Re: [squid-users] https://weather.yahoo.com redirect loop

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 21 Aug 2014 11:10:07 +1200

On 21/08/2014 5:08 a.m., Lawrence Pingree wrote:
> Personally I have found that the latest generation of Next Generation
> Firewalls have been doing blocking when they detect a via with a
> squid header,

Have you been making bug reports to these vendors?
Adding a Via header is mandatory in the HTTP/1.1 specification, and an HTTP
proxy is a designed part of the protocol. So any blocking based on the
simple existence of a proxy is non-compliance with HTTP itself. That
goes for ports 80, 443, 3128, 3130, and 8080 which are all registered
for HTTP use.

However, if your proxy is emitting "Via: 1.1 localhost" or "Via: 1.1
localhost.localdomain" it is broken and may not be blocked so much as
rejected for a forwarding loop because the NG firewall has a proxy itself
on localhost. The Via header is generated from visible_hostname (or the
OS hostname lookup) and is supposed to contain the visible public FQDN of
each server the message is relayed through.

Amos
Received on Wed Aug 20 2014 - 23:10:36 MDT
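
The failure mode described in the message above, as an added example that is not part of the original post or of Squid's code: a small Via parser that flags received-by names such as "localhost" and shows why a downstream proxy using the same name would see a forwarding loop. The header values, host names and the loop check itself are constructed assumptions for illustration.

```python
import re

AMBIGUOUS = {"localhost", "localhost.localdomain"}  # names every host can claim

# Constructed sample header values (not taken from the thread).
BROKEN = "1.1 localhost (squid/3.4.6)"
FIXED = "1.1 proxy1.example.net (squid/3.4.6)"
CHAIN = "1.0 fred, 1.1 proxy1.example.net:3128 (squid, test)"

def split_elements(value):
    """Split a Via value on commas, ignoring commas inside (comments)."""
    parts, depth, cur = [], 0, []
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def parse_via(value):
    """Return (protocol, received-by host, comment) for each hop."""
    hops = []
    for elem in split_elements(value):
        m = re.match(r"(\S+)\s+([^\s(]+)\s*(\(.*\))?$", elem)
        if not m:
            raise ValueError("malformed Via element: %r" % elem)
        host = re.sub(r":\d+$", "", m.group(2).lower())  # drop optional port
        hops.append((m.group(1), host, m.group(3) or ""))
    return hops

def audit_via(value):
    """Flag hops whose name cannot tell one proxy from another."""
    findings = []
    for _, host, _ in parse_via(value):
        if host in AMBIGUOUS:
            findings.append((host, "ambiguous local name"))
        elif "." not in host:
            findings.append((host, "not a fully qualified name"))
    return findings

def is_forwarding_loop(value, own_name):
    """Assumed receiver check: is my own name already in Via?"""
    return own_name.lower() in {h for _, h, _ in parse_via(value)}
```

Running audit_via over Via values captured from a proxy's outbound requests shows whether visible_hostname needs to be set to a public FQDN.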
