Fireware “How To”
HTTP
How do I allow access to web sites with a missing Content Type?
Introduction
The HTTP proxy is a high performance content filter. It examines web traffic to identify suspicious content that can
be a virus, spyware, or another type of intrusion. It can also protect your web server from attacks from the external
network.
When a web server sends HTTP traffic, the RFCs require that the server adds a MIME type to the response before the
data is sent. The HTTP header Content-Type: in the data stream contains this MIME type. When you configure the
HTTP proxy, you set rules that look for the content type (MIME type) in HTTP response headers.
By default, the Firebox® denies MIME content that has no specified content type. Some web servers supply incorrect
MIME types to get around content rules. Some servers are misconfigured and do not send the Content-Type header
at all, or send the header with no parameter. When a user tries to get access to a site with an empty or missing
Content-Type header, this is what appears in the browser:
Response denied by WatchGuard HTTP proxy.
Reason: header 'Content-Type' denied rule='Default' value='(missing)'
We recommend that you keep this default proxy setting. Sites that do not supply legitimate MIME types in their
HTTP responses do not follow RFC recommendations and could pose a security risk. However, some organizations
need their employees to get access to web sites that do not have a specified content type. To enable this access, you
change one of the default settings in the HTTP proxy.
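The cases described above (MIME type present, header not sent, header sent with no parameter) can be checked against captured responses before you change the proxy action. This is an added example, not WatchGuard code and not the Firebox's matching logic; the function names, host names and sample responses are constructed for illustration.

```python
# Added example, not WatchGuard code. Names are hypothetical and the
# sample responses below are constructed for illustration.

def content_type_status(raw_response: bytes) -> str:
    """Return 'missing', 'empty', 'malformed', or the lower-cased MIME type."""
    # Only the header block counts; a Content-Type string in the body is ignored.
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    values = []
    for line in head.split("\r\n")[1:]:      # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":  # names are case-insensitive
            values.append(value.strip())
    if not values:
        return "missing"                     # header not sent at all
    # Parameters such as charset follow ';' and are not part of the MIME type.
    mime = values[0].split(";", 1)[0].strip().lower()
    if not mime:
        return "empty"                       # header sent with no parameter
    type_, slash, subtype = mime.partition("/")
    if not (type_ and slash and subtype):
        return "malformed"                   # not of the form type/subtype
    return mime


def hosts_without_type(responses: dict) -> list:
    """Hosts whose response has a missing or empty Content-Type header."""
    return sorted(h for h, raw in responses.items()
                  if content_type_status(raw) in ("missing", "empty"))


# Constructed sample responses keyed by constructed host names.
SAMPLES = {
    "ok.example": b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html></html>",
    "nohdr.example": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
    "blank.example": b"HTTP/1.1 200 OK\r\ncontent-type:\r\n\r\nhello",
    "body.example": b"HTTP/1.1 200 OK\r\nServer: demo\r\n\r\nContent-Type: text/plain",
    "odd.example": b"HTTP/1.1 200 OK\r\nContent-Type: html\r\n\r\n<html></html>",
}

if __name__ == "__main__":
    for host, raw in SAMPLES.items():
        print(f"{host:15} {content_type_status(raw)}")
    print("missing or empty:", hosts_without_type(SAMPLES))
```

The hosts returned by `hosts_without_type` are the ones affected by the default rule; a short list is a reason to prefer a narrowly scoped policy over enabling the setting for all destinations.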
Is there anything I need to know before I start?
You must make sure that you change the proxy configuration of the correct policy or policies. You can apply the
change to any policy that uses an HTTP client proxy action. This could be an HTTP proxy policy, or the Outgoing policy (which also applies an HTTP client proxy action).
Configuring the HTTP proxy to allow content type ‘missing’
1. From Fireware® Policy Manager, double-click the HTTP proxy icon.
2. Select the Properties tab.
3. From the Proxy action drop-down menu, select the appropriate outgoing client action.
4. Click the edit icon.
5. In the Edit Proxy Action Configuration window, select Content Types from the Categories menu.
6. Click the Change View button.
7. Select the check box to enable the Allow (none) rule.
8. Click OK and save the new configuration file.
Frequently Asked Questions About This Procedure
I do not want to allow all web sites with missing content type. But there is one site I must allow. What can I do?
At this time, there is no way to create exceptions in a proxy action for individual sites. Instead, you can create a separate policy that allows access To: only specific sites.
When you limit the To field in a policy to a particular IP address, the policy has higher precedence than a policy that
allows connections To “Any” or “Any-External”. You change the default setting to allow missing content types in this
policy that has higher precedence. Then, this policy only applies for connections To the IP addresses specified. Other
connections “skip” this policy and will use HTTP policies with lower precedence. You leave the default setting in these
policies.
SUPPORT: www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
COPYRIGHT © 2006 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, the WatchGuard logo, Firebox, and Core are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.