omero omero wrote:
Hello Facundo,
I read you message and the replies. I think that the
replies did not solve your problem. I did not open the
links provided, but i read the conclusion which is to
deny Via and X-Forwarded-For (XFF).
The commands I listed will deny the TRANSMISSION of the Via and
X-Forwarded-For headers. Read further for more details.
You do not need to
deny anything. Actually, you need to disable the
transmission of Via and XFF.
That's what header_access deny does.
There is a big difference
between [denying Via and XFF] and [disabling
transmission of Via and XFF]. Denying Via and XFF is
to deny HTTP requests that comes from a client which
has a proxy server installed on it (with Via and XFF
bieng enbaled on that proxy server).
No argument. An acl/http_access combo like...
acl req_header Via Via
acl req_header XFF X-Forwarded-For
http_access deny Via
http_access deny XFF
...would block REQUESTS containing said headers. While there might be a
reason for doing so, that's not what I suggested.
You want to
prevent internet servers from detecting that your are
behind a proxy, therefore you need to disable
transmission of Via and XFF.
To do that, add the following 2 lines to your squid
conf file and don't forget to restart the service
after you save the file:
forwarded_for off
via off
This will perform the same function, but ONLY for the Squid server it is
set on. "header_access deny" removes preexisting headers as well (so if
set on a parent cache, the headers added by the child cache will also be
removed). Further, the original poster did not specify if they were
using Squid 2.5 or 2.6. The via directive is new with 2.6.
header_access would work with both.
BUT WAIT, you said that at your server, you did not
set any proxy and the site you enter is detecting that
you are behind a proxy.
He stated that he is using WCCP
(http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-3a8820922b612e5efaf516ef043ea4c05e2e4799)
to re-direct web traffic to his Squid server. That alleviates the need
to specify the proxy connection in the browser at the cost of breaking
RFCs (as most/all interception setups do).
Adrian's suggestion of looking into TPROXY was to allow the proxy to
spoof the IP address that traffic would appear to source from, further
hiding the fact that a proxy is in use
(http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-5887c3744368f290e63fda47fd1e4715c9bdbc9b).
Actually, this is not related
to the squid proxy server installed on your server.
You get internet from an ISP, and this ISP has a proxy
server on it. Right? Sure. The proxy server of your
ISP will add the Via and XFF. You can't do anything
about it from your side. You might want to use
ANONYMOUS proxy servers that can serve your purpose by
modifying requests after they are in no more
controlled by your ISP. Requests go likes this: You
--> Your ISP --> Anonymous Proxy server --> Target
Site.
Given the assumption you made here, this is entirely correct. You'd
need a proxy outside of your ISP's control that would be capable of
removing the ISP supplied Via and XFF headers.
Regards.
Hope that clears things up.
Chris
