http_proxy
You can set the various parameters for the HTTP proxy.
Note
If you set different minimum versions for the captive portal and web proxy using the command-line console, the web admin console shows only the minimum TLS version for the proxy. It also shows a warning that the minimum TLS versions for the captive portal and web proxy don't match.
Command
set http_proxy
Syntax
set http_proxy
add_via_header [on | off]
block_proxy_loop [on | off]
captive_portal_tlsv1_0 [on | off]
captive_portal_tlsv1_1 [on | off]
captive_portal_x_frame_options [on | off]
client_timeout <1-2147483647> [default]
connect_timeout <1-2147483647> [default]
core_dump [on | off]
disable_tls_url_categories [on | off]
proxy_tlsv1_0 [on | off]
proxy_tlsv1_1 [on | off]
relay_invalid_http_traffic [on | off]
response_timeout <1-2147483647> [default]
tlsciphers_server [cipher string]
tunnel_timeout <1-2147483647> [default]
Options
add_via_header [on | off]-
Add or remove the Via header for traffic that passes through the proxy. The Via header (RFC 7230) records each proxy a message has passed through; it is used for tracking message forwards, detecting request loops, and identifying the protocol capabilities of senders along the request and response chain.
block_proxy_loop [on | off]-
Turn proxy loop blocking on or off. A proxy loop occurs when a request is forwarded back to a proxy it has already passed through, for example when the proxy forwards the request to itself or when two proxies forward to each other. When you turn on block_proxy_loop, the firewall drops a request when it detects duplicate Via header values in it. To trace proxy loop logs, make sure block_proxy_loop is turned on and that the awarrenhttp service is in debug mode. Debug mode is turned off by default. Turning it on impacts performance, so turn it on only for troubleshooting.
When a proxy loop is detected, the awarrenhttp.log file shows the message "Duplicate Via header values, proxy loop".
captive_portal_tlsv1_0 [on | off]-
Allow or deny connections using TLS 1.0 to the captive portal.
We don't recommend using TLS 1.0 because it isn't secure. This should only be turned on if you require it for a specific business need.
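The loop check that add_via_header and block_proxy_loop describe, as an added example. This is illustrative code written for this page, not the firewall's awarrenhttp implementation: the proxy pseudonym fw-proxy, the sample requests and the header-dict interface are assumptions, and the only string taken from the page is the log message. The proxy appends its own Via entry and then drops the request if any received-by value appears twice, which is exactly what happens when a request it already forwarded comes back to it.

```python
import re

# Hypothetical pseudonym this proxy writes into Via (not from the page).
PROXY_PSEUDONYM = "fw-proxy"

# Log line the page says awarrenhttp.log shows when a loop is detected.
LOOP_LOG_MESSAGE = "Duplicate Via header values, proxy loop"

# Constructed sample requests (header dicts), not captured from a firewall.
FRESH_REQUEST = {"Host": "www.example.com"}
UPSTREAM_REQUEST = {
    "Host": "www.example.com",
    "Via": "1.0 fred, 1.1 p.example.net (Apache/2.4)",
}


def parse_via(value):
    """Split a Via field value into (received-protocol, received-by) pairs.

    RFC 7230: Via = 1#( received-protocol RWS received-by [ RWS comment ] ).
    Comments are stripped first so a comma inside "(...)" cannot split an
    entry. Pseudonyms/hosts are compared case-insensitively, so received-by
    is lower-cased.
    """
    stripped = re.sub(r"\s*\([^)]*\)", "", value)
    entries = []
    for element in stripped.split(","):
        if not element.strip():
            continue  # tolerate an empty element such as a trailing comma
        parts = element.split()
        if len(parts) != 2:
            raise ValueError(f"malformed Via element: {element!r}")
        protocol, received_by = parts
        entries.append((protocol, received_by.lower()))
    return entries


def has_duplicate_via(value):
    """True if the same received-by appears more than once: the request has
    already passed through that hop, which is what the firewall treats as a loop."""
    seen = set()
    for _protocol, received_by in parse_via(value):
        if received_by in seen:
            return True
        seen.add(received_by)
    return False


def proxy_pass(headers, add_via_header=True, block_proxy_loop=True):
    """Apply the two settings to one request and return what the proxy does.

    Returns a dict: action is "forward" (with the outgoing headers) or "drop"
    (with the log message). The Via entry is appended before the loop check,
    so a request that comes back to this proxy now carries PROXY_PSEUDONYM
    twice and is dropped. The input dict is not modified.
    """
    out = dict(headers)
    if add_via_header:
        own = f"1.1 {PROXY_PSEUDONYM}"
        out["Via"] = f"{out['Via']}, {own}" if out.get("Via") else own
    if block_proxy_loop and out.get("Via") and has_duplicate_via(out["Via"]):
        return {"action": "drop", "headers": None, "log": LOOP_LOG_MESSAGE}
    return {"action": "forward", "headers": out, "log": None}


if __name__ == "__main__":
    first = proxy_pass(FRESH_REQUEST)        # forwarded, Via added
    looped = proxy_pass(first["headers"])    # same request comes back: dropped
    print(first["action"], first["headers"]["Via"])
    print(looped["action"], looped["log"])
```

With block_proxy_loop turned off the looped request is forwarded again, Via growing by one entry per pass; that is the behaviour the option exists to stop.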
captive_portal_tlsv1_1 [on | off]-
Allow or deny connections using TLS 1.1 to the captive portal.
We don't recommend using TLS 1.1 because it isn't secure. This should only be turned on if you require it for a specific business need.
captive_portal_x_frame_options [on | off]-
Turn the X-Frame-Options header on or off for captive portal traffic. X-Frame-Options (XFO) is an HTTP response header, also referred to as an HTTP security header, that has existed since 2008. In 2013 it was published as RFC 7034, an informational RFC rather than an internet standard. The header tells the browser whether it may render the page inside a frame. It was introduced to protect against clickjacking by refusing to render the page in a frame on another site. See RFC 7034.
client_timeout <1-2147483647> [default]-
Sets the timeout in seconds for clients with established connections via the proxy. The available values are 1 to 2147483647. Default is 60.
connect_timeout <1-2147483647> [default]-
Sets the timeout value in seconds for connections attempting to be made via the proxy. Available values are 1 to 2147483647. Default is 60.
core_dump [on | off]-
Determines whether a coredump file will be created if the proxy encounters an error and crashes. Coredump files can help troubleshoot issues.
disable_tls_url_categories [on | off]-
Turn category lookup on or off for SSL/TLS inspection rules. If disable_tls_url_categories is on, traffic isn't categorized during the TLS handshake. This affects which SSL/TLS inspection rule is chosen: only rules with Categories and websites set to ANY can match. For example, if there's no SSL/TLS inspection rule with Categories and websites set to ANY, no rule is matched while disable_tls_url_categories is on, and the default behavior applies. The setting also affects any web policy applied to the traffic: the traffic is uncategorized when a web policy is applied during the TLS handshake. The disable_tls_url_categories setting doesn't affect the categorization of URLs for HTTP or decrypted HTTPS traffic, because the full request contents are visible in those cases.
proxy_tlsv1_0 [on | off]-
Allow or deny connections using TLS 1.0 through the proxy when HTTPS is decrypted.
We don't recommend using TLS 1.0 because it isn't secure. This should only be turned on if you require it for a specific business need.
proxy_tlsv1_1 [on | off]-
Allow or deny connections using TLS 1.1 through the proxy when HTTPS is decrypted.
We don't recommend using TLS 1.1 because it isn't secure. This should only be turned on if you require it for a specific business need.
relay_invalid_http_traffic [on | off]-
Determines whether non-HTTP traffic sent over HTTP ports is relayed or dropped by the proxy. Some applications send traffic over ports normally used by HTTP (80 and 443). In these instances, the proxy may not be able to handle the traffic, which can cause issues. If this is the case, we advise bypassing the proxy for this traffic.
response_timeout <1-2147483647> [default]-
Sets the timeout in seconds that the proxy waits for a response from a new connection before the connection is terminated. Available values are 1 to 2147483647. Default is 60.
tlsciphers_server [cipher string]-
Sets the supported ciphers for both the captive portal and the proxy. This is specified in OpenSSL cipher string format.
Example:
HIGH:!RC4:!MD5:!aNULL
tunnel_timeout <1-2147483647> [default]-
Sets the timeout in seconds that the proxy waits for a response while setting up an HTTPS connection. Available values are 1 to 2147483647. Default is 300.
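A way to check what a tlsciphers_server cipher string and the proxy_tlsv1_0 / proxy_tlsv1_1 toggles actually allow before committing them, as an added example. This is code written for this page, not the firewall's own configuration logic: it asks the local OpenSSL (through Python's ssl module) to expand the page's example string into the suites it would offer and flags anything RC4-, MD5- or anonymous-based that slipped through. The mapping of the two version toggles to a single minimum version, and the list of forbidden name fragments, are assumptions of this example.

```python
import ssl

# Cipher string from the page's tlsciphers_server example.
PAGE_CIPHER_STRING = "HIGH:!RC4:!MD5:!aNULL"

# Name fragments that must not appear in an offered suite if the policy holds.
# "ADH-" and "AECDH-" are OpenSSL's anonymous (aNULL) suites; "NULL" catches
# eNULL suites. Constructed for this example, not a list from the page.
FORBIDDEN_FRAGMENTS = ("RC4", "MD5", "NULL", "ADH-", "AECDH-")


def minimum_tls_version(proxy_tlsv1_0=False, proxy_tlsv1_1=False):
    """Map the page's two toggles to the lowest protocol version allowed.

    Assumption: OpenSSL expresses the policy as one minimum version, so
    allowing TLS 1.0 necessarily allows TLS 1.1 as well. With both toggles
    off (the recommended state) the minimum is TLS 1.2.
    """
    if proxy_tlsv1_0:
        return ssl.TLSVersion.TLSv1
    if proxy_tlsv1_1:
        return ssl.TLSVersion.TLSv1_1
    return ssl.TLSVersion.TLSv1_2


def build_context(cipher_string, proxy_tlsv1_0=False, proxy_tlsv1_1=False):
    """Build an SSLContext the way the three settings describe.

    Returns None if OpenSSL rejects the cipher string, which happens when
    the string selects no cipher at all (for example a typo like "HIGH:!ALL").
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum_tls_version(proxy_tlsv1_0, proxy_tlsv1_1)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return ctx


def offered_suites(cipher_string):
    """Expand a cipher string into the suite names OpenSSL would offer.

    TLS 1.3 suites are always present because set_ciphers() only governs
    TLS 1.2 and earlier; that is fine, none of them use RC4, MD5 or aNULL.
    """
    ctx = build_context(cipher_string)
    if ctx is None:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def audit_cipher_string(cipher_string):
    """Return the suites a string offers and the ones violating the policy."""
    names = offered_suites(cipher_string)
    violations = [n for n in names if any(f in n for f in FORBIDDEN_FRAGMENTS)]
    return {"offered": names, "violations": violations}


if __name__ == "__main__":
    report = audit_cipher_string(PAGE_CIPHER_STRING)
    print(f"{len(report['offered'])} suites offered, "
          f"{len(report['violations'])} policy violations")
    for name in report["offered"]:
        print(" ", name)
```

Run it on the candidate string before applying it with set http_proxy tlsciphers_server: an empty offered list means OpenSSL rejected the string outright, and a non-empty violations list means the exclusions are not doing what was intended. The exact suites printed depend on the OpenSSL build on the machine running the check, not on the firewall's.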