Re: About two HTTP headers

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 11 Mar 2004 09:40:54 +0100 (CET)

On Thu, 11 Mar 2004, Zhao wrote:

> When I surf the Internet through squid, the squid can add two headers
> HTTP_X_FORWARDED_FOR and HTTP_VIA to forward clients' request. It can be
> proven by http://www.schroepl.net/cgi-bin/http_trace.pl. There is a
> problem to violate person/corporation's privacy, I think. One hacker can
> infer the net topology behind squid from these two headers.

Both X-Forwarded-For and Via can easily be removed using the anonymization
features of Squid. See the http_header_access directive.

> However, there is a squid.conf directive 'forwarded_for on/off' to
> process the former header, though it is default 'on' to enable it and
> 'off' for 'unknown' according to the source code src/http.c.

Please note that setting forwarded_for off etc does not guarantee there
won't be information leakage via these headers. It only prevents this Squid
instance from adding information to the headers. If secondary proxies have
added such headers then the information added by the secondary proxies is
still forwarded.

If you do not want these headers sent you should use the anonymisation
features to have the headers completely removed from the requests.

> Is there a new squid.conf directive to enable/disable the HTTP_VIA
> header?

There is in squid-3, working pretty much in the same manner as
the forwarded_for directive.

Regards
Henrik
Received on Thu Mar 11 2004 - 01:40:57 MST
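
Added example, not part of the original message and not Squid code: a simplified Python model of a two-proxy chain, showing why turning forwarded_for off on the outer proxy still forwards what an inner proxy added, while removing the headers does not. The host names, addresses, Via format and function names are constructed assumptions.

```python
import ipaddress

def proxy_hop(headers, client_ip, via_name, forwarded_for=True, strip=()):
    """Simplified model of one proxy hop; returns the headers sent upstream."""
    out = dict(headers)
    # Each hop appends to any list already present. With forwarded_for off
    # the hop contributes the token 'unknown' instead of the client address.
    entry = client_ip if forwarded_for else "unknown"
    out["X-Forwarded-For"] = ", ".join(filter(None, [out.get("X-Forwarded-For"), entry]))
    out["Via"] = ", ".join(filter(None, [out.get("Via"), f"1.1 {via_name}"]))
    # Header removal drops the whole header, earlier hops' entries included.
    for name in strip:
        out.pop(name, None)
    return out

def leaked_internal(headers):
    """Private addresses and proxy host names still visible to the origin server."""
    found = []
    for token in headers.get("X-Forwarded-For", "").split(","):
        try:
            if ipaddress.ip_address(token.strip()).is_private:
                found.append(token.strip())
        except ValueError:
            pass  # 'unknown' or an empty header
    for token in headers.get("Via", "").split(","):
        parts = token.split()
        if len(parts) >= 2:
            found.append(parts[1])
    return found

def scenario(edge_forwarded_for, edge_strip=()):
    """Client -> inner proxy -> edge proxy -> origin (all values constructed)."""
    inner = proxy_hop({"Host": "www.example.com"}, "10.1.2.3", "inner.corp.example")
    return proxy_hop(inner, "10.0.0.2", "edge.corp.example",
                     forwarded_for=edge_forwarded_for, strip=edge_strip)

if __name__ == "__main__":
    for label, hdrs in [
        ("forwarded_for on", scenario(True)),
        ("forwarded_for off", scenario(False)),
        ("headers removed", scenario(False, ("X-Forwarded-For", "Via"))),
    ]:
        print(f"{label:18} leaked={leaked_internal(hdrs)}")
```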
