Support Doc: X-Forwarded-For and VIA Headers

Version 4

     

    Introduction

     

    Have you noticed the Via and X-Forwarded-For headers that the MWG adds to your requests and responses when traffic passes through it? Perhaps you have seen them while troubleshooting or while checking a network tool site such as www.ifconfig.me. This guide explains what these headers are for and gives best practices for using them.

     

    [Screenshot: Whatsmyip.png]


    Explanation: Via Header

    The Via header is a general header defined in the HTTP/1.1 specification (RFC 7230, section 5.7.1). The MWG adds it to requests it forwards to the web and to responses it sends back to the client. Each proxy that handles a message appends its own entry, which tells the recipient which protocol version the message arrived with, the IP address (or pseudonym) of the proxy and, in a comment, the type and version of the proxy software.

     

    Below is a screenshot that shows the Via Header in a packet capture:

     

    [Screenshot: via header.png]


    One of the main benefits to having a Via Header is that it can help prevent Proxy Loops.

     

    A proxy loop happens when a proxy forwards a request to itself, or receives a request "back" from another proxy that it has already forwarded. Each proxy keeps trying to serve the request, so the same request circulates indefinitely. You want to avoid proxy loops: the looping request causes a large resource spike on the proxy, which can lead to performance problems up to the proxy no longer passing traffic. When the Via header is present on the request, the proxy (MWG) can recognize that it has already handled the request and end the loop.

    Proxy Loop Examples


    Below is a visual example of a proxy loop:

     

    [Diagram: proxyloop example.png]


    Below is what a request looks like in a proxy chain without the Via header.

     

    [Screenshot: looptcp.png]

     

    Client (pink): 10.10.72.1 – Proxy1 (blue): 10.10.72.5 - Proxy2 (green): 10.10.72.101

     

    • The first request to www.google.com is made by the client to Proxy1.
    • In the first blue packet, you can see Proxy1 make the same request on behalf of the client to Proxy2.
    • Next, Proxy2 sends the same request back to Proxy1. This is the start of the proxy loop.
    • Notice that the request keeps being forwarded between Proxy1 and Proxy2. The client never receives a response and eventually times out. This is a proxy loop. Because of the large number of requests in a short time, a proxy loop will eventually cause a CPU load and connection spike on both proxies.


    Below is what a request looks like in a proxy chain with the Via header.

     

    [Screenshot: viatcp.png]

     

    Client (pink): 10.10.72.1 – Proxy1 (blue): 10.10.72.5 - Proxy2 (yellow): 10.10.72.101

     

    • The first request to www.google.com is made by the client to Proxy1.
    • In the first blue packet, you can see Proxy1 make the same request on behalf of the client to Proxy2.
    • The final request, from Proxy2 back to Proxy1, is in yellow. Notice that the request is forwarded back to Proxy1 in the first yellow packet. Because the request arrives with a Via header that already names Proxy1, the MWG's proxy loop prevention kicks in and Proxy1 answers with a 502 "infinite proxy loop" response. That response travels back along the path it came until it reaches the client, where it is displayed as a block page.
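    The two captures above, reproduced as an added example (not code from the support doc or from the MWG): two proxies in a chain, Proxy2 misconfigured to forward back to Proxy1, run once without Via handling and once with it. The IP addresses match the captures; the pseudonyms "proxy1"/"proxy2", the MAX_HOPS safety valve and the 502/504 reason strings are constructed for the demonstration and do not reproduce the MWG's real Via format or block page.

```python
"""Two-proxy chain with and without Via-based loop prevention (added example, not MWG code)."""
from dataclasses import dataclass, field

MAX_HOPS = 20  # stands in for the client giving up; a real loop only ends when something times out


@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    reason: str


def parse_via(value):
    """Split a Via header into (protocol, received-by) pairs.

    "1.1 proxy1, 1.1 proxy2 (McAfee Web Gateway)" -> [("1.1", "proxy1"), ("1.1", "proxy2")]
    Trailing comments such as the product name are ignored.
    """
    entries = []
    for element in value.split(","):
        parts = element.strip().split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1]))
    return entries


class Proxy:
    def __init__(self, ip, pseudonym, use_via):
        self.ip = ip
        self.pseudonym = pseudonym   # the received-by token this proxy writes into Via (constructed)
        self.use_via = use_via
        self.next_hop = None         # set by run_chain; a next hop that forwards back to us is a loop
        self.requests_seen = 0

    def handle(self, req, hops=0):
        self.requests_seen += 1
        if self.use_via:
            seen_by = [received_by for _, received_by in parse_via(req.headers.get("Via", ""))]
            if self.pseudonym in seen_by:
                # This request has already passed through us: end the loop here
                return Response(502, "infinite proxy loop")
            # Append our own entry before forwarding, as RFC 7230 requires
            own_entry = f"1.1 {self.pseudonym}"
            existing = req.headers.get("Via")
            req.headers["Via"] = f"{existing}, {own_entry}" if existing else own_entry
        if hops >= MAX_HOPS:
            # Nothing in the request tells the proxy it has seen it before; the client times out
            return Response(504, "client timeout")
        return self.next_hop.handle(req, hops + 1)


def run_chain(use_via):
    """Client 10.10.72.1 -> Proxy1 (10.10.72.5) -> Proxy2 (10.10.72.101), with Proxy2
    misconfigured to forward back to Proxy1 instead of to the origin server.
    Returns (status, reason, requests seen by Proxy1, requests seen by Proxy2, final Via)."""
    proxy1 = Proxy("10.10.72.5", "proxy1", use_via)
    proxy2 = Proxy("10.10.72.101", "proxy2", use_via)
    proxy1.next_hop = proxy2
    proxy2.next_hop = proxy1   # the misconfiguration that creates the loop
    req = Request("http://www.google.com/", {"Host": "www.google.com"})
    resp = proxy1.handle(req)
    return resp.status, resp.reason, proxy1.requests_seen, proxy2.requests_seen, req.headers.get("Via")


if __name__ == "__main__":
    print("without Via:", run_chain(False))
    print("with Via:   ", run_chain(True))
```

    Without Via the request bounces 21 times before the artificial hop limit stops it (a real proxy would keep going until the client or a connection timer gives up); with Via, Proxy1 sees its own pseudonym on the second arrival and answers 502 after a single round trip.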

    Explanation: X-Forwarded-For Header

    X-Forwarded-For is a header used to keep track of the originating client IP when a request reaches a web server through a proxy or load balancer. Each proxy in the chain appends the address it received the request from, so the value is a comma-separated list with the original client first and the most recent hop last. Other appliances such as firewalls can use this header to gather statistics about the originating client IP. Note that nothing authenticates the header: a client can send its own X-Forwarded-For value, so only the entries appended by proxies you control should be trusted.
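    As an added example (not code from the support doc or from the MWG), the following shows how each hop extends X-Forwarded-For and how a web server behind the chain should read it: walk the list from the right, skipping the proxies it trusts, instead of taking the leftmost entry that the client can forge. The client and proxy addresses match the captures; the trusted-proxy set and the spoofed value 203.0.113.7 are constructed.

```python
"""X-Forwarded-For: how hops extend it and how to read it safely (added example, not MWG code)."""
import ipaddress

# The proxies we operate; only hops added by these are believed (constructed for the example)
TRUSTED_PROXIES = {ipaddress.ip_address("10.10.72.5"), ipaddress.ip_address("10.10.72.101")}


def append_xff(headers, peer_ip):
    """What a forwarding proxy does: append the address it received the request from."""
    existing = headers.get("X-Forwarded-For")
    headers["X-Forwarded-For"] = f"{existing}, {peer_ip}" if existing else peer_ip
    return headers


def parse_xff(value):
    return [part.strip() for part in value.split(",") if part.strip()]


def naive_client_ip(headers):
    """The common mistake: take the leftmost entry, which the client itself can write."""
    chain = parse_xff(headers.get("X-Forwarded-For", ""))
    return chain[0] if chain else None


def client_ip(headers, peer_ip):
    """Walk the chain from the TCP peer backwards, skipping hops we trust.

    The first address that is not one of our own proxies is the best available
    client IP. Anything further left was written by an untrusted party.
    """
    chain = parse_xff(headers.get("X-Forwarded-For", "")) + [peer_ip]
    for addr in reversed(chain):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return None   # not an address at all: refuse to guess
        if ip not in TRUSTED_PROXIES:
            return str(ip)
    return None   # every hop was one of our proxies


def web_server_view(client_supplied_xff=None):
    """Client 10.10.72.1 -> Proxy1 10.10.72.5 -> Proxy2 10.10.72.101 -> web server.

    Returns (header the web server sees, naive answer, trusted-walk answer).
    """
    headers = {}
    if client_supplied_xff is not None:
        headers["X-Forwarded-For"] = client_supplied_xff   # client tries to pick its own identity
    append_xff(headers, "10.10.72.1")    # Proxy1 appends the client
    append_xff(headers, "10.10.72.5")    # Proxy2 appends Proxy1
    peer = "10.10.72.101"                # the web server's TCP peer is Proxy2
    return headers["X-Forwarded-For"], naive_client_ip(headers), client_ip(headers, peer)


if __name__ == "__main__":
    print(web_server_view())
    print(web_server_view("203.0.113.7"))
```

    With a spoofed value the naive reading reports 203.0.113.7 while the trusted walk still returns 10.10.72.1, which is also why the "Remove X-Forwarded-For" rule later in this document is safe: the header only carries information for devices that know which hops to believe.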

     

    Below is a screenshot that shows the X-Forwarded-For Header in a packet capture:

     

    [Screenshot: xforwardedfor.png]


    Best Practices

    Via header

    As the Via header can include sensitive network information that you may not want released, we recommend modifying it to a single word such as "Proxy". Used this way the Via header still protects you from proxy loops, and you know that no network information is being sent to the Internet. Because the loop check in the rule set below simply looks for the stored text anywhere in the Via header, use a value that is unique to each proxy: two MWGs chained behind each other with the same Via text would treat every request from the upstream proxy as a loop, and a third-party proxy that happens to use the same word would be blocked as well.

     

    X-Forwarded-For

    As discussed above, the X-Forwarded-For header also contains internal network information (the client's IP address) that you may not want released to the Internet. We recommend removing it unless you have a device in your network that actually uses this header.

     

    Note: There are situations in which web servers behave unexpectedly when they see the Via and/or X-Forwarded-For headers. These cases are not common, as properly written servers ignore headers they are not interested in. When it does happen, it may be necessary to remove these headers only for the affected web servers.

     

    We'll cover best practices for modifying and removing these headers below.


    Procedure

    The Procedure for removing these headers differs by version. Please find your version below and follow the instructions to remove the headers.

     

     

    Versions < 7.2

    We need to create the following rules to accomplish this:

    Set Via Text: This rule stores the string used for your modified Via header. Edit this rule and replace "Proxy A" with the value you want in place of the default Via header value.

    Check If Via Text Exists: This rule prevents proxy loops by blocking requests whose Via header already contains the modified Via text. It checks the Via header value for the text defined in "Set Via Text".

    Modify Via: If the request gets past "Check If Via Text Exists", this rule removes the current Via header and adds a new one with the value defined in "Set Via Text".

    Remove Via: This rule is disabled by default. It removes the Via header on a per-site basis. Enable it only when a problem web server has trouble with the Via header.

    Remove X-Forwarded-For: This rule removes the X-Forwarded-For header.

     

    Once the rule set is created or imported, it looks like this:

     

    [Screenshot: under7.2 ruleset.png]


    Rule Set: Remove Header: Via and X-Forwarded-For
      Enabled: Yes
      Applies to: Requests: True / Responses: True / Embedded Objects: False
      Criteria: Always

      Rule: Set Via Text (Enabled)
        Criteria: Always
        Action:   Continue
        Events:   Set User-Defined.viaText = "Proxy A"
        Comment:  This rule sets the value for the new Via header.

      Rule: Check if Via Text exists (Enabled)
        Criteria: (Cycle.Name equals Request
                   And Command.Name does not equal CERTVERIFY)
                  And Header.Request.Exists(Via) equals True
                  And Header.Request.Get(Via) Matches String.ToWildcard(String.Concat("*", String.Concat(User-Defined.viaText, "*")))
        Action:   Block
        Events:   (none)
        Comment:  This rule blocks the request if the Via header contains the Via text defined in the rule above.

      Rule: Modify Via (Enabled)
        Criteria: Always
        Action:   Continue
        Events:   Header.RemoveAll("Via")
                  Header.Add("Via", User-Defined.viaText)
        Comment:  This rule modifies the Via header.

      Rule: Remove Via (Disabled)
        Criteria: URL.Host matches in list Remove Via
        Action:   Continue
        Events:   Header.RemoveAll("Via")
        Comment:  This rule removes the Via header.

      Rule: Remove X-Forwarded-For (Enabled)
        Criteria: Always
        Action:   Continue
        Events:   Header.RemoveAll("X-Forwarded-For")
        Comment:  This rule removes the X-Forwarded-For header.

     

     

    Version >= 7.2

    The rule set for version 7.2 and higher differs in one respect: it additionally uses the Proxy Control event <Disable Via Header> in the "Modify Via" and "Remove Via" rules, so that the proxy itself does not add its own Via header when forwarding the message.

    Set Via Text: This rule stores the string used for your modified Via header. Edit this rule and replace "Proxy A" with the value you want in place of the default Via header value.

    Check If Via Text Exists: This rule prevents proxy loops by blocking requests whose Via header already contains the modified Via text. It checks the Via header value for the text defined in "Set Via Text".

    Modify Via: If the request gets past "Check If Via Text Exists", this rule removes the current Via header and adds a new one with the value defined in "Set Via Text".

    Remove Via: This rule is disabled by default. It removes the Via header on a per-site basis.

    Remove X-Forwarded-For: This rule removes the X-Forwarded-For header.

     

    Once the rule set is created or imported, it looks like this:

     

    [Screenshot: 7.2 ruleset.png]


    Rule Set: Remove Header: Via and X-Forwarded-For
      Enabled: Yes
      Applies to: Requests: True / Responses: True / Embedded Objects: False
      Criteria: Always

      Rule: Set Via Text (Enabled)
        Criteria: Always
        Action:   Continue
        Events:   Set User-Defined.viaText = "Proxy A"
        Comment:  This rule sets the value for the new Via header.

      Rule: Check if Via Text exists (Enabled)
        Criteria: (Cycle.Name equals Request
                   And Command.Name does not equal CERTVERIFY)
                  And Header.Request.Exists(Via) equals True
                  And Header.Request.Get(Via) Matches String.ToWildcard(String.Concat("*", String.Concat(User-Defined.viaText, "*")))
        Action:   Block
        Events:   (none)
        Comment:  This rule blocks the request if the Via header contains the Via text defined in the rule above.

      Rule: Modify Via (Enabled)
        Criteria: Always
        Action:   Continue
        Events:   Header.RemoveAll("Via")
                  Proxy Control<Disable Via Header>
                  Header.Add("Via", User-Defined.viaText)
        Comment:  This rule modifies the Via header.

      Rule: Remove Via (Disabled)
        Criteria: URL.Host matches in list Remove Via
        Action:   Continue
        Events:   Header.RemoveAll("Via")
                  Proxy Control<Disable Via Header>
        Comment:  This rule removes the Via header.

      Rule: Remove X-Forwarded-For (Enabled)
        Criteria: Always
        Action:   Continue
        Events:   Header.RemoveAll("X-Forwarded-For")
        Comment:  This rule removes the X-Forwarded-For header.
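    To make the rule logic of both rule sets above concrete, here is the same five-rule sequence modelled in plain Python. This is an added example, not the MWG rule engine or code from the support doc: it evaluates the criteria in rule order on a header dictionary and returns the action the rule set would take. It does not model the Proxy Control <Disable Via Header> event or the proxy's own default Via header. The value "Proxy A", the host list entry legacy.example.net, the sample headers and the assumption that the wildcard match is case-sensitive are all constructed for the example.

```python
"""The "Remove Header: Via and X-Forwarded-For" rule set modelled in Python (added example, not MWG code)."""
import fnmatch

VIA_TEXT = "Proxy A"                       # what "Set Via Text" stores in User-Defined.viaText
REMOVE_VIA_LIST = {"legacy.example.net"}   # the "Remove Via" host list (hostname constructed)


def evaluate(cycle, command, host, headers, remove_via_enabled=False):
    """Run the five rules in order. Returns ("Block", reason) or ("Continue", headers).

    cycle is "Request" or "Response"; command is the HTTP method or CERTVERIFY.
    HTTP header names are case-insensitive, so keys are normalised to lowercase.
    """
    headers = {name.lower(): value for name, value in headers.items()}

    # Rule 1: Set Via Text -> VIA_TEXT (a module constant here)

    # Rule 2: Check if Via Text exists. Only on the request cycle and never for
    # the CERTVERIFY command, exactly as in the rule's criteria.
    if cycle == "Request" and command != "CERTVERIFY" and "via" in headers:
        # String.ToWildcard(String.Concat("*", String.Concat(viaText, "*"))) -> "*Proxy A*"
        # fnmatchcase is case-sensitive; whether MWG's match is too is an assumption.
        if fnmatch.fnmatchcase(headers["via"], "*" + VIA_TEXT + "*"):
            return ("Block", "infinite proxy loop")

    # Rule 3: Modify Via. Header.RemoveAll("Via") then Header.Add("Via", viaText):
    # the proxy address and software version are replaced by the chosen word.
    headers.pop("via", None)
    headers["via"] = VIA_TEXT

    # Rule 4: Remove Via (disabled by default). Only for hosts in the list.
    if remove_via_enabled and host in REMOVE_VIA_LIST:
        headers.pop("via", None)

    # Rule 5: Remove X-Forwarded-For, so the internal client address never leaves.
    headers.pop("x-forwarded-for", None)
    return ("Continue", headers)


def two_identical_proxies(headers):
    """The same request crossing two MWGs that both use VIA_TEXT.

    The second one blocks it whether or not there is a real loop, because the
    check only looks for the text: chained proxies need distinct Via text values.
    """
    action, result = evaluate("Request", "GET", "www.google.com", headers)
    if action != "Continue":
        return action, result
    return evaluate("Request", "GET", "www.google.com", result)


if __name__ == "__main__":
    print(evaluate("Request", "GET", "www.google.com",
                   {"Via": "1.1 10.10.72.5 (proxy)", "X-Forwarded-For": "10.10.72.1"}))
    print(evaluate("Request", "GET", "www.google.com", {"Via": "1.1 Proxy A"}))
    print(two_identical_proxies({"Host": "www.google.com"}))
```

    A request entering with the default Via and an X-Forwarded-For header leaves with "Via: Proxy A" and no X-Forwarded-For; a request whose Via already contains "Proxy A" is blocked on the request cycle but not for CERTVERIFY or on the response cycle; and two proxies sharing the same text block each other, which is the reason for the per-proxy value recommended under Best Practices.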

     

    Ruleset Downloads

    Version <7.2

    Version >=7.2

     

    Conclusion

     

    By reading this article, you learned about the Via and X-Forwarded-For headers and how to manage them using our best practices.