Bug 34025 - Webpages respond with "Bad Request" after HTTP-Get with X-Forwarded-For Header "unknown" set by squid
Product: UCS
Classification: Unclassified
Component: Squid
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 3.2-2-errata
Assigned To: Felix Botner
QA Contact: Sönke Schwardt-Krummrich
Blocks: 25762 34773
Reported: 2014-01-31 09:46 CET by Michel Smidt
Modified: 2014-08-07 17:41 CEST
Description Michel Smidt 2014-01-31 09:46:07 CET
It seems that some webpages can't parse the X-Forwarded-For HTTP-Header (e.g. turnier.de, alleturniere.de) if the header value is "unknown". The webpages respond with a "Bad Request".
By default in UCS the squid configuration directive for X-Forwarded-For is "off" (see /etc/univention/templates/files/etc/squid3/squid.conf line 219).
This leads to the described "unknown" value in the header.

Setting the configuration directive to "on" or "delete" according to squid-cache.org/Doc/config/forwarded_for/ works with the provided webpages.
I suggest "delete" as default value in the squid.conf.
Furthermore, it should be possible to set the configuration directive in UCR.
Comment 1 Janis Meybohm univentionstaff 2014-01-31 12:08:48 CET
We did some testing at Ticket: 2013103021001753 and came to the conclusion that some web load balancers have problems if the X-Forwarded-For contains a value that cannot be parsed to an IP address (e.g. "unknown").

As clients usually don't set the X-Forwarded-For header, "transparent" (e.g. don't touch an existing header sent by the client) may be a better default than "on" and a lot better than "delete" (which would simply remove the header from all requests).
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2014-04-24 12:34:30 CEST
In UCS@school the HTTP header is required to determine the browser's IP address.
The option should be set via UCR.
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2014-05-08 09:41:38 CEST
As mentioned in http://www.squid-cache.org/Doc/config/forwarded_for/
valid values for the "forwarded_for" option are:
"on", "off", "delete", "truncate", "transparent".

Please use the UCR variable "squid/forwardedfor". The default should be "off" and only be set, if the variable is unset: "ucr set squid/forwardedfor?off"
Comment 4 Felix Botner univentionstaff 2014-05-09 10:03:26 CEST
Added squid/forwardedfor to univention-squid (default off) in errata3.2-2.

YAML: 2014-05-09-univention-squid.yaml
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2014-08-01 14:47:36 CEST
If the variable is unset, no value is written to the config file, which creates an invalid configuration.
→ print "forwarded_for %s" % configRegistry.get("squid/forwardedfor", "")

I think, the default should be "off" instead of "".
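Added example, not part of the bug report and not univention-squid's own code: a sketch of rendering the directive so that an unset, empty or unrecognised "squid/forwardedfor" never produces a value-less forwarded_for line. A plain dict stands in for configRegistry, and the function names and the fallback to "off" for unrecognised values are assumptions of this example.

```python
# Added example. A plain dict stands in for the UCR configRegistry object;
# only its .get() method is used, as in the line quoted in Comment 5.

# Values listed in Comment 3 as valid for the "forwarded_for" option.
VALID_FORWARDED_FOR = ("on", "off", "delete", "truncate", "transparent")
# Default requested in Comments 3 and 5.
DEFAULT_FORWARDED_FOR = "off"


def render_naive(registry):
    """Rendering as quoted in Comment 5: an unset variable gives an empty value."""
    return "forwarded_for %s" % registry.get("squid/forwardedfor", "")


def render_forwarded_for(registry):
    """Always emit the directive with one of the valid values.

    A default passed to .get() only covers an unset variable; a variable set
    to the empty string would still render an empty value, so the result is
    checked against the list of valid values. Falling back to the default
    for unrecognised values is a choice of this example.
    """
    value = (registry.get("squid/forwardedfor") or "").strip()
    if value not in VALID_FORWARDED_FOR:
        value = DEFAULT_FORWARDED_FOR
    return "forwarded_for %s" % value


if __name__ == "__main__":
    # Constructed sample registries: unset, empty, valid, unrecognised.
    samples = [
        {},
        {"squid/forwardedfor": ""},
        {"squid/forwardedfor": "transparent"},
        {"squid/forwardedfor": "yes"},
    ]
    for reg in samples:
        print("%r -> naive=%r checked=%r"
              % (reg, render_naive(reg), render_forwarded_for(reg)))
```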
Comment 6 Felix Botner univentionstaff 2014-08-01 16:37:50 CEST
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2014-08-04 21:29:57 CEST
OK: code change
OK: default value
OK: UCR description
OK: YAML file
Comment 8 Janek Walkenhorst univentionstaff 2014-08-07 17:41:35 CEST