Thanks Amos! I confirmed that adding the config option "forwarded_for off" does fix espn3. Can you please give me a little more detail of the risk posed by turning it off? If it was just espn3 I would try to get them to fix it but I wonder how many other sites have this same issue. Thanks! Eric On Tue, Nov 30, 2010 at 1:33 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > On 30/11/10 20:33, Eric Vance wrote: >> >> I have also had this issue. I was able to get the headers both going >> through squid and not. I noticed a few key differences (but skip to >> the end because I found the offending difference). >> >> Request Header without Squid: >> >> >> ************************************************************************************** >> GET >> http://broadband.espn.go.com/espn3/auth/userData?format=json&page=index >> HTTP/1.1 >> Host: broadband.espn.go.com >> Connection: keep-alive >> Referer: http://espn.go.com/espn3/index >> Accept: */* >> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) >> AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 >> Accept-Encoding: gzip,deflate,sdch >> Accept-Language: en-US,en;q=0.8 >> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 >> Cookie: SWID=C2085447-B5B5-4B68-9A02-97B9BEB8AC0C; userAB=C; >> ESPN360beta=betaSet; >> >> DE2=KioqOyoqKjtyZXNlcnZlZDticm9hZGJhbmQ7NTs0OzQ7MDswMDAuMDAwOzAwMDAuMDAwOzk5OTs1MzgzOzM0MDM7MDsqKjs=; >> CRBLM=CBLM-001:; DS=PzswOz87; CRBLM_LAST_UPDATE=1291054796; >> s_vi=[CS]v1|2679F7630516263D-60000198C0083F11[CE]; >> espnAffiliate=invalid; >> >> >> s_pers=%20s_c24%3D1291061231070%7C1385669231070%3B%20s_c24_s%3DLess%2520than%25201%2520day%7C1291063031070%3B%20s_gpv_pn%3Despn3%253Ainvalid%253Aindex%7C1291063031109%3B >> >> *************************************************************************************** >> >> Request header after Squid: >> >> >> *************************************************************************************** >> GET /espn3/auth/userData?format=json&page=index >> HTTP/1.0 >> Host: broadband.espn.go.com >> Referer: http://espn.go.com/espn3/index >> Accept: */* >> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) >> AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.5 >> 17.44 Safari/534.7 >> Accept-Encoding: identity >> Accept-Language: en-US,en;q=0.8 >> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 >> Cookie: SWID=C2085447-B5B5-4B68-9A02-97B9BEB8AC0C; userAB=C; >> ESPN360beta=betaSet; >> >> DE2=KioqOyoqKjtyZXNlcnZlZDticm9hZGJhbmQ7NTs0OzQ7MDswMDAuMDAwOzAwMDAuMDAwOzk5OTs1MzgzOzM0MDM7MDsqKjs=; >> CRBLM=CBLM-001:; DS=PzswOz87; CRBLM_LAST_UPDATE=1291054796; >> s_vi=[CS]v1|2679F7630516263D-60000198C0083F11[CE]; >> espnAffiliate=invalid; >> broadbandAccess=espn3-false%2Cnetworks-false; >> >> s_pers=%20s_c24%3D1291092114183%7C1385700114183%3B%20s_c24_s%3DLess%2520than%25201%2520day%7C1291093914183%3B%20s_gpv_pn%3Despn3%253Ainvalid%253Aindex%7C1291093914212%3B; >> lang=en; >> s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D16%3B; >> PREF=f2=8000000; >> Via: 1.0 ph:3128 (squid/2.7.STABLE9) >> X-Forwarded-For: 127.0.0.1 >> Cache-Control: max-age=259200 >> Connection: keep-alive >> >> *************************************************************************************** >> >> I manually issued this request changing one thing at a time until I >> found the breaking item. When I removed this line from the Squid >> version the response came back without the redirect (and I assume >> would then work correctly): >> >> X-Forwarded-For: 127.0.0.1 > > > D**m, suspected as much when that IP came back in your broken reply > javascript. > >> >> So, I guess the questions are: >> 1. Is this line necessary? > > Yes and no. > Yes, ... because XFF is important for tracking network bugs down and > informing the origin client IP. As you noticed this is one site which uses > it to produce per-user content display. > > No, because 127.0.0.1 is a useless thing to be sending in there as the first > entry. It is an artifact of the way your particular requests went to Squid. > >> 2. Can it safely be removed? > > Yes. If you are willing as the squid admin to shoulder all the blame for any > attacks made through your proxy. > >> 3. How can it be removed? > > In 2.7 configure: forwarded_for off. > > There is something else you can do now that you know what and where the > problem is. You can pass this same report on to the webmaster of that site. > They are trusting the XFF trail too much. > > Amos > -- > Please be using > Current Stable Squid 2.7.STABLE9 or 3.1.9 > Beta testers wanted for 3.2.0.3 >