
via header in XG http proxy

I was doing some testing on my XG today and noticed that the http proxy via header is enabled.

                                                                                     

Sophos Firmware Version SFOS 16.01.1

console> show http_proxy

HTTP add_via_header: on

........SNIP.........

I turned it off by using

console> set http_proxy add_via_header off

UTM9 doesn't behave the same way and the via header is not injected into every request. I was wondering what is the reasoning behind turning on the via header on http proxy? Also, the via header can be set as anything you want and we shouldn't be advertising our Sophos proxy to the world with the exact port number.

There are other problems with via header and a quick Google search presented this https://community.akamai.com/community/web-performance/blog/2015/05/06/beware-the-via-header-disabled-compression-can-have-a-performance-impact which necessarily says that different web servers reply differently to proxied web requests.

Regards

Bill



This thread was automatically locked due to age.
  • Hey BillyBob,

    Interesting find, looking at that page you linked, the gentleman there also points out that the HTTP 1.1 specification states that proxies must identify themselves with the VIA header. In the past, Astaro devs may have just disabled it by default because of any of many reasons but the XG seems to have been built with it enabled by default.

    Definitely agree that the VIA header should not be showing the full proxy host/IP and port information, to me it should just say "generic proxy" and leave it at that :)

    Adding that command to my notes because that could increase bandwidth consumption depending on usage :)

    Emile

  • I understand what you are saying about HTTP/1.1 specifications but I think if they are going to enable the via header by default, they need to give users the ability to switch it off via GUI. I have always disabled it on squid and UTM has it disabled also. I guess all I am saying is that breaking HTTP/1.1 specifications doesn't affect the client as much as it probably would affect the server.

    But your point is taken, people can decide for themselves how they want to configure their proxies.

    Regards

    Bill

  • Hi Billy,

    Given the option between compliance and non-compliance? Non-compliance is generally faster and more efficient :P

    Have you made a feature request? Will happily cast my vote on it!

    Emile

  • I haven't made a feature request. I was wondering what other people thought about it and for some reason XG users are harder to engage than UTM users ;) The other problem is that a person's geekness level has to be high before they start looking at via headers on the proxy requests. It may have unintended consequences for some home users but I think most admins can use the CLI to easily disable it if needed.

    Thanks for your perspective though, it kind of helped me weigh the pros and cons more effectively.

    Regards

    Bill

  • I will give you my vote too. At least the feature is available from CLI (as most of the XG settings). I love CLI but non-advanced users will not even look at http proxy settings. Nice idea Bill.
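
Added example, not part of the thread and not Sophos code: a small Python check for the concern raised above, that a Via header can advertise the proxy's host/IP and port rather than a generic name. It parses a Via value using the HTTP/1.1 grammar (RFC 7230, section 5.7.1) and flags each hop whose received-by field is an address or host:port instead of a pseudonym. The sample values, the function names and the hostname heuristic are assumptions made for illustration.

```python
import ipaddress
import re

# One Via element (RFC 7230, 5.7.1): [protocol-name/]version received-by [(comment)]
ELEMENT = re.compile(
    r"^(?:(?P<name>[^\s/]+)/)?(?P<version>[^\s/]+)\s+(?P<by>[^\s()]+)"
    r"(?:\s+\((?P<comment>.*)\))?$"
)
HOSTPORT = re.compile(r"^(\[[^\]]+\]|[^:]+):(\d+)$")
# Commas separate hops unless they sit inside a (comment); nested comments are not handled.
HOP_SEPARATOR = re.compile(r",(?![^()]*\))")

# Constructed sample values, not captured from a Sophos XG or any real proxy.
SAMPLES = [
    "1.1 proxy.example.internal:3128",
    "1.1 generic-proxy",
    "1.0 192.0.2.10:8080 (ExampleProxy/1.0, build 7), 1.1 edge",
]

def classify_received_by(received_by):
    """Return (host, port, kind); kind is 'ip', 'hostname' or 'pseudonym'."""
    host, port = received_by, None
    m = HOSTPORT.match(received_by)
    if m:
        host, port = m.group(1), int(m.group(2))
    try:
        ipaddress.ip_address(host.strip("[]"))
        return host, port, "ip"
    except ValueError:
        pass
    # Heuristic (assumption): a dotted name or an explicit port means a real host.
    return host, port, "hostname" if ("." in host or port is not None) else "pseudonym"

def audit_via(value):
    """Parse a Via field value and flag hops that reveal an address or port."""
    findings = []
    for element in (p.strip() for p in HOP_SEPARATOR.split(value) if p.strip()):
        m = ELEMENT.match(element)
        if not m:
            findings.append({"raw": element, "kind": "unparseable", "discloses": False})
            continue
        host, port, kind = classify_received_by(m.group("by"))
        findings.append({"raw": element, "host": host, "port": port, "kind": kind,
                         "comment": m.group("comment"), "discloses": kind != "pseudonym"})
    return findings

if __name__ == "__main__":
    for sample in SAMPLES:
        for hop in audit_via(sample):
            print(hop["kind"], hop["discloses"], hop["raw"])
```

Feed it the Via value seen by a test web server you control, before and after changing the proxy setting, to confirm what the proxy actually sends upstream.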