Re: [squid-users] x-forwarded-for Fail

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 11 Oct 2013 13:19:58 +1300

On 11/10/2013 2:44 a.m., merc1984_at_f-m.fm wrote:
>> HTML is a different story entirely from HTTP.
>> Manipulation of HTTP headers on every relay point they cross is mandatory.
> Why?
>
>>>> One interesting case here is that if you add X-Forwarded-For on your
>>>> requests, does that value show up at his end?
>>> I did try setting it to 127.0.0.1, but it didn't fool him.
>>>
>>> Interestingly I run NoScript and have all scripting turned off for his
>>> site, yet he still comes up with my IP. Hm, maybe Crumcast is narcking
>>> me out.
>> Probably. They do have to send packets from your IP to his IP and get
>> the responses back to you.
> In order to get back to me my IP is in the packet headers. No need for
> them to be in http headers.
>
> That's why you can (ostensibly) turn off x-forwarded-for in squid.conf.

Ah, but his site is running a script. The internal design of web servers
often includes mapping TCP level details alongside HTTP headers so they
can be sent over the very different connection between the server
process and the script process. Good example is PHP's
$_SERVER['REMOTE_ADDR'] which lists the IP of the web server receiving
the traffic. The rest of that array is the HTTP headers and other
environment details.
  That is pretty much what X-Forwarded-For is too - just a passing of the
end-user's _public_ TCP connection IP (only the IP) through a hierarchy
to the backend when the original TCP connection is nowhere near that
backend software.

Amos
Received on Fri Oct 11 2013 - 00:20:07 MDT
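
Added example, not part of the original message or of Squid: a sketch of how a backend script can combine the TCP peer address (what PHP exposes as REMOTE_ADDR) with X-Forwarded-For, and why a client-supplied value such as 127.0.0.1 does not change the result. The function names, the TRUSTED_PROXIES list and all addresses are constructed assumptions.

```python
import ipaddress

# Assumption: networks of the relays this backend trusts to append
# X-Forwarded-For honestly (constructed value, documentation range).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]


def is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Return the address the backend should treat as the end user.

    remote_addr: peer IP of the TCP connection (REMOTE_ADDR in PHP terms).
    xff_header:  raw X-Forwarded-For header value, or None.
    """
    # A peer that is not a trusted proxy can write anything into the
    # header, so only the TCP-level address counts.
    if not is_trusted(remote_addr) or not xff_header:
        return remote_addr

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    candidate = remote_addr
    # Each relay appends the IP of the TCP peer it saw, so the rightmost
    # entries are the ones written by trusted relays. Walk right to left
    # and stop at the first address no trusted relay vouches for.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # non-address token such as "unknown": keep last good value
        candidate = hop
        if not is_trusted(hop):
            break
    return candidate


if __name__ == "__main__":
    # Constructed cases: direct client with a forged header, then the same
    # forged header relayed through a trusted proxy that appended the peer IP.
    print(client_ip("203.0.113.7", "127.0.0.1"))
    print(client_ip("192.0.2.1", "127.0.0.1, 203.0.113.7"))
```
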
