Client receives 'Content Encoding Error' exception page


Article ID: 168378


Products

Web Security Service - WSS

Issue/Introduction

When the Origin Content Server (OCS) returns a Content-Encoding response header of one type but encodes the data differently, the Web Security Service (ThreatPulse cloud) displays the following exception page and blocks access to the site.

Content Encoding Error

Cause

The web server's HTTP response headers indicate that it will respond with one type of encoding, but the server responds with a different type of encoding.

For example, a commonly seen case is a web server that declares a gzip-compressed object when the content is actually text.

In a PCAP taken while accessing this site, most of the responses have "Content-Encoding: gzip".

Example:

Here the response content really is served as gzip (it looks like garbage data in the capture).

===

Content-Encoding: gzip

Content-Length: 10116

.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe][email protected]{....{....;.N'...?\fd.l..J...!....?~|.?"~..7N...O.<y...<M...<...[Zf...>....g..y6;z...,.......>Z......w..y...._...?......x..Z......G..Z...^:;.,.].'..e..?.....VU.z-..Y;.l._..|......h...n.Y.....2..i]...Zv.........h....c..<O_.....K...U..>..iz.n.j.....*...][email protected]_....E5..e..z{o..xo...GG..JS..qY,...:?.wNdpw'U.6m......(..........y.....z.u...{e<.K.;..z.rL..W.

.t.......^.q.Ev..}.-....K.y..no+=.g.D.no...Mj.x....Gw.........<[..xZ-.....y.(....\..O^[email protected]

..uzxZW...]..`.?.....v#..{P.B....`..../2*....xwo.{......;....4.^.2......c. F..t..;@|v.,&.BB..?.k.(.].#[email protected],..e1}K..h%.}..tv....    

===

For the bad connection, the response header also says Content-Encoding: gzip. However, the content is actually served as text/html (<html><head><title>Object moved).

=====

Content-Encoding: gzip

Content-Length: 178

 

<html><head><title>Object moved</title></head><body>

<h2>Object moved to <a href="http://portal.godependable.com/secure/ltl/tracking?id=0441453">here</a>.</h2>

</body></html>

=====
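The mismatch described above can be confirmed offline from a captured response. The following is an added example, not code from the original article or from the product: it compares the declared Content-Encoding with the gzip magic bytes and a trial decompression. The function names, status lines and sample responses are constructed for illustration.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream (RFC 1952)


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def check_content_encoding(raw: bytes) -> str:
    """Return 'ok', 'not-declared', or 'mismatch: <reason>' for a raw response."""
    headers, body = split_response(raw)
    declared = headers.get("content-encoding", "").lower()
    if declared not in ("gzip", "x-gzip"):
        return "not-declared"
    if not body.startswith(GZIP_MAGIC):
        return "mismatch: body does not start with gzip magic bytes 1f 8b"
    try:
        gzip.decompress(body)  # also catches truncated or corrupt streams
    except (OSError, EOFError, zlib.error) as exc:
        return f"mismatch: body fails gzip decompression ({exc})"
    return "ok"


def build_response(status_line: bytes, body: bytes) -> bytes:
    """Constructed sample: a response that always declares Content-Encoding: gzip."""
    return (status_line + b"\r\nContent-Encoding: gzip\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples modelled on the two captures above (not the real payloads;
# the status lines are assumptions, the article does not show them).
GOOD = build_response(b"HTTP/1.1 200 OK", gzip.compress(b"<html><body>hello</body></html>"))
BAD = build_response(b"HTTP/1.1 302 Found",
                     b"<html><head><title>Object moved</title></head><body></body></html>")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, "->", check_content_encoding(raw))
```

A "mismatch" result for a site that triggers the exception page is the evidence to pass to the site's webmaster.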

Resolution

Workaround

  1. If the clients connect through a PAC file or Unified Agent, add the OCS IP to the bypass list.

  2. If the clients connect through an IPSec tunnel, add the OCS IP to the bypass list of the IPSec gateway (firewall) so that the traffic is not forwarded to the cloud service for processing.

  3. Or, contact the webmaster of the site to fix their encoding issue.
