Barracuda NextGen Firewall X

Websites are directly reachable but not via the HTTP proxy

  • Type: Knowledgebase
  • Date changed: one year ago

Solution #00005582


Scope:
This solution applies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x


Symptoms:
Websites may be reachable directly but not via the HTTP proxy. The site does not load when the HTTP proxy is used.


Solution:
Some web servers do not accept anonymized HTTP requests from proxies. The NG Firewall HTTP proxy uses the option "forwarded_for" to add the "X-Forwarded-For" entry to the HTTP header in order to anonymize the HTTP request. If this entry has the value "unknown", the web server may block the request. To grant access to this web server, you must enable Client IP forwarding or delete the whole "X-Forwarded-For" entry from the HTTP header.
 
You can configure "forwarded_for" under "HTTP Proxy Settings" > "Advanced" > "Advanced squid.conf Entries" (this requires the "advanced view" of NG Admin to be enabled).

 

forwarded_for on ............ add the "real client IP" as value to the HTTP header

forwarded_for off ........... add "unknown" as value to the HTTP header

forwarded_for delete ........ delete the "X-Forwarded-For" entry in the HTTP header

forwarded_for transparent ... will not alter the "X-Forwarded-For" entry in the HTTP header in any way

forwarded_for truncate ...... remove all existing "X-Forwarded-For" entries and place itself as the sole entry


Barracuda recommends the option "delete" to keep anonymity. If you use the "normal" engine in NG Firewall 4.2.x, you must use the option "off".

 

Note:

The values "delete", "transparent" and "truncate" are only available for the squid3 engine, which is the default in NG Firewall 5.0.x and 5.2.x.
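
The following Python sketch is an added example, not part of the Barracuda article: it models how each "forwarded_for" value changes the "X-Forwarded-For" header that the web server receives, and flags which settings send "unknown" or disclose the internal client IP. The function names and the sample address 10.0.0.23 are assumptions; the "truncate" result (client IP as sole entry) and the list-append handling for "on"/"off" follow Squid's squid.conf documentation.

```python
"""Model of how Squid's forwarded_for modes rewrite X-Forwarded-For (illustrative)."""

MODES = ("on", "off", "delete", "transparent", "truncate")


def outgoing_xff(mode, client_ip, incoming=None):
    """Return the X-Forwarded-For value sent upstream, or None if the header is absent.

    mode      -- forwarded_for setting from squid.conf
    client_ip -- address of the client connecting to the proxy
    incoming  -- X-Forwarded-For value already present in the client's request, if any
    """
    if mode not in MODES:
        raise ValueError(f"unknown forwarded_for mode: {mode!r}")
    if mode == "delete":
        return None                      # header removed entirely
    if mode == "transparent":
        return incoming                  # passed through untouched
    if mode == "truncate":
        return client_ip                 # existing entries dropped, client IP only
    # "on" and "off" extend whatever list the request already carried
    # (assumption of this model, following Squid's list-append behaviour).
    entry = client_ip if mode == "on" else "unknown"
    return f"{incoming}, {entry}" if incoming else entry


def review(mode, client_ip, incoming=None):
    """Summarise what the origin server sees and the trade-off for each mode."""
    value = outgoing_xff(mode, client_ip, incoming)
    entries = [e.strip() for e in value.split(",")] if value else []
    return {
        "header": value,
        "discloses_client_ip": client_ip in entries,
        "sends_unknown": "unknown" in entries,   # the value some web servers block
    }


if __name__ == "__main__":
    # Constructed sample: internal client 10.0.0.23, no pre-existing header.
    for mode in MODES:
        print(f"forwarded_for {mode:<12}", review(mode, "10.0.0.23"))
```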