
> * Only one encoding is indicated, BUT HTTP/1.0 clients do not support
> chunked encoding and MUST NOT be sent such headers.
> * On top of that mess, the body is not actually encoded.
>
>
> 'GET /cms/render/live/da/sites/virk/home.html HTTP/1.0
> Host: virk.dk
> User-Agent: squidclient/3.3
> Accept: */*
> Connection: close
>
> '
> Resolving... virk.dk
> Connecting... virk.dk(213.174.73.30)
> Connected to: virk.dk (213.174.73.30)
> HTTP/1.1 200 OK
> Set-Cookie: JSESSIONID=E2059352BD9CAA154835BE95F9597AF2; Path=/; HttpOnly
> Server: Apache-Coyote/1.1
> Expires: Wed, 09 May 1979 05:30:00 GMT
> Cache-Control: no-cache, no-store, must-revalidate, proxy-revalidate,
> max-age=0
> Pragma: no-cache
> Transfer-Encoding: chunked <--- Problem #1: HTTP/1.0 client getting
> chunked header.
> Vary: Accept-Encoding
> Date: Sat, 04 Feb 2012 00:46:04 GMT
> P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
> Content-Type: text/html;charset=UTF-8
> Connection: close
>
> <--- Problem #2: no chunked encoding.
> <!DOCTYPE html PUBLIC ...
> ...
>
>
>
> 'GET /cms/render/live/da/sites/virk/home.html HTTP/1.1
> Host: virk.dk
> User-Agent: squidclient/3.3
> Accept: */*
> Connection: close
>
> '
> Resolving... virk.dk
> Connecting... virk.dk(213.174.73.30)
> Connected to: virk.dk (213.174.73.30)
> HTTP/1.1 200 OK
> Set-Cookie: JSESSIONID=53C47E3818BC600A142F935214BB8CCA; Path=/; HttpOnly
> Server: Apache-Coyote/1.1
> Expires: Wed, 09 May 1979 05:30:00 GMT
> Cache-Control: no-cache, no-store, must-revalidate, proxy-revalidate,
> max-age=0
> Pragma: no-cache
> Transfer-Encoding: chunked <--- NOTE: first encoding: the body is encoded
> using chunked
> Vary: Accept-Encoding
> Date: Sat, 04 Feb 2012 00:59:54 GMT
> P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
> Content-Type: text/html;charset=UTF-8
> Transfer-Encoding: chunked <--- NOTE: second encoding: output of the first
> encoding is encoded using chunked.
> <-- Problem #3: RFC 2616 requires that chunked MUST NOT have another
> encoding applied on top of it (it must be the last encoding). First encoding
> was chunked.
> Connection: close
>
> 2000 <--- NOTE: this is what chunked encoding looks like in HTTP/1.1
> <--- Problem #4: the inner layer of chunking does not exist
> <!DOCTYPE html PUBLIC ...
> ...
>
> Amos
Received on Sun Feb 05 2012 - 09:55:33 MST
This archive was generated by hypermail 2.2.0 : Sun Feb 05 2012 - 12:00:02 MST