How To Maintain the "X-Forwarding-for" Header for Internal Network/s While Excluding From External Networks

book

Article ID: 170085

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

This tech document discusses traffic behavior between networks when the "X-Forwarded-For" or "X-Bluecoat-Via" headers are included within packets.
 
Several key note(s):
  • These headers are only visible by ProxySG appliances when performing SSL Interception on related requests.
  • Within some topologies, per internal policy, it may be required to deny these specific headers. Under these circumstances and, in order to avoid blocking affected traffic, it will be required to remove these headers before the requests reach an upstream/internal device that may block them (e.g: an external firewall).
  • Within some topologies, per internal policy, it may also be required to remove the "X-Forwarded-For" or "X-Bluecoat-Via" headers for traffic reaching external networks, while retaining said headers for internal networks.
  • The purpose of this article is to provide CPL script code that can be used to make this exception possible.

 

Resolution

Apply the following CPL (Content Policy Language) script via either the proxy local file (Configuration > Policy > Policy Files) or a proxy VPM (Visual Policy Manager) CPL layer:

 

Example A

;########################################################################################
<Proxy>
client.address=1.2.3.0/24 url.address=!1.2.3.0/24 action.bluecoat(yes) Allow action.ControlRequestHeader1(yes)
   
define action bluecoat
delete(request.header.X-BlueCoat-Via)
end action bluecoat

define action ControlRequestHeader1
delete(request.header.X-Forwarded-For)
end action ControlRequestHeader1
;########################################################################################

 

Example B

;########################################################################################
<Proxy>
condition=Client_Subnets condition=!Internal_Destinations action.Delete_XForwarded_XVia_Headers(yes)  ALLOW
  
define condition Client_Subnets
client.address=1.1.1.0/24
client.address=2.2.2.0/24
client.address=3.3.3.0/24
end

define condition Internal_Destinations
url.address=4.4.4.0/24
url.address=5.5.5.0/24
url.address=6.6.6.0/24
end

define action Delete_XForwarded_XVia_Headers
    delete(request.header.X-BlueCoat-Via)
delete(request.header.X-Forwarded-For)
end action Delete_XForwarded_XVia_Headers
;########################################################################################

Note(s) 

  • The above CPL code removes the "X-Forwarding-For" and "X-Bluecoat-via" headers from processed packets that do not match the defined criteria. 
    • Headers remain in tact for the defined subnets, while removing them for all other requests. In the case of Example A, for instance, the headers are removed for all requests not pertaining to the 1.2.3.0/24 subnet. The script from Example A also only affects traffic between 1 source and 1 destination, whereas Example B affects multiple.
  • The source and destination conditions should be modified as needed.
  • To verify correct behavior after applying the above scripts, collect a proxy packet capture (Maintenance  >Service Information > Packet Captures) and review packets to determine if the headers in question were retained or removed per policy.
  • Also, keep in mind that SSL Interception (decryption) may affect the behavior of the script.