Re: [squid-users] x-forwarded-for Fail

From: <>
Date: Wed, 09 Oct 2013 21:53:04 -0700

On Wed, Oct 9, 2013, at 20:35, Amos Jeffries wrote:
> All such online header tools are really only delivering a report of the
> headers which reached them. None of them have ever displayed "The
> Truth"(tm). The internals of the browser itself contains a set of layers
> doing header additions and changes. The same is (supposed to be) true of
> every extra layer of software proxies across the network.

I just can't believe that someone would just keep a lying tool up.
Maybe I'll send him an email.

> This case is a great example of how no matter what header manipulation
> you do in your own proxy it cannot change what others are doing to the
> traffic elsewhere. The CDN he uses adding its own X-Forwarded-* headers.
> Your own upstream provider might add the X-Forwarded-For header adding
> details about you. Every proxy along the way removes existing hop-by-hop
> headers and adds new ones.

Crumcast shouldn't be manipulating my HTML headers; that would cost too

> One interesting case here is that if you add X-Forwarded-For on your
> requests, does that value show up at his end?

I did try setting it to, but it didn't fool him.

Interestingly I run NoScript and have all scripting turned off for his
site, yet he still comes up with my IP. Hm, maybe Crumcast is narcking
me out.

-- - One of many happy users:
Received on Thu Oct 10 2013 - 04:53:11 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 10 2013 - 12:00:05 MDT