List:       squid-dev
Subject:    Re: About two HTTP headers
From:       Henrik Nordstrom <hno () squid-cache ! org>
Date:       2004-03-11 8:40:54
Message-ID: Pine.LNX.4.44.0403110935510.13325-100000 () localhost ! localdomain

On Thu, 11 Mar 2004, Zhao wrote:

> When I surf the Internet through squid, the squid can add two headers
> HTTP_X_FORWARDED_FOR and HTTP_VIA to forward clients' request. It can be
> proven by http://www.schroepl.net/cgi-bin/http_trace.pl. There is a
> problem to violate person/corporation's privacy, I think. One hacker can
> infer the net topology behind squid from these two headers.

Both X-Forwarded-For and Via can easily be removed using the anonymization 
features of Squid. See the http_header_access directive.

> However, there is a squid.conf directive 'forwarded_for on/off' to
> process the former header, though it is default 'on' to enable it and
> 'off' for 'unknown' according to the source code src/http.c.

Please note that setting forwarded_for off etc does not guarantee there
won't be information leakage via these headers. It only prevents this Squid
instance from adding information to the headers. If secondary proxies have
added such headers then the information added by the secondary proxies is
still forwarded.

If you do not want these headers sent you should use the anonymisation 
features to have the headers completely removed from the requests.

> Is there a new squid.conf directive to enable/disable the HTTP_VIA
> header?

There is in squid-3, working pretty much in the same manner as 
the forwarded_for directive.

Regards
Henrik
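
The point made in the reply above, as a simplified model added here for illustration (not part of the original message and not Squid source code): an edge proxy with forwarded_for off still passes on what a secondary proxy added, while removing the headers on the outgoing request drops everything. The function names, hostnames and addresses are constructed; the "unknown" value for forwarded_for off is the behaviour described in the thread.

```python
# Simplified model of how a forwarding proxy treats X-Forwarded-For and Via.
# Not Squid source code; hostnames and addresses are constructed samples.
# Header names are treated as exact-case dictionary keys for brevity.

def forward(headers, client_ip, proxy_name, forwarded_for=True, strip=()):
    """Return the request headers this proxy sends upstream."""
    out = dict(headers)
    # Append to any list received from a downstream proxy: the client
    # address when forwarded_for is on, the literal "unknown" when off.
    xff = [v for v in [out.get("X-Forwarded-For")] if v]
    xff.append(client_ip if forwarded_for else "unknown")
    out["X-Forwarded-For"] = ", ".join(xff)
    # Via is likewise appended to, one entry per proxy on the path.
    via = [v for v in [out.get("Via")] if v]
    via.append(f"1.0 {proxy_name} (squid)")
    out["Via"] = ", ".join(via)
    # Header removal (the anonymisation approach) is modelled as running on
    # the outgoing request, so it also drops what downstream proxies added.
    for name in strip:
        out.pop(name, None)
    return out

def through_chain(edge_forwarded_for, edge_strip=()):
    """Client -> internal proxy -> edge proxy -> origin server."""
    request = {"Host": "www.example.com"}
    # Secondary (internal) proxy with default behaviour: adds both headers.
    inner = forward(request, "10.1.2.3", "inner.corp.example")
    # The edge proxy sees the internal proxy (10.0.0.5) as its client.
    return forward(inner, "10.0.0.5", "edge.corp.example",
                   forwarded_for=edge_forwarded_for, strip=edge_strip)

if __name__ == "__main__":
    cases = [
        ("forwarded_for on ", through_chain(True)),
        ("forwarded_for off", through_chain(False)),
        ("headers removed  ", through_chain(False, ("X-Forwarded-For", "Via"))),
    ]
    for label, hdrs in cases:
        print(label, hdrs)
```
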

