Re: [squid-users] x-forwarded-for Fail

From: Amos Jeffries <>
Date: Thu, 10 Oct 2013 19:14:08 +1300

On 10/10/2013 5:53 p.m., wrote:
> On Wed, Oct 9, 2013, at 20:35, Amos Jeffries wrote:
>> All such online header tools are really only delivering a report of the
>> headers which reached them. None of them have ever displayed "The
>> Truth"(tm). The internals of the browser itself contains a set of layers
>> doing header additions and changes. The same is (supposed to be) true of
>> every extra layer of software proxies across the network.
> I just can't believe that someone would just keep a lying tool up.
> Maybe I'll send him an email.
>> This case is a great example of how no matter what header manipulation
>> you do in your own proxy it cannot change what others are doing to the
>> traffic elsewhere. The CDN he uses adding its own X-Forwarded-* headers.
>> Your own upstream provider might add the X-Forwarded-For header adding
>> details about you. Every proxy along the way removes existing hop-by-hop
>> headers and adds new ones.
> Crumcast shouldn't be manipulating my HTML headers; that would cost too
> much.

HTML is a different story entirely from HTTP.
Manipuation of HTTP headers on every relay point they cross is mandatory.

>> One interesting case here is that if you add X-Forwarded-For on your
>> requests, does that value show up at his end?
> I did try setting it to, but it didn't fool him.
> Interestingly I run NoScript and have all scripting turned off for his
> site, yet he still comes up with my IP. Hm, maybe Crumcast is narcking
> me out.

Probably. They do have to send packets from your IP to his IP and get
the responses back to you.

Received on Thu Oct 10 2013 - 06:14:15 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 10 2013 - 12:00:05 MDT