<?xml version="1.0" encoding="iso-8859-1" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
 <title>How do Firewalls handle 'Content-Encoding:'?</title>
 <meta name="author"      content="Michael Schr&ouml;pl" />
 <meta name="description" content="A description of the behaviour of some firewalls regarding compressed page contents" />
 <meta name="keywords"    content="firewall, HTTP, encoding, gzip, compression" />
 <style type="text/css">
body{font-family:sans-serif;margin:0px 30px 0px 30px;}
h1{font-size:22px;margin-top:20px;}
h2{font-size:18px;margin-top:14px;}
small{font-size:80%;}
td{vertical-align:top;}
tt{font-weight:bold;}
code,tt{font-family:"Courier New",monospace;}
h1,h2{margin-bottom:1px;}
p,td{margin-top:3px;margin-bottom:3px;}
p,ul,ol,li{font-size:17px;line-height:22px;}
ul,ol,li{margin-top:0px;margin-bottom:0px;}
img{border-width:0;}

#nav{position:absolute;top:30px;left:0px;font-size:14px;width:170px;font-weight:bold;margin:2px 2px 2px 30px;}
#nav[id]{position:fixed;}
#nav img{margin:5px;}
#nav p, #nav a:hover, #nav a{display:block;padding:3px;margin:2px;width:150px;font-size:15px;line-height:18px;}
#content{position:absolute;left:220px;right:30px;}
#mail{text-align:right;}
#icon{width:190px;float:left;}
#mail,#icon{margin-top:30px;}

@media screen {
body{color:#000;background-color:#f8ebd9;}
h1{color:#666;}
h2{color:#840;}
code{color:#333;}
em{color:#900;}
tt{color:#909;}
h1,h2,code,em,tt{background-color:inherit;}
.new13192a{color:inherit;background-color:#ffd;}
.new13261a{color:inherit;background-color:#eff;}
.bugfix{color:#fff;background-color:#f00;font-weight:bold;padding:0px 4px;}
#nav a{color:#530;background-color:transparent;}
#nav a{text-decoration:none;}
#nav p, #nav a:hover{color:#000;background-color:#fff;}
#nav p {border:1px #660 solid;}
#nav a {border:1px #666 dotted;}
}

@media print {
#icon,#nav{display:none;}
#content{position:absolute;left:0px;right:0px;}
}
 </style>
</head>

<body>


<div id="content">

<h1>How do Firewalls handle <code>Content-Encoding: gzip</code>?</h1>

<h2><a id="task"></a>Tasks of a firewall</h2>
<p>One of the tasks of a firewall - whether a company firewall or a personal firewall on a client computer - is to remove 'dangerous' or 'unwanted' content from received data.</p>
<p>This implies that the firewall <em>understands</em> this content.</p>
<p>Of course, a correctly working firewall could simply understand and unzip compressed content, as the procedure to be used is explicitly named in the <code>Content-Encoding</code> HTTP header of the response.</p>

<h2><a id="easyway"></a>The 'easy way out'</h2>
<p>But some firewalls simply aren't capable of doing so. As they still try to fulfill their task, they do something very unwanted: they just remove the <code>Accept-Encoding</code> header from the request before it is sent!</p>
<p>As a result, no correctly working server will try to send encoded data any more ... that's not really what we wanted, because the transfer speed may suffer massively from this.</p>
<p><em>Very stupid</em> firewalls, like <strong>Zone Alarm</strong>, simply overwrite the <code>Accept-Encoding</code> header with arbitrary characters, like <code>Xxxxxx-Xxxxxxx: xxxx, xxxxxxx</code>. This saves them from having to send the modified request packet in parts: as its length hasn't changed, they just throw the whole buffer onto the communication line.</p>
<p><em>A little less stupid</em> firewalls, like <strong>Cequrux</strong> from Version 4.1.8, read the HTTP header line by line and completely remove the <code>Accept-Encoding</code> line. Nevertheless, this is just as annoying.</p>

<h2><a id="recognize"></a>How can I recognize this type of behaviour?</h2>
<p>At least the user of a firewall has the opportunity to send a request to a <a href="http://www.schroepl.net/cgi-bin/http_trace.pl"><img class="linkicon" height="15" width="16" alt="arrow" title="external" src="extern.gif" />program</a> of his choice on the WWW and let it display the HTTP headers it received - so that the user at least knows what he got involved in ...</p>
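<p>The comparison described above, as an added example that is not part of the original mod_gzip documentation: it takes the request as the client sent it and the request as a header-tracing program received it, and reports what happened to <code>Accept-Encoding</code> on the way. The function names, the sample requests and the filler-character heuristic are assumptions made for this illustration.</p>

```python
def parse_headers(raw):
    """Return [(name, value)] from a raw HTTP request head (request line skipped)."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def is_filler(name, value):
    """Heuristic (assumption): all letters/digits are one repeated character."""
    chars = [c.lower() for c in name + value if c.isalnum()]
    return len(chars) > 7 and len(set(chars)) == 1


def accept_encoding_fate(sent_raw, received_raw):
    """Compare the request as sent with the request as the trace program saw it."""
    sent = {n.lower(): v for n, v in parse_headers(sent_raw)}
    received = parse_headers(received_raw)
    if "accept-encoding" not in sent:
        return "not-sent"
    for name, value in received:
        if name.lower() == "accept-encoding":
            return "intact" if value == sent["accept-encoding"] else "altered"
    for name, value in received:
        # A header the client never sent, made only of filler characters,
        # is the in-place overwrite described above.
        if name.lower() not in sent and is_filler(name, value):
            return "overwritten"
    return "removed"


# Constructed sample data, not captured traffic.
SENT = (
    "GET /trace HTTP/1.1\r\n"
    "Host: www.example.org\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: demo\r\n\r\n"
)
OVERWRITTEN = SENT.replace("Accept-Encoding: gzip, deflate",
                           "Xxxxxx-Xxxxxxxx: xxxx, xxxxxxx")
REMOVED = SENT.replace("Accept-Encoding: gzip, deflate\r\n", "")

if __name__ == "__main__":
    for label, seen in (("direct", SENT), ("fw A", OVERWRITTEN), ("fw B", REMOVED)):
        print(label, accept_encoding_fate(SENT, seen))
```

<p>The constructed overwrite sample has exactly the same byte length as the original request, which is why that kind of firewall can forward the buffer unchanged in size.</p>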



<p id="mail">(<a href="mailto:michael.schroepl&#x40;gmx.de?subject=mod_gzip">Michael Schr&ouml;pl</a>, 2002-08-30)</p>

</div>

</body>
</html>