Cisco Cisco Web Security Appliance S360 故障排查指南

Why am I getting "Bad Request (Request Header Too Long)" error when going through the Cisco Web
Security appliance (WSA)?

Environment:

Cisco Web Security Appliance (WSA) any AsyncOS version

The error "Bad Request (Request Header Too Long)" is seen when the HTTP request header exceeds the
"header size limit" set on the destination server.

Normal HTTP requests don't hit this limit. However in certain cases, like the destination server requiring
authentication, the HTTP request header may grow, approaching the limit set on the destination server. If the
HTTP request header exceeds the header size configured on the destination server, then the server will send
"Bad Request (Request Header Too Long)" HTTP response.

When going through the WSA, WSA will add additional headers, such as "Via" header, to the HTTP request.
The headers added by WSA are typically optional HTTP headers which comply with HTTP RFC. On rare
occasions, the extra header which the proxy adds may cause the header limit to be exceeded on destination
server side.

The "Via" header can be disabled on our Web Security Appliance (WSA) from the Web GUI under:

"Security Services" > "Web Proxy" > "Edit Settings"

• 

Under "Headers ..", set the option to "Do not Send" for Via headers

• 

In AsyncOS versions 7.5 and above, we specifically disable the just the "Request Side VIA:" header which
would be sent to the destination servers.

Typically, the header size limit should also be configurable on the web server.

Configuration guide for changing the limit on IIS server: http://support.microsoft.com/kb/955585

Updated: Aug 12, 2014

Document ID: 118230