How To Maintain the "X-Forwarded-For" Header for Internal Network/s While Excluding From External Networks

Article ID: 170085

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

This article discusses traffic behavior between networks when the "X-Forwarded-For" or "X-BlueCoat-Via" headers are present in requests.
 
Several key notes:
  • These headers are only visible to ProxySG appliances when SSL interception is performed on the related requests.
  • In some topologies, internal policy may require these specific headers to be denied. In that case, to avoid blocking the affected traffic, the headers must be removed before the requests reach an upstream or internal device that may block them (e.g. an external firewall).
  • In some topologies, internal policy may also require the "X-Forwarded-For" or "X-BlueCoat-Via" headers to be removed from traffic destined to external networks, while retaining them for internal networks.
  • This article provides CPL code that makes this exception possible.

 

Resolution

Apply the following CPL (Content Policy Language) script either through the proxy's local policy file (Configuration > Policy > Policy Files) or through a VPM (Visual Policy Manager) CPL layer:

 

Example A

;########################################################################################
; Example A: one internal client subnet, one internal destination subnet.
; Requests from 10.2.3.0/24 to any destination outside 10.2.3.0/24 match the
; rule and have both headers removed; all other requests keep their headers.
<Proxy>
client.address=10.2.3.0/24 url.address=!10.2.3.0/24 action.bluecoat(yes) Allow action.ControlRequestHeader1(yes)

; Removes the X-BlueCoat-Via header from the matching request
define action bluecoat
    delete(request.header.X-BlueCoat-Via)
end action bluecoat

; Removes the X-Forwarded-For header from the matching request
define action ControlRequestHeader1
    delete(request.header.X-Forwarded-For)
end action ControlRequestHeader1
;########################################################################################

 

Example B

;########################################################################################
; Example B: several client subnets and several internal destination subnets.
; Requests from any Client_Subnets range to a destination that is NOT in
; Internal_Destinations match the rule and have both headers removed.
<Proxy>
condition=Client_Subnets condition=!Internal_Destinations action.Delete_XForwarded_XVia_Headers(yes) ALLOW

; Source subnets whose outbound requests should be stripped of the headers
define condition Client_Subnets
    client.address=10.1.1.0/24
    client.address=10.2.2.0/24
    client.address=10.3.3.0/24
end

; Destination subnets for which the headers must be retained
define condition Internal_Destinations
    url.address=10.4.4.0/24
    url.address=10.5.5.0/24
    url.address=10.6.6.0/24
end

; Removes both headers from the matching request
define action Delete_XForwarded_XVia_Headers
    delete(request.header.X-BlueCoat-Via)
    delete(request.header.X-Forwarded-For)
end action Delete_XForwarded_XVia_Headers
;########################################################################################

Notes

  • The above CPL code removes the "X-Forwarded-For" and "X-BlueCoat-Via" headers from requests whose destination does not match the defined internal address ranges.
    • The headers remain intact for the defined internal destinations and are removed for all other destinations. In Example A, for instance, the headers are removed for requests from 10.2.3.0/24 whose destination is not in 10.2.3.0/24. Example A covers a single source subnet and a single destination subnet, whereas Example B covers several of each.
  • The source and destination conditions should be modified as needed.
  • To verify correct behavior after applying the above scripts, collect a proxy packet capture (Maintenance > Service Information > Packet Captures) and review the captured requests to determine whether the headers in question were retained or removed per policy.
  • Also keep in mind that SSL interception (decryption) may affect the behavior of the script, since the headers of HTTPS requests are only visible to the proxy when it intercepts them.
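As an added illustration (not ProxySG code and not part of this article), the following Python models the Example B rule and the verification step from the notes: it decides which requests lose the headers and checks a captured request against that expectation. The subnets mirror Example B; the captured request and client/destination addresses are constructed samples.

```python
"""Model of the Example B rule: strip the two headers only for requests from the
defined client subnets to destinations outside the defined internal ranges."""
import ipaddress
from typing import Dict

# Subnets copied from Example B; the sample request below is constructed.
CLIENT_SUBNETS = [ipaddress.ip_network(n) for n in ("10.1.1.0/24", "10.2.2.0/24", "10.3.3.0/24")]
INTERNAL_DESTINATIONS = [ipaddress.ip_network(n) for n in ("10.4.4.0/24", "10.5.5.0/24", "10.6.6.0/24")]
STRIPPED_HEADERS = ("x-forwarded-for", "x-bluecoat-via")

# Constructed capture of one request as it left the proxy
SAMPLE_REQUEST = (
    "GET http://203.0.113.10/ HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "X-Forwarded-For: 10.1.1.25\r\n"
    "X-BlueCoat-Via: proxysg-1\r\n"
    "\r\n"
)

def in_any(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def rule_matches(client_ip: str, dest_ip: str) -> bool:
    """condition=Client_Subnets condition=!Internal_Destinations"""
    return in_any(client_ip, CLIENT_SUBNETS) and not in_any(dest_ip, INTERNAL_DESTINATIONS)

def apply_policy(client_ip: str, dest_ip: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Return the request headers as the rule would leave them (names compared case-insensitively)."""
    if not rule_matches(client_ip, dest_ip):
        return dict(headers)  # rule not matched: headers untouched
    return {k: v for k, v in headers.items() if k.lower() not in STRIPPED_HEADERS}

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Header block of one captured HTTP request; stops at the blank line."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers

def capture_consistent(client_ip: str, dest_ip: str, raw_request: str) -> bool:
    """Verification: a request the rule should have stripped must carry neither header.
    Missing headers on a non-matching request are not a violation (the proxy may not have inserted them)."""
    present = {k.lower() for k in parse_headers(raw_request)}
    leaked = any(h in present for h in STRIPPED_HEADERS)
    return not (rule_matches(client_ip, dest_ip) and leaked)
```

Note that a client outside Client_Subnets never matches the rule, so its headers are kept regardless of destination; only the defined internal sources are affected.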