cancel
Showing results for 
Search instead for 
Did you mean: 

VIA header modification - 403 errors from different Webservers

Hi,

we have a via header modification rule since 2013 but in the last month we got a few times issues with that, because some webservers were not accepting this modified via header, so I had to configure an exception for specific sites.. the name is a little bit confusing (the first rule should have the name "do not remove anything if URL matches in list...")

This is the error message that we get:

Because of the fact that the pages that sent this error have nothing in common I thought this might be a new security feature which some webservers are using... So my question is: is it enough just to write "secure proxy...." in the via header, or are there any specific parameters that this webservers are checking? So maybe I would have to write something similar like "secure proxy, 1.1.1.1, version foobar..." so it looks like a legitimate header..

Does anyone have the same experience?

thanks,

RP

0 Kudos
4 Replies
ifrank
Level 9

Re: VIA header modification - 403 errors from different Webservers

We had to entirely remove the VIA header for some web servers. Yahoo and Flickr are on that list.

0 Kudos
eelsasser
Level 15

Re: VIA header modification - 403 errors from different Webservers

Via headers are used to identify which proxy the traffic has gone through in order to avoid a proxy loop.

There is a possibility that the same request could go though the same proxy again and again. That is why each proxy should put a unique identifier into the header to identify itself.

However, if the routing of your traffic is simply enough, why not just remove the Via header entirely?

Alternatively, you don't have to use the header named "Via" it can be anything. I use a custom header to perform the same task, X-MWG-Via, and populate it with the UUID of the system it traversed.

Capture.png

0 Kudos
Troja
Level 14

Re: VIA header modification - 403 errors from different Webservers

Hi all,

i did some Investigation for Flickr, a Yahoo company | Flickr - Photo Sharing!. I saw the same behavior. When doing a check with "policy tracing central" on the first look it Looks like a wrong HTTP 301 Redirect Response from flickr.com.I have not decrypted the SSL traffic for deeper inspection. The only thing i noticed in the packet capture...

spdy.jpg

I found a info about this protocol: http://www.chromium.org/spdy/spdy-whitepaper

Could this protocol produce some Problems?

Cheers

0 Kudos
ifrank
Level 9

Re: VIA header modification - 403 errors from different Webservers

Spdy had been pushed by Google, and implemented in most modern browsers. It has now been superseded by HTTP2, to which Google engineers had contributed significantly. Google has since announced to abandon Spdy in favor of HTTP2.

I do not think it's related to this issue with Flickr and Yahoo.

By the way, in response to Erik's post... we also use a Rule Set here to mask the full proxy info. Still using the standards VIA header but removing it first and populating it with a custom string that allows us to track which node was processing the traffic, and enable us to catch a loop in a subsequent rule.

0 Kudos