Easy and efficient ways of filtering HTTP headers and HTML tags have been
introduced in DeleGate as of version 7.6.1.
Headers that are undesirable from a security standpoint, "Referer" for example,
can be prevented from being forwarded with a parameter like this:
HTTPCONF=kill-qhead:Referer
Unwelcome HTML tags, "SCRIPT" for example, can be disabled with a parameter
like this:
HTTPCONF=kill-tag:SCRIPT
Using external filters just for filtering like the above is no longer
recommended because of their inefficiency.
For people who have no experience with DeleGate
You can use DeleGate as an HTTP proxy for filtering like the above with
a command line like this:
erase the header fields listed in listOfHeaders before forwarding
a request/response message to the server/client. "kill-qhead" is applied
only to request messages to the server and "kill-rhead" is applied only to
response messages to the client.
-- default: welcome.{dgp,shtml,html,cgi},index.{dgp,shtml,html,cgi},-dir.html
A list of index files or CGI scripts to be used for URLs
of directories ending with "/", like "/path/". This is a list of
candidate file names. The list may end with "-dir.html", which
means the built-in index generator. If the list is empty, empty data
is substituted for the index data.
search:pathOfSearchScript
-- default: none
The path of a CGI script to be applied to URLs with a search part like
"/path?search". This is a global specification applied to all URLs.
You can also specify a local search script for each MOUNT point like
This local specification takes precedence over the global one. A special local
specification "search:-" can be used just to ignore the global
specification for the MOUNT point.
-- default: HTTPCONF=nvserv:noauto
Automatically detects virtual servers in MOUNT parameters and notates
each of them as a MOUNT rule applied only to that virtual server.
This can be done manually by specifying the "nvserv" MountOption
for each MOUNT parameter.
"nvserv:alias" means detecting target servers whose host names share
common IP addresses and notating them as virtual servers.
"nvserv:gen" means notating MOUNT parameters with the "genvhost"
MountOption as virtual servers.
"nvserv:auto" is equivalent to "nvserv:alias,gen".
The guessing can be overridden by explicitly specifying
the "nvserv" MountOption for each MOUNT parameter.
"nvserv:none" disables any treatment of virtual servers, whether
detected automatically or specified explicitly by the "nvserv" MountOption.
methods:listOfAcceptableMethods
-- default: methods:OPTIONS,GET,HEAD,POST,PUT,...
-- See the output to LOGFILE with HTTPCONF=methods:"+"
Limit or add HTTP methods to be accepted.
Example:
HTTPCONF=methods:GET,HEAD -- accept only GET and HEAD
HTTPCONF=methods:-POST,-PUT -- don't accept POST and PUT
HTTPCONF=methods:+,NEWMETHOD1 -- add NEWMETHOD1 to be accepted
HTTPCONF=methods:* -- accept any methods
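As an added illustration (not DeleGate's own code), the following Python models the documented "methods:" list semantics together with the "kill-qhead" header removal described earlier, applied to a constructed request. The default method set and the rule for lists that mix "+"/"-" items with plain names are assumptions, since the page lists the defaults only as "OPTIONS,GET,HEAD,POST,PUT,...".

```python
from typing import Set

# Assumed default set: the page lists only "OPTIONS,GET,HEAD,POST,PUT,..."
DEFAULT_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT"}


def accepted_methods(spec: str) -> Set[str]:
    """Model of HTTPCONF=methods:LIST. A plain list is an allowlist that
    replaces the defaults; "-X" removes X from the defaults; "+" keeps the
    defaults so later items extend them; "*" accepts anything (returned as
    {"*"}). Treating "-"/"+" items as relative to the defaults is assumed."""
    items = [i.strip().upper() for i in spec.split(",") if i.strip()]
    if "*" in items:
        return {"*"}
    relative = any(i == "+" or i.startswith("-") for i in items)
    result = set(DEFAULT_METHODS) if relative else set()
    for item in items:
        if item == "+":
            continue
        if item.startswith("-"):
            result.discard(item[1:])
        else:
            result.add(item)
    return result


def method_allowed(spec: str, method: str) -> bool:
    allowed = accepted_methods(spec)
    return "*" in allowed or method.upper() in allowed


def kill_qhead(request: str, kill_list: str) -> str:
    """Drop request header fields named in HTTPCONF=kill-qhead:listOfHeaders.
    Names compare case-insensitively; request line and body pass untouched."""
    doomed = {h.strip().lower() for h in kill_list.split(",") if h.strip()}
    head, sep, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [lines[0]] + [
        ln for ln in lines[1:]
        if ln.split(":", 1)[0].strip().lower() not in doomed
    ]
    return "\r\n".join(kept) + sep + body


# Constructed sample request; the Referer leaks an internal URL and a token.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Referer: http://intranet.example.com/report?token=CONSTRUCTED\r\n"
    "User-Agent: sample-client\r\n\r\n"
)
```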
rvers:listOfAcceptableResponseVersions
-- default: rvers:HTTP
Add acceptable versions in response messages from HTTP servers.
Example:
HTTPCONF=rvers:+,ICY
HTTPCONF=rvers:* -- accept any response version
encrypt specified attributes in a Set-Cookie response to be stored in a client,
then decrypt and forward the Cookie in requests only to the originator
of the Cookie.
An attribute in a Cookie is specified as "attribute@host"
or "attribute@.domain".
In the former case, a cookie generated by a host is encrypted
and echoed to that host only.
In the latter case, a cookie generated by hosts in the domain
can be echoed to hosts in the domain.
The special string "%a" in cryptKey is substituted with
the IP address of the client. This makes the encrypted Cookie usable
only by clients on the host with that IP address.
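The host/domain scoping and the "%a" key binding described above, as an added Python model that is not DeleGate's code: it does not reproduce the cipher, only the decision of whether a presented Cookie is decryptable with the per-client key and may be echoed to the target host. Treating the bare domain name as inside ".domain" is an assumption.

```python
import hmac


def cookie_scope_allows(spec: str, origin_host: str, target_host: str) -> bool:
    """Scope part of a cookie-encryption spec: "attr@host" lets the cookie
    travel only from and to that exact host; "attr@.domain" lets it travel
    between hosts in that domain. The attribute name itself is not checked."""
    _, _, scope = spec.partition("@")
    origin, target, scope = origin_host.lower(), target_host.lower(), scope.lower()
    if not scope:
        return False
    if scope.startswith("."):
        # Suffix match on a label boundary: ".example.com" matches
        # "www.example.com" (and, by assumption, "example.com" itself) but
        # not "evilexample.com" or "example.com.attacker.net".
        def in_domain(host: str) -> bool:
            return host == scope[1:] or host.endswith(scope)
        return in_domain(origin) and in_domain(target)
    return origin == scope and target == scope


def crypt_key_for_client(crypt_key: str, client_ip: str) -> str:
    """Expand the "%a" placeholder in cryptKey with the client's IP address."""
    return crypt_key.replace("%a", client_ip)


def cookie_may_be_forwarded(spec: str, crypt_key: str, origin_host: str,
                            target_host: str, issued_to_ip: str,
                            presented_from_ip: str) -> bool:
    """Combined decision for a Cookie presented by a client: the scope must
    allow origin -> target, and with "%a" in the key the key derived for the
    presenting client must equal the one used at Set-Cookie time; otherwise
    decryption fails and the cookie is not forwarded."""
    if not cookie_scope_allows(spec, origin_host, target_host):
        return False
    issued_key = crypt_key_for_client(crypt_key, issued_to_ip)
    presented_key = crypt_key_for_client(crypt_key, presented_from_ip)
    # Constant-time comparison, as for any key material.
    return hmac.compare_digest(issued_key.encode(), presented_key.encode())
```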
act as an HTTP/1.0 client against servers (send requests in HTTP/1.0)
clver:1.0
act as an HTTP/1.0 server against clients
(do not use chunked encoding in responses)
acc-encoding:encoding [-thrugzip]
The Accept-Encoding header to be sent to the server.
This applies to a DeleGate that does some interpretation of content
with MOUNT, CHARCODE, CACHE, etc. For such interpretation, the content
(response body) must not be encoded in a format unknown to DeleGate.
"identity" disables any encoding of content by the server.
"-thrugzip" forwards Accept-Encoding:gzip from the client to the server.
If the program "gzip" is not available on the host of DeleGate
(i.e. not found in LIBPATH),
"identity" is sent regardless.
gen-encoding:encoding [gzip]
The encoding applied to the content sent from DeleGate to the client.
Only "gzip" is available in the current implementation.
"identity" and others disable any encoding.
maximum interval between packets relayed on an SSLtunnel
by the CONNECT method.
halfdup
Forbid full-duplex use of an SSLtunnel by the CONNECT method.
urlesc[:escChars] [empty]
the set of characters in a request URL to be escaped in "%XX"
notation before any processing.
As a special case, HTTPCONF="urlesc" means HTTPCONF="urlesc:<>".
consume the substring following "?_?" in a request URL as control information for
DeleGate; when DeleGate gets a request for URL?_?proxycontrol,
only the URL part is forwarded to the server
and the proxycontrol part is (possibly) used by DeleGate.
cka-cfi
keep the connection with the client alive even with an external filter
(FCL, FTOCL).
listOfCodeType == [ respCode / ][ Type [ / subType ] ]
specify response codes or Content-Types of response messages
not to be logged in the access log (PROTOLOG).
record FTP/HTTP transactions in xferlog format too.
bugs:listOfBugs
listOfBugs is a list of features to be disabled
to bypass possible bugs, as follows:
no-gzip ... disable Content-Encoding:gzip
no-keepalive ... disable Connection:Keep-Alive
no-keepaliveproxy ... disable Connection:Keep-Alive with client side proxy
no-chunked ... disable Transfer-Encoding:chunked
no-flush-chunk ... disable flushing response after each chunk
kill-contleng ... erase original Content-Length in chunked encoding
add-contleng ... add or update Content-Length even in chunked encoding
do-authconv ... enable authentication conversion from the client's Basic to the server's Digest
bugs:thru-304
disable the conversion from "304 Not Modified" to "200 Ok" in the message
returned as the response to a conditional request with the "If-Modified-Since" header.
DeleGate with external filters tries to return an HTTP response message with
a body (with the code "200 Ok") when it is filtered (and possibly rewritten)
by the filters, even if the body should be returned empty (304 Not Modified)
based on the modification date (Last-Modified) of the target data.
This is necessary to return data rewritten dynamically by filters, but it
defeats the benefit of the conditional request and the "304" response.
"thru-304" turns the above conversion off and lets DeleGate pass through
"If-Modified-Since" requests from clients and the "Last-Modified" and
"304 Not Modified" responses from servers.
svauth:no-basic
Stop forwarding Basic Authorization (which contains a cleartext password)
from the client to the server.
If the server supports Digest authentication, then DeleGate does it
by proxy for the client.
svauth:less-basic
Postpone forwarding Basic Authorization from the client to the server until
the server requires Basic Authentication.