0

Is it possible to identify a proxy sever (IP & other headers) as the user who originated the request?

Example 1 (Standard use case):

I have a proxy server a.com that proxies all requests to b.com. Traditionally b.com will receive an X-Forwarded-For header that identifies the end user (This is okay, because I want b.com to know the users IP).

Example 2 (Use case in question):

I have a proxy server a.com that proxies all requests to b.com. I don't want b.com to know the requests came through a proxy. I want a.com to identify itself as the originator of the request.

User 127.0.0.1 makes a GET request to a.com and b.com believes that request came directly from 127.0.0.1.

Is example 2 possible?

Eric Uldall
  • 161
  • 2
  • 10

1 Answers1

0

If you are using Squid as your proxy simply edit squid.conf and set 

    forwarded_for = delete

This removes the entire X-Forwarded-for header.

But that does not hide the fact that the IP address from the client will appear as a.com and not the clients IP. The proxy server IP will show up as TCP won't allow faking a source address successfully as the 3-way handshake fails. That said, if you are being NAT'd you will appear as the NAT'd ip.

Hope that helps.

Joe M
  • 291
  • 1
  • 4
  • I don't fully understand the 3-way handshake. If the SYN-ACK is sent to the client ip and the TCP packet was forwarded from that IP initially will the ACK not make it back to the client? – Eric Uldall Jun 04 '18 at 22:03
  • Hey @EricUldall the 3 Way handshake would be from the client to the server. Client -> Syn Server . Server -> SA Client . Client Ack -> Server. With a proxy server the client sends the Syn to the proxy server, proxy server sends back a SA and client replies with A. Then the proxy sends the same thing to the destination web server. If the proxy server spoofed the IP of the client when it sent the first Syn packet the whole client's TCP stack would drop the packet as it did not initiate the connection. A router/FW is designed to do exactly this type of thing, a proxy server is not. – Joe M Jun 05 '18 at 22:36