[squid-users] Reverse Proxy Detected

creditu at eml.cc creditu at eml.cc
Wed Jul 31 21:41:24 UTC 2019


We have been using several squid servers in accelerator mode for a number of years mainly for load balancing to send public requests to backend servers.  The requests to the squids typically come via a well known commercial  caching service.   The squids don't do any caching, they just forward requests to the backend. 

Recently the vulnerability scanner that we use changed a plugin from Info level to Moderate for reverse proxy detection.  We need to mitigate this so the vulnerability scanner doesn't flag for the reverse proxy detection. 

On a non-production server I added the following.  This seems to mitigate the vulnerability in the eyes of the scanner.  (I may be able to get away with not including the X-Cache-Lookup  line and still fix the issue.)  

via off
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all

This removes the headers for both the outgoing traffic to the Internet and the backend traffic to the webservers.  I have not seen any operational impact of doing this, but wanted get some feedback on if there is a better way to fix this issue and if I am missing any possible implications.

Also, does the following have the same effect as "via off"?
reply_header_access Via deny all

 


More information about the squid-users mailing list