We have been using several squid servers in accelerator mode for a number of 
years, mainly for load balancing to send public requests to backend servers. 
The requests to the squids typically come via a well-known commercial caching 
service. The squids don't do any caching, they just forward requests to the 
backend. 

Recently the vulnerability scanner that we use changed a plugin from Info level 
to Moderate for reverse proxy detection.  We need to mitigate this so the 
vulnerability scanner doesn't flag for the reverse proxy detection. 

On a non-production server I added the following. This seems to mitigate the 
vulnerability in the eyes of the scanner. (I may be able to get away with not 
including the X-Cache-Lookup line and still fix the issue.)

via off
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all

This removes the headers for both the outgoing traffic to the Internet and the 
backend traffic to the webservers. I have not seen any operational impact of 
doing this, but wanted to get some feedback on if there is a better way to fix 
this issue and if I am missing any possible implications.

Also, does the following have the same effect as "via off"?
reply_header_access Via deny all

 
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
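
One way to confirm a change like the one in the post, as an added example that is not part of the original message: parse captured message heads from both sides of the proxy and list any of the three headers named above (Via, X-Cache, X-Cache-Lookup) that remain. reply_header_access rules apply to replies only, so the request forwarded to the backend is checked separately. The host names and all sample messages are constructed for illustration.

```python
# Added example: find the proxy-revealing headers named in the post in a
# captured HTTP message head. All sample messages below are constructed.
PROXY_HEADERS = {"via", "x-cache", "x-cache-lookup"}

def parse_head(raw):
    """Return (start_line, [(name, value), ...]) from a raw message head."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        if line[0] in " \t" and headers:  # obsolete folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def proxy_disclosures(raw):
    """List the (name, value) pairs that reveal an intermediary proxy."""
    _, headers = parse_head(raw)
    return [(n, v) for n, v in headers if n.lower() in PROXY_HEADERS]

# Constructed reply as an Internet client would see it before the change.
REPLY_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Via: 1.1 proxy1.example.net (squid)\r\n"
    "X-Cache: MISS from proxy1.example.net\r\n"
    "X-Cache-Lookup: MISS from proxy1.example.net:80\r\n"
    "\r\n"
)
# Constructed reply after the change: none of the three headers remain.
REPLY_AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
# Constructed request as a backend might log it, still carrying Via.
REQUEST_TO_BACKEND = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.net\r\n"
    "Via: 1.1 proxy1.example.net (squid)\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("reply before", REPLY_BEFORE),
                       ("reply after", REPLY_AFTER),
                       ("request to backend", REQUEST_TO_BACKEND)):
        found = [name for name, _ in proxy_disclosures(raw)]
        print(f"{label}: {found or 'no proxy headers'}")
```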
