In some cases, you receive a "Forbidden" or "HTTP 403 - Access Forbidden" message for a specific URL when IWSVA is set as the proxy.
This is because Content Cache is enabled in IWSVA. When using Content Cache, the outgoing HTTP request will add a "via" header that the web server does not support, and therefore it sends back the "Forbidden" message.
- Run a packet capture from IWSVA. To do this, go to Administration > Support > Network Packet Capturing tab > Select the correct network interface > Start Capturing > Reproduce the issue > Stop Capturing then download the packet capture.
Enter the following in the Filter:
ip.src == XXXXX
Where XXXXX is the IP address of IWSVA.
- Look for the GET request from IWSVA to the website in question.
- Right click the entry and select Follow TCP stream.
In the "Follow TCP stream" window, look for an entry containing the word "via"
Click image to enlarge
If you find the "via" entry and Content Cache is enabled (HTTP > Configuration > Content Cache), make the following changes:
- SSH to IWSVA.
Do a backup of the following configuration file:
cp /usr/iwss/ats/etc/trafficserver/records.config /usr/iwss/ats/etc/trafficserver/records.config.bak
Edit the original configuration file and set the value of the string below to 0:
CONFIG proxy.config.http.insert_request_via_str INT 0 (Default value is 1)
- Save and exit.
On the IWSVA web console, clear the content cache by going to HTTP > Configuration > Content Cache > Clear cache.Clearing a large cache may take a significant amount of time.