On 21/08/2014 5:08 a.m., Lawrence Pingree wrote:
> Personally I have found that the latest generation of Next Generation
> Firewalls have been doing blocking when they detect a via with a
> squid header,

Have you been making bug reports to these vendors?
Adding a Via header is mandatory in HTTP/1.1 specification, and HTTP
proxy is a designed part of the protocol. So any blocking based on the
simple existence of a proxy is non-compliance with HTTP itself. That
goes for ports 80, 443, 3128, 3130, and 8080 which are all registered
for HTTP use.

However, if your proxy is emitting "Via: 1.1 localhost" or "Via: 1.1
localhost.localdomain" it is broken and may not be blocked so much as
rejected for forwarding loop because the NG firewall has a proxy itself
on localhost. The Via header is generated from visible_hostname (or the
OS hostname lookup) and supposed to contain the visible public FQDN of
each server the message relayed through.

Amos
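The two conditions Amos describes, a proxy seeing its own visible hostname already in the Via chain (a forwarding loop) and a hop that identifies itself as "localhost" or "localhost.localdomain" (a misconfigured proxy whose Via entry is useless to everyone downstream), can be checked with a small Via parser. The following is an added example written for this thread; it is not Squid's own loop-detection code, and the hostnames, the `PLACEHOLDER_HOSTS` set and the function names are assumptions made for illustration.

```python
"""Parse an HTTP Via header and flag forwarding loops and placeholder hostnames.

Added example, not Squid's code. Each proxy appends "1.1 <visible_hostname>"
to Via, so finding its own name already in the chain means the request has
looped back to it; a received-by of "localhost" / "localhost.localdomain" is a
broken hop that can never be matched against a real public FQDN.
"""
from dataclasses import dataclass
from typing import List

# Assumed set of names that are never a valid public identity for a proxy.
PLACEHOLDER_HOSTS = {"localhost", "localhost.localdomain"}


@dataclass
class ViaHop:
    protocol: str      # received-protocol, e.g. "1.1" or "HTTP/1.1"
    received_by: str   # host[:port] or a pseudonym
    comment: str       # optional "( ... )" comment, parentheses stripped


def _split_via_elements(value: str) -> List[str]:
    """Split on commas that are not inside a parenthesised comment."""
    elements, depth, current = [], 0, []
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth > 0:
            depth -= 1
        if ch == "," and depth == 0:
            elements.append("".join(current))
            current = []
        else:
            current.append(ch)
    elements.append("".join(current))
    return [e.strip() for e in elements if e.strip()]


def parse_via(value: str) -> List[ViaHop]:
    """Turn a Via field value into a list of hops, oldest first."""
    hops = []
    for element in _split_via_elements(value):
        comment = ""
        if "(" in element:
            element, comment = element.split("(", 1)
            comment = comment.rstrip().rstrip(")").strip()
        parts = element.split()
        if len(parts) < 2:
            continue  # malformed: protocol and received-by are both mandatory
        hops.append(ViaHop(parts[0], parts[1], comment))
    return hops


def host_of(received_by: str) -> str:
    """Strip a trailing :port (bracketed IPv6 literals are left untouched)."""
    host = received_by
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host.lower()


def check_via(value: str, visible_hostname: str) -> dict:
    """Report the hop list, whether we already appear in it, and broken hops."""
    hops = parse_via(value)
    hosts = [host_of(h.received_by) for h in hops]
    return {
        "hops": [h.received_by for h in hops],
        "loop": visible_hostname.lower() in hosts,
        "placeholder_hops": [h for h in hosts if h in PLACEHOLDER_HOSTS],
    }


def append_via(value: str, visible_hostname: str, version: str = "1.1") -> str:
    """Add this proxy's own hop, as a compliant relay must do before forwarding."""
    hop = f"{version} {visible_hostname}"
    return f"{value}, {hop}" if value.strip() else hop


if __name__ == "__main__":
    # Constructed sample header: one well-configured hop, one broken hop.
    sample = "1.1 proxy-a.example.com (squid/3.5), 1.1 localhost"
    print(check_via(sample, "proxy-b.example.com"))
    print(append_via(sample, "proxy-b.example.com"))
```

A proxy would run `check_via` on the incoming request before `append_via`: a `loop` result means the request should be rejected rather than forwarded, and a non-empty `placeholder_hops` list points at an upstream whose visible_hostname needs fixing.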
