Remove “Upgrade” header
The filtering engine now strips headers related to protocol upgrades, and removes ‘Alt-Svc’ and ‘Alternate response’ headers from responses. This stops clients from upgrading to QUIC or HTTP/2, for example, if you implement decrypt and inspect on the Smoothwall. We recommend that UDP ports 80 and 443 are also blocked on the firewall, to ensure the protocol falls back to TCP.
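The header stripping described above, as an added Python sketch that is not Smoothwall code. It covers only the `Upgrade` and `Alt-Svc` header names from the note (plus the `upgrade` token in `Connection`), and `upgrade_adverts` can be used to check a response captured behind the filter. All function names and the sample response are constructed for illustration.

```python
# Added illustration; not Smoothwall code. Names and sample data are constructed.
STRIPPED = {"upgrade", "alt-svc"}  # header names taken from the release note

def split_head(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    fields = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return lines[0], fields, body

def strip_upgrade_adverts(raw: bytes) -> bytes:
    """Rebuild the response without headers that advertise a protocol upgrade."""
    status, fields, body = split_head(raw)
    kept = []
    for name, value in fields:
        lname = name.lower()
        if lname in STRIPPED:
            continue
        if lname == "connection":
            # "Connection: upgrade" refers to the Upgrade header; drop that token only.
            tokens = [t.strip() for t in value.split(",")]
            tokens = [t for t in tokens if t and t.lower() != "upgrade"]
            if not tokens:
                continue
            value = ", ".join(tokens)
        kept.append((name, value))
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in kept])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body

def upgrade_adverts(raw: bytes):
    """Return the header names in a response that still advertise an upgrade."""
    _, fields, _ = split_head(raw)
    return sorted({n.lower() for n, _ in fields if n.lower() in STRIPPED})

# Constructed sample: an origin response advertising HTTP/3 and h2c.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/html\r\n"
          b'Alt-Svc: h3=":443"; ma=86400\r\n'
          b"Upgrade: h2c\r\n"
          b"Connection: keep-alive, Upgrade\r\n"
          b"\r\n<html></html>")

if __name__ == "__main__":
    print("before:", upgrade_adverts(SAMPLE))
    print(strip_upgrade_adverts(SAMPLE).decode("iso-8859-1"))
```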
The web filter now inserts a “via” header into web requests to identify itself as a proxy. This can be turned off in the advanced web proxy settings if inserting this header stops a website from working.
Support for chunked encoding
The web filter now supports chunked Transfer-Encoding.
Support for Expect: 100-continue header
The web filter now provides support for the Expect: 100-continue header. As a consequence, the option to configure HTTP strict mode behaviour has been removed as it is no longer needed.
Managing content encodings
This ensures the web filter is able to examine and modify content even when content encoding is used.
Honour incoming X-Forwarded-For header
This is enabled on the Web proxy > Web proxy > Settings page under Advanced settings. It is intended for deployments where a downstream proxy or load balancer can insert an X-Forwarded-For header and you want to use the IP address it contains for client identification in the Smoothwall.
Known Issues / Limitations
Pipelining is not supported - the requests are serialized.
Sites such as https://uk.movies.yahoo.com/ and https://www.flickr.com/ do not work with the via header enabled. For these sites to work, add them to a ‘Do not inspect’ policy, or turn off the via header in the advanced web proxy settings.