Hi, On Fri, May 23, 2008 at 9:27 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > > request_header_access X-Forwarded-For deny all > > Note mixed-case HTTP name, not the PHP internal variable name. > The problem is, I do want "X-Forwarded-For", if it is added by my squid, but not client. Since I can trust my squid but not my client. If setting the "request_header_access X-Forwarded-For deny all", my PHP even cannot get the "unknown" value even if I am using "forwarded_for on" Btw, If I use Firefox Modify Header to add my custom "X_FORWARDED_FOR" (note the case), my PHP can still get the "HTTP_X_FORWARDED_FOR" header, maybe this is a potential security hole? Howard