Re: [squid-users] x-forwarded-for Fail

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 10 Oct 2013 16:35:48 +1300

On 10/10/2013 9:05 a.m., Will Roberts wrote:
> I'm sure it wasn't malicious. That tool was put up in 2003. At some
> point in the past 10 years he probably put a reverse proxy in front of
> his site. Maybe you should email him and tell him he's broken his
> header tool.

But ... has he actually broken it? Or is the breakage something deeper,
like the assumption that it can be done at all?

All such online header tools are really only delivering a report of the
headers which reached them. None of them have ever displayed "The
Truth"(tm). The internals of the browser itself contain a set of layers
doing header additions and changes. The same is (supposed to be) true of
every extra layer of software proxies across the network.

This case is a great example of how no matter what header manipulation
you do in your own proxy it cannot change what others are doing to the
traffic elsewhere. The CDN he uses is adding its own X-Forwarded-* headers.
Your own upstream provider might add the X-Forwarded-For header adding
details about you. Every proxy along the way removes existing hop-by-hop
headers and adds new ones.

One interesting case here is that if you add X-Forwarded-For on your
requests, does that value show up at his end?

Amos
Received on Thu Oct 10 2013 - 03:36:00 MDT
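
Added example, not part of the original message: a simplified Python model of a request crossing several forwarding layers, showing that the X-Forwarded-For value a header-report page receives is the product of every hop rather than of your own proxy alone. The mode names follow the values of Squid's forwarded_for directive; the addresses (documentation ranges), the chain and the function names are constructed for illustration.

```python
XFF = "X-Forwarded-For"

# Constructed addresses, not taken from the thread.
CLIENT, OWN_PROXY = "192.0.2.10", "198.51.100.5"
ISP_PROXY, CDN = "198.51.100.77", "203.0.113.20"

def hop(headers, peer_ip, mode="on"):
    """Headers one proxy sends onward; peer_ip is where it saw the request come from.
    Simplified model of forwarded_for: on, off, transparent, truncate, delete."""
    out = dict(headers)
    prior = [v.strip() for v in out.get(XFF, "").split(",") if v.strip()]
    if mode == "on":            # append the address of the previous hop
        out[XFF] = ", ".join(prior + [peer_ip])
    elif mode == "off":         # append a placeholder instead of the address
        out[XFF] = ", ".join(prior + ["unknown"])
    elif mode == "truncate":    # discard what arrived, keep only the previous hop
        out[XFF] = peer_ip
    elif mode == "delete":      # strip the header entirely
        out.pop(XFF, None)
    elif mode != "transparent": # transparent passes the header through untouched
        raise ValueError("unknown mode: " + mode)
    return out

def through_chain(headers, client_ip, chain):
    """chain is a list of (proxy_ip, mode) in request order.
    Returns (headers reaching the origin, peer address the origin sees)."""
    peer = client_ip
    for proxy_ip, mode in chain:
        headers = hop(headers, peer, mode)
        peer = proxy_ip
    return headers, peer

if __name__ == "__main__":
    # Your own proxy deletes the header, yet later hops add it back.
    seen, peer = through_chain({}, CLIENT,
        [(OWN_PROXY, "delete"), (ISP_PROXY, "on"), (CDN, "on")])
    print("own proxy deletes :", seen.get(XFF), "| TCP peer:", peer)

    # A value supplied by the client survives hops that only append.
    seen, _ = through_chain({XFF: "10.9.8.7"}, CLIENT,
        [(OWN_PROXY, "on"), (ISP_PROXY, "on"), (CDN, "on")])
    print("client-supplied   :", seen.get(XFF))

    # One truncating hop in the middle erases everything upstream of it.
    seen, _ = through_chain({XFF: "10.9.8.7"}, CLIENT,
        [(OWN_PROXY, "on"), (ISP_PROXY, "truncate"), (CDN, "on")])
    print("mid-chain truncate:", seen.get(XFF))
```

In this model the only value the origin can observe directly is the TCP peer; every entry in the header is whatever the hops before it chose to write, keep or drop.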
