No, I mean they are intentionally blocking with a configured policy, it's not a 
bug. :) They have signatures that match Via headers and forwarded for headers 
to determine that it's squid. This is because many hackers are using bounces 
off open squid proxies to launch web attacks. 

-----Original Message-----
From: Amos Jeffries [] 
Sent: Wednesday, August 20, 2014 4:10 PM
Subject: Re: [squid-users] redirect loop

On 21/08/2014 5:08 a.m., Lawrence Pingree wrote:
> Personally I have found that the latest generation of Next Generation 
> Firewalls have been doing blocking when they detect a via with a squid 
> header,

Have you been making bug reports to these vendors?
Adding Via header is mandatory in HTTP/1.1 specification, and HTTP proxy is a 
designed part of the protocol. So any blocking based on the simple existence of 
a proxy is non-compliance with HTTP itself. That goes for ports 80, 443, 3128, 
3130, and 8080 which are all registered for HTTP use.

However, if your proxy is emitting "Via: 1.1 localhost" or "Via: 1.1 
localhost.localdomain" it is broken and may not be blocked so much as rejected 
for forwarding loop because the NG firewall has a proxy itself on localhost. 
The Via header is generated from visible_hostname (or the OS hostname lookup) 
and supposed to contain the visible public FQDN of each server the message 
relayed through.
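
An added example, not part of the thread above: a small Python check that parses a Via field value hop by hop and flags the two names the message calls broken, plus any received-by name that is not fully qualified. The function names and the sample header values (including the version strings in the comments) are constructed for illustration.

```python
import re

# Names the message above calls broken when they appear in Via.
BROKEN_NAMES = {"localhost", "localhost.localdomain"}

def split_hops(via_value):
    """Split a Via field value on commas that sit outside (comments)."""
    hops, depth, cur = [], 0, []
    for ch in via_value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            hops.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    hops.append("".join(cur).strip())
    return [h for h in hops if h]

def check_via(via_value):
    """Return a (received_by, problem) pair per hop; problem is None if OK."""
    results = []
    for hop in split_hops(via_value):
        parts = hop.split(None, 2)  # protocol, received-by, optional comment
        if len(parts) < 2:
            results.append((hop, "malformed hop"))
            continue
        host = re.sub(r":\d+$", "", parts[1]).lower()  # drop optional port
        if host in BROKEN_NAMES:
            problem = "loopback name, may be rejected as a forwarding loop"
        elif "." not in host:
            problem = "not a fully qualified name"
        else:
            problem = None
        results.append((host, problem))
    return results

# Constructed sample header values (not captured traffic).
SAMPLES = [
    "1.1 localhost (squid/3.4.6)",
    "1.1 proxy.example.com (squid/3.4.6)",
    "1.0 cache1, 1.1 localhost.localdomain:3128 (squid, test build)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_via(s))
```

A flagged hop on your own proxy points back at the visible_hostname setting (or the OS hostname) that the message names as the source of the Via value.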

