On 16/07/2014 4:18 p.m., Lawrence Pingree wrote:
> I have found that although RFCs state that you should have VIA and forwarded
> for headers, firewalls and intrusion detection devices are now blocking (based
> on their configuration of the organization) proxies that are detected using
> these headers as the method for detection.
>

Do you have much in the way of data on that?

My finding is that this is almost always bad code. Systems which break internally (crash or hang - resulting in zero sized reply) fairly consistently do so if they are passed "unknown" or an IPv6 address in the XFF header. Some also fail if they are passed multiple IPv4 or sometimes if the (optional) SP characters are omitted.

"unknown", and multiple IPv4 has *always* been part of the design for X-Forwarded-For. So the only explanation if those fail is bad code handling the header value.

Amos
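The header forms named in the message above ("unknown", IPv6, several addresses, commas without the optional SP), handled by a tolerant parser. This is an added example, not part of the original message and not Squid's code; the function name `parse_xff`, the case-insensitive match on "unknown" and all sample values are assumptions made for illustration.

```python
import ipaddress


def parse_xff(value):
    """Parse an X-Forwarded-For value into a list of (kind, item) tuples.

    kind is "ip" (item is an ipaddress object), "unknown" (item is None)
    or "invalid" (item is the raw token). A bad element is reported,
    never raised, so one odd hop cannot crash or hang the consumer.
    """
    hops = []
    for raw in value.split(","):
        token = raw.strip(" \t")      # the SP after each comma is optional
        if not token:
            continue                  # tolerate empty list elements
        if token.lower() == "unknown":  # assumption: match case-insensitively
            hops.append(("unknown", None))
            continue
        try:
            # ip_address() accepts both IPv4 and IPv6 literals
            hops.append(("ip", ipaddress.ip_address(token)))
        except ValueError:
            hops.append(("invalid", token))
    return hops


if __name__ == "__main__":
    # Constructed sample values using documentation address ranges.
    samples = [
        "unknown, 192.0.2.10,2001:db8::1",
        "192.0.2.1,198.51.100.7",
        "not-an-ip, 203.0.113.5",
    ]
    for s in samples:
        print(repr(s), "->", [(k, str(v)) for k, v in parse_xff(s)])
```
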