Squid configuration directive request_header_access

Available in: 3.3   3.2   3.1   3.HEAD   3.0  

History:

Changes in 3.2 request_header_access

Added support for custom request header names.

Changes in 3.0 request_header_access

Replaces the header_access directive of Squid-2.6 and earlier, but applies to requests only.

Configuration Details:

Option Name:request_header_access
Replaces:
Requires:--enable-http-violations
Default Value:none
Suggested Config:

	Usage: request_header_access header_name allow|deny [!]aclname ...

	WARNING: Doing this VIOLATES the HTTP standard.  Enabling
	this feature could make you liable for problems which it
	causes.

	This option replaces the old 'anonymize_headers' and the
	older 'http_anonymizer' option with something that is much
	more configurable. A list of ACLs for each header name allows
	removal of specific header fields under specific conditions.

	This option only applies to outgoing HTTP request headers (i.e.,
	headers sent by Squid to the next HTTP hop such as a cache peer
	or an origin server). The option has no effect during cache hit
	detection. The equivalent adaptation vectoring point in ICAP
	terminology is post-cache REQMOD.

	The option is applied to individual outgoing request header
	fields. For each request header field F, Squid uses the first
	qualifying sets of request_header_access rules:

	    1. Rules with header_name equal to F's name.
	    2. Rules with header_name 'Other', provided F's name is not
	       on the hard-coded list of commonly used HTTP header names.
	    3. Rules with header_name 'All'.

	Within that qualifying rule set, rule ACLs are checked as usual.
	If ACLs of an "allow" rule match, the header field is allowed to
	go through as is. If ACLs of a "deny" rule match, the header is
	removed and request_header_replace is then checked to identify
	if the removed header has a replacement. If no rules within the
	set have matching ACLs, the header field is left as is.

	For example, to achieve the same behavior as the old
	'http_anonymizer standard' option, you should use:

		request_header_access From deny all
		request_header_access Referer deny all
		request_header_access Server deny all
		request_header_access User-Agent deny all
		request_header_access WWW-Authenticate deny all
		request_header_access Link deny all

	Or, to reproduce the old 'http_anonymizer paranoid' feature
	you should use:

		request_header_access Allow allow all
		request_header_access Authorization allow all
		request_header_access WWW-Authenticate allow all
		request_header_access Proxy-Authorization allow all
		request_header_access Proxy-Authenticate allow all
		request_header_access Cache-Control allow all
		request_header_access Content-Encoding allow all
		request_header_access Content-Length allow all
		request_header_access Content-Type allow all
		request_header_access Date allow all
		request_header_access Expires allow all
		request_header_access Host allow all
		request_header_access If-Modified-Since allow all
		request_header_access Last-Modified allow all
		request_header_access Location allow all
		request_header_access Pragma allow all
		request_header_access Accept allow all
		request_header_access Accept-Charset allow all
		request_header_access Accept-Encoding allow all
		request_header_access Accept-Language allow all
		request_header_access Content-Language allow all
		request_header_access Mime-Version allow all
		request_header_access Retry-After allow all
		request_header_access Title allow all
		request_header_access Connection allow all
		request_header_access All deny all

	although many of those are HTTP reply headers, and so should be
	controlled with the reply_header_access directive.

	By default, all headers are allowed (no anonymizing is
	performed).

 

Back

Search

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors