HTTP

Configure > Protocols > HTTP > General

HTTP Proxy Server Port

Specifies the port that Content Gateway uses when acting as a Web proxy server for HTTP traffic or when serving HTTP requests transparently. The default port is 8080.

If you change this option, you must restart Content Gateway.

Secondary HTTP Proxy Server Ports

For explicit proxy configurations only, specifies additional ports on which Content Gateway listens for HTTP traffic.

Transparent proxy configurations always send all HTTP traffic to port 8080.

Unqualified Domain Name Expansion

Enables or disables .com name expansion. When this option is enabled, Content Gateway attempts to resolve unqualified hostnames by redirecting them to the expanded address, prepended with www. and appended with .com. For example, if a client makes a request to company, Content Gateway redirects the request to www.company.com.

If local domain expansion is enabled (see DNS Resolver), Content Gateway attempts local domain expansion before .com domain expansion; Content Gateway tries .com domain expansion only if local domain expansion fails.

Send HTTP 1.1 by Default

Enables the sending of HTTP 1.1 as the first request to the origin server (the default). If the origin server replies with HTTP 1.0, Content Gateway switches to HTTP 1.0 (most origin servers use HTTP 1.1). When disabled, HTTP 1.0 is used in the first request to the origin server. If the origin server replies with HTTP 1.1, Content Gateway switches to HTTP 1.1.

Reverse DNS

Enables reverse DNS lookup when the URL has an IP address (instead of a hostname) and there are rules in filter.config or parent.config. This is necessary when rules are based on destination hostname and domain name.

Tunnel Ports

Specifies the ports on which Content Gateway allows tunneling. This is a space-separated list that also accepts port ranges (e.g. 1-65535).

When SSL is not enabled, all traffic destined for the specified ports is allowed to tunnel to an origin server.

When SSL is enabled, traffic to any port that is also listed in the HTTPS ports field is not tunneled, but is decrypted and filtering policy is applied.

HTTPS ports

When SSL support is enabled, specifies ports on which HTTPS traffic is decrypted and policy is applied. Note that Content Gateway receives HTTPS traffic on the port specified in Configure > Protocols > HTTP > HTTPS Proxy: Server Port.

When SSL support is disabled, traffic to these ports is not decrypted. However, filtering policy is applied based on:

  • Explicit proxy: the server hostname in the CONNECT request.
  • Transparent proxy: the SNI hostname or the server hostname in the server’s certificate. If the hostname in the server’s certificate includes a wildcard (*), the lookup is performed on the destination IP address.
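
The interaction between Tunnel Ports, HTTPS ports and the SSL setting can be modeled as follows. This is an added example, not Content Gateway code: the function names and the sample port lists are constructed, and treating ports in neither list as not tunneled is an assumption drawn from the Tunnel Ports description.

```python
# Added example: a model of the Tunnel Ports / HTTPS ports rules described above.
# Function names and sample port lists are constructed; this is not product code.

def expand(spec):
    """Expand a space-separated list of ports and ranges into a set of ints."""
    ports = set()
    for token in spec.split():
        low, _, high = token.partition("-")
        lo, hi = int(low), int(high or low)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port or range: {token!r}")
        ports.update(range(lo, hi + 1))
    return ports

def handling(port, tunnel_spec, https_spec, ssl_enabled):
    """Classify traffic to `port` under the documented rules."""
    in_https = port in expand(https_spec)
    if in_https and ssl_enabled:
        return "decrypt"            # decrypted, filtering policy applied
    if in_https:
        return "hostname-policy"    # not decrypted, filtered by hostname only
    if port in expand(tunnel_spec):
        return "tunnel"             # passed to the origin server
    return "unlisted"               # assumption: tunneling is not allowed

def undecrypted(tunnel_spec, https_spec, ssl_enabled):
    """Ports that tunnel without decryption: the uninspected surface to review."""
    tunnel = expand(tunnel_spec)
    return tunnel - expand(https_spec) if ssl_enabled else tunnel

if __name__ == "__main__":
    tunnel, https = "1-65535", "443 8443"   # constructed sample settings
    for ssl in (True, False):
        print(f"SSL enabled={ssl}:",
              {p: handling(p, tunnel, https, ssl) for p in (22, 443, 8443)},
              "undecrypted ports:", len(undecrypted(tunnel, https, ssl)))
```

With a Tunnel Ports value of 1-65535, every port outside the HTTPS ports list passes through without content inspection, so the size of the `undecrypted` set is a quick measure of how broad a tunnel configuration is.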

FTP over HTTP: Anonymous Password

Specifies the anonymous password Content Gateway must use for FTP server connections that require a password. This option affects FTP requests from HTTP clients.

FTP over HTTP: Data Connection Mode

An FTP transfer requires two connections: a control connection to inform the FTP server of a request for data and a data connection to send the data. Content Gateway always initiates the control connection. FTP mode determines whether Content Gateway or the FTP server initiates the data connection.

Select PASV then PORT for Content Gateway to attempt PASV connection mode first. If PASV mode fails, Content Gateway tries PORT mode and initiates the data connection. If successful, the FTP server accepts the data connection.

Select PASV only for Content Gateway to initiate the data connection to the FTP server. This mode is firewall friendly, but some FTP servers do not support it.

Select PORT only for the FTP server to initiate the data connection and for Content Gateway to accept the connection.

The default value is PASV then PORT.

Configure > Protocols > HTTP > Privacy

Insert Headers: Client-IP

When enabled, Content Gateway inserts the Client-IP header into outgoing requests to retain the client’s IP address.

This option is mutually exclusive with the Remove Headers: Client-IP option. When Insert Headers: Client-IP is enabled, the Remove Headers: Client-IP option is automatically disabled.

Insert Headers: Client-IP and Remove Headers: Client-IP can both be disabled.

Insert Headers: Via

When enabled, Content Gateway inserts a Via header into the outgoing request. The Via header informs the destination server of proxies through which the request was sent.

Insert Headers: X-Forwarded-For

When enabled, Content Gateway inserts an X-Forwarded-For header into the outgoing request. The X-Forwarded-For value contains the originating IP address.

If enabled, header information is sent only to a configured parent proxy. To send header values for all outbound requests, enable proxy.config.http.insert_xff_to_external.

Remove Headers: Client-IP

When this option is enabled, Content Gateway removes the Client-IP header from outgoing requests to protect the privacy of your users.

This option is mutually exclusive with the Insert Headers: Client-IP option. When Remove Headers: Client-IP is enabled, the Insert Headers: Client-IP option is automatically disabled.

Remove Headers: Client-IP and Insert Headers: Client-IP can both be disabled.

Remove Headers: Cookie

When this option is enabled, Content Gateway removes the Cookie header from outgoing requests to protect the privacy of your users. The Cookie header often identifies the user that makes a request.

Remove Headers: From

When this option is enabled, Content Gateway removes the From header from outgoing requests to protect the privacy of your users. The From header identifies the client’s email address.

Remove Headers: Referer

When this option is enabled, Content Gateway removes the Referer header from outgoing requests to protect the privacy of your users. The Referer header identifies the Web link that the client selects.

Remove Headers: User-Agent

When this option is enabled, Content Gateway removes the User-Agent header from outgoing requests to protect the privacy of your users. The User-Agent header identifies the agent that is making the request, usually a browser.

Remove Headers: Remove Others

Specifies headers other than From, Referer, User-Agent, and Cookie that you want to remove from outgoing requests to protect the privacy of your users.

Use a comma-separated list for multiple entries.

Configure > Protocols > HTTP > Timeouts

See this knowledge base article for a discussion of HTTP timeout options.

Keep-Alive Timeouts: Client

Specifies (in seconds) how long Content Gateway keeps connections to clients open for a subsequent request after a transaction ends. Each time Content Gateway opens a connection to accept a client request, it handles the request and then keeps the connection alive for the specified timeout period. If the client does not make another request before the timeout expires, Content Gateway closes the connection. If the client does make another request, the timeout period starts again.

The client can close the connection at any time.

Keep-Alive Timeouts: Origin Server

Specifies (in seconds) how long Content Gateway keeps connections to origin servers open for a subsequent transfer of data after a transaction ends. Each time Content Gateway opens a connection to download data from an origin server, it downloads the data and then keeps the connection alive for the specified timeout period. If Content Gateway does not need to make a subsequent request for data before the timeout expires, it closes the connection. If it does, the timeout period starts again.

The origin server can close the connection at any time.

Inactivity Timeouts: Client

Specifies how long Content Gateway keeps connections to clients open if a transaction stalls. If Content Gateway stops receiving data from a client or the client stops reading the data, Content Gateway closes the connection when this timeout expires.

The client can close the connection at any time.

Inactivity Timeouts: Origin Server

Specifies how long Content Gateway keeps connections to origin servers open if the transaction stalls. If Content Gateway stops receiving data from an origin server, it does not close the connection until this timeout has expired.

The origin server can close the connection at any time.

Active Timeouts: Client

Specifies how long Content Gateway remains connected to a client. If the client does not finish making a request (reading and writing data) before this timeout expires, Content Gateway closes the connection.

The default value of 0 (zero) specifies that there is no timeout.

The client can close the connection at any time.

Active Timeouts: Origin Server Request

Specifies how long Content Gateway waits for fulfillment of a connection request to an origin server.

If Content Gateway does not establish a connection to an origin server before the timeout expires, Content Gateway terminates the connection request.

The default value of 0 (zero) specifies that there is no timeout.

The origin server can close the connection at any time.

Active Timeouts: Origin Server Response

Specifies how long Content Gateway waits for a response from the origin server.

FTP Control Connection Timeout

Specifies how long Content Gateway waits for a response from an FTP server. If the FTP server does not respond within the specified time, Content Gateway abandons the client’s request for data. This option affects FTP requests from HTTP clients only.

The default value is 300.