gateway_error - X-BlueCoat-Via header: Are there known issues with removing the X-BlueCoat-Via header?
search cancel

gateway_error - X-BlueCoat-Via header: Are there known issues with removing the X-BlueCoat-Via header?

book

Article ID: 270511

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

User was not able to open <your_url_domain>- SG returned gateway_error

Disabling protocol detection made it work. However, further studies of the challenge revealed the below.

 

Remove X-Bluecoat-Via Header to avoid error - Network Error (gateway_error)

Remove X-Bluecoat-Via Header to avoid error - Network Error (gateway_error)

Additional Doc.: Gateway error linked with flight search

Installed to local policy following CPL:

 

<proxy>

  url.domain="<your_domain>" action.Remove_X-Bluecoat-Via(yes)

  define action Remove_X-Bluecoat-Via

    delete( request.header.X-BlueCoat-Via )

  end

 

and restored access to site work as well, but having SSL interception still in place.

 

In the end I decided to remove X-BlueCoat-Via header completely by CPL code:

 

<proxy>

  action.Remove_X-Bluecoat-Via(yes)

  define action Remove_X-Bluecoat-Via

    delete( request.header.X-BlueCoat-Via )

  end

 

Are there known issues with removing this header?

 

Are there better ways to get rid of X-BlueCoat-Via header than local CPL?

Environment

Release : SG/ASG/ISG

Resolution

The purpose of the ProxySG/Edge SWG sending the X-Bluecoat-Via header is to detect loops in the network. If the proxy receives a request with the exact same X-Bluecoat-Via header that it generates on the server-side then it knows that the request was generated from itself and it will not propagate the request onward.

Ref.: Why the Edge SWG(ProxySG) and Cloud SWG(formally known WSS) send a header "X-Bluecoat-Via:"

The X-Bluecoat-Via Header is used to keep the proxy from inspecting the traffic a second time should a loop in the network path occur.

Now, because some devices can generate errors due to the X-Bluecoat-Via header, it's OK to remove the header, and as guided in the Tech. Article below.

Remove X-Bluecoat-Via Header to avoid error - Network Error (gateway_error)

Also, please note that is part of security practice to restrict information about your internal network from being exposed. It is part of the RFC and thus mandatory for a Proxy Server to insert an X-Bluecoat-Via header so as to advise the receiving server that the request has been proxied. Most likely, this was done so that the server could be notified that a proxy server was used, but in recent times applications are usually proxy-aware and the server does not need this information (and likely this feature was never used.

So, there are no known/documented issues, with removing the X-Bluecoat-Via header.

Additional Ref.: How do I remove the X-BlueCoat-Via header from a request sent from the Edge SWG appliance to the Origin Content Server (OCS)

Powered by Wolken Software