Hi,
On Fri, May 23, 2008 at 9:27 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
> request_header_access X-Forwarded-For deny all
>
> Note mixed-case HTTP name, not the PHP internal variable name.
>
The problem is, I do want "X-Forwarded-For", if it is added by my
squid, but not client. Since I can trust my squid but not my client.
If setting the "request_header_access X-Forwarded-For deny all", my
PHP even cannot get the "unknown" value even if I am using
"forwarded_for on"
Btw, If I use Firefox Modify Header to add my custom "X_FORWARDED_FOR"
(note the case), my PHP can still get the "HTTP_X_FORWARDED_FOR"
header, maybe this is a potential security hole?
Howard
Received on Fri May 23 2008 - 14:41:49 MDT
This archive was generated by hypermail 2.2.0 : Tue Aug 05 2008 - 01:05:14 MDT