Which features of HTTP/1.1 does the Smoothwall UTM / SWG support?

Article #: 2731
Product: UTM / SWG
Castle: HTTP/1.1 - Leeds

Remove “Upgrade” header

The filtering engine now strips headers related to protocol upgrades, and removes ‘Alt-Svc’ and ‘Alternate response’ headers from responses. If you implement decrypt and inspect on the Smoothwall, this stops clients upgrading to QUIC or HTTP/2, for example. We recommend that UDP ports 80 and 443 are also blocked on the firewall, to ensure the protocol falls back to TCP.

Via Header

The web filter now inserts a “Via” header into the web request to identify itself as a proxy. This can be turned off in the advanced web proxy settings if inserting this header stops a website from working.

Support for chunked encoding

The web filter now supports chunked Transfer-Encoding.

Support for Expect: 100-continue header

The web filter now provides support for the Expect: 100-continue header. As a consequence, the option to configure HTTP strict mode behaviour has been removed as it is no longer needed.

Managing content encodings

The web filter now manages content encodings, which ensures it is able to examine and modify content even when content encoding is used.

Honour incoming X-Forwarded-For header

This is enabled on the Web proxy > Web proxy > Settings page under Advanced settings. It is intended for deployments where a downstream proxy or load balancer can insert an X-Forwarded-For header and you want the Smoothwall to use the IP address it contains for client identification.
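The sketch below is an added illustration, not Smoothwall code, of the trust decision behind honouring X-Forwarded-For: any client can write this header itself, so it is used only when the connection arrives from a known downstream proxy. The names TRUSTED_PROXIES and client_ip and all addresses are assumptions constructed for the example.

```python
import ipaddress

# Assumption: the downstream proxies / load balancers allowed to supply
# X-Forwarded-For. Constructed sample range, not a Smoothwall default.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address to use for client identification.

    peer_addr  -- source address of the TCP connection
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # A peer that is not a known proxy may have written the header itself,
    # so the header is ignored and the TCP peer is the client.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not one of our own proxies. Anything further
    # left was supplied by that hop and cannot be verified.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            return str(peer)  # malformed entry: fall back to the TCP peer
        if not _is_trusted(hop):
            return str(hop)
    return str(peer)  # every listed hop was a trusted proxy


if __name__ == "__main__":
    # Constructed cases: (TCP peer, X-Forwarded-For value)
    cases = [
        ("192.168.1.50", "10.9.9.9"),            # direct client, forged header
        ("10.0.0.2", "192.168.1.50"),            # via the load balancer
        ("10.0.0.2", "1.2.3.4, 192.168.1.50"),   # client forged the left entry
        ("10.0.0.2", "192.168.1.50, 10.0.0.3"),  # two trusted proxies in chain
    ]
    for peer, xff in cases:
        print(f"{peer:<14} {xff:<26} -> {client_ip(peer, xff)}")
```

In every constructed case the result is 192.168.1.50: the forged entries are discarded because only the rightmost address not belonging to a trusted proxy is used.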

Known Issues / Limitations

Pipelining is not supported - the requests are serialized.

Sites such as https://uk.movies.yahoo.com/ and https://www.flickr.com/ do not work with the Via header enabled. For these sites to work, add them to a ‘Do not inspect’ policy, or turn off the Via header in the advanced web proxy settings.

Attribution:

Last updated: Author: Contributions by:
10 October 2017 Tanja Erhardt