[squid-users] Reverse Proxy Detected
creditu at eml.cc
creditu at eml.cc
Wed Jul 31 21:41:24 UTC 2019
We have been using several squid servers in accelerator mode for a number of years mainly for load balancing to send public requests to backend servers. The requests to the squids typically come via a well known commercial caching service. The squids don't do any caching, they just forward requests to the backend.
Recently the vulnerability scanner that we use changed a plugin from Info level to Moderate for reverse proxy detection. We need to mitigate this so the vulnerability scanner doesn't flag for the reverse proxy detection.
On a non-production server I added the following. This seems to mitigate the vulnerability in the eyes of the scanner. (I may be able to get away with not including the X-Cache-Lookup line and still fix the issue.)
via off
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
This removes the headers for both the outgoing traffic to the Internet and the backend traffic to the webservers. I have not seen any operational impact of doing this, but wanted get some feedback on if there is a better way to fix this issue and if I am missing any possible implications.
Also, does the following have the same effect as "via off"?
reply_header_access Via deny all
More information about the squid-users
mailing list