[squid-users] Does squid generates/adds additional HTTP headers?

Amos Jeffries squid3 at treenet.co.nz
Wed Jul 12 14:13:49 UTC 2017


On 12/07/17 04:36, Sonya Roy wrote:
> As Alex mentioned it's not possible to do with squid. I modified the 
> squid source code to do this a month ago. It's not hard to do, you will 
> only need to modify http.cc and client_side.cc a bit.
> 

What you did and what avi_h is asking about does not match what avi_h 
says they want to happen.


On 12/07/17 07:00, avi_h wrote:
> make some server(s) think that the
> request is coming directly from a user agent



Even sending the entire HTTP headers as-is through to the server cannot 
prevent proxy detection if the server is actively trying to detect it. 
Some naive services look only at the headers, others inject code into 
the client to scan the browser's view of the network environment and send 
that back to the server for comparison of what the server environment 
contains - yelling "proxy" if anything appears different, regardless of 
whether a proxy actually exists.


So as Alex hinted but did not state - what would help is info about the 
specific websites/services one is trying to work around. Narrowing the 
problem down to certain sites, and what behaviour you want to stop them 
having would be a great first step.


FWIW; in my experience most of the real traffic problems are not caused 
by proxy detection at all. That seems to be purely users/admin getting 
thrown off by other equally broken problem-detection websites, or 
blaming the proxy when something else is causing problems.

The real problem is usually servers dying in horrible ways when 
unexpected HTTP headers are given to them - even fully standardized 
headers like Via (RFC 2068, 2616, 7231) with standard values are beyond 
some server scripts' ability to parse.

Not many web devs seem to understand that HTTP headers can contain 
arbitrary-length comments. "via off" is not so much preventing the proxy 
causing problems, but preventing clients behind the proxy injecting 
bogus XSS code into the server script through it - by granting any 
attacker more complete anonymity to do other attacks.

(sorry for the rant - I'm just tired of people thinking that hiding 
their proxy actually helps).

Amos
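
Added example (not part of the original message and not Squid code): a server-side sketch of parsing a Via header that tolerates the parenthesised comments mentioned above, including commas, nesting and quoted-pairs inside them, and HTML-escapes every field before output. The function names and the sample header value are constructed for illustration.

```python
import html

def split_via(value):
    """Split a Via field value on commas that are outside (comments)."""
    elements, buf, depth, i = [], [], 0, 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and depth and i + 1 < len(value):
            buf.append(value[i:i + 2])   # quoted-pair inside a comment
            i += 2
            continue
        if ch == "(":
            depth += 1                   # comments may nest
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in Via")
        if ch == "," and depth == 0:
            elements.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if depth:
        raise ValueError("unterminated comment in Via")
    elements.append("".join(buf))
    return [e.strip() for e in elements if e.strip()]

def parse_via(value):
    """Return one dict per hop: protocol, received_by, comment (raw text)."""
    hops = []
    for element in split_via(value):
        fields = element.split(None, 2)
        if len(fields) < 2 or "(" in fields[0] + fields[1]:
            raise ValueError("malformed Via element: %r" % element)
        comment = fields[2] if len(fields) == 3 else ""
        if comment and not (comment[0] == "(" and comment[-1] == ")"):
            raise ValueError("unexpected text after received-by: %r" % element)
        hops.append({"protocol": fields[0], "received_by": fields[1],
                     "comment": comment[1:-1]})
    return hops

def render_hops(value):
    """HTML-escape every field before it reaches a page or log viewer."""
    return [" ".join(html.escape(h[k]) for k in
                     ("protocol", "received_by", "comment")).strip()
            for h in parse_via(value)]

# Constructed sample: two hops; the second comment holds a comma, nested
# parentheses and markup supplied by whoever sent the header.
SAMPLE = "1.0 fred, 1.1 proxy.example.net (squid/3.5, <script>alert(1)</script>)"
```

A script that splits the header on every comma, or echoes the comment unescaped, is the kind of server code the message describes as breaking on standard Via values.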

