Squid security/privacy risk: Exposure of internal LAN IPs and hostname

The standard configuration of the squid proxy leaks internal LAN IP addresses and the (possibly internal) host name of the squid proxy, which poses a security and privacy risk.

You can check with:
http://www.xhaus.com/headers
http://ip-check.info

I suggest adding the following to the squid options

#
# 91optionsDisableLanIPAndHostname-Leakage
#
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
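A check for the leak described above, as an added example that is not part of the original post: a small Python script that parses the request head an external site would see and flags RFC 1918 client addresses in X-Forwarded-For and the proxy name in Via. The two sample requests are constructed, and the proxy hostname proxy.lan is an assumption.

```python
import ipaddress

# The three RFC 1918 ranges named in the thread; addresses from these
# ranges in X-Forwarded-For reveal the LAN layout to the remote site.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_head(raw):
    """Split a raw HTTP request head into (lowercased name, value) pairs."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:          # lines[0] is the request line
        if not line.strip():        # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def find_leaks(raw):
    """Return (header, leaked value) pairs an external site could learn."""
    findings = []
    for name, value in parse_head(raw):
        if name == "x-forwarded-for":
            for hop in value.split(","):
                try:
                    ip = ipaddress.ip_address(hop.strip())
                except ValueError:  # e.g. Squid's "unknown" placeholder
                    continue
                if any(ip in net for net in PRIVATE_NETS):
                    findings.append(("X-Forwarded-For", str(ip)))
        elif name == "via":
            # Each hop is "<version> <received-by> [(comment)]"; the
            # received-by field is the proxy's hostname or IP.
            for hop in value.split(","):
                parts = hop.split()
                if len(parts) >= 2:
                    findings.append(("Via", parts[1]))
    return findings


# Constructed samples: default Squid headers vs. after the two deny rules.
LEAKING = ("GET / HTTP/1.1\r\nHost: example.com\r\n"
           "X-Forwarded-For: 192.168.1.23\r\n"
           "Via: 1.1 proxy.lan (squid/x.y)\r\n\r\n")   # proxy.lan is assumed
CLEAN = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    print(find_leaks(LEAKING))   # [('X-Forwarded-For', '192.168.1.23'), ('Via', 'proxy.lan')]
    print(find_leaks(CLEAN))     # []
```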

I like the idea but I’m not expert enough to say if it could cause possible regressions. IMO it should be safe, but I would like to involve also @filippo_carletti and @davide_marini on this.

Is forwarded_for delete enough?
Should we add an option called something like “Enable privacy”?

2 Likes

forwarded_delete also suppresses the X-Forwarded-For header but not the Via header. I think the headers should be the same whether the proxy is on or not. Also the Via header exposes the LAN internal name of the proxy (depending on the configuration).

Hi

Exposing internal IP addresses poses NO security risk!

Most Internal Networks use a network out of the three ranges:

  • 10.x.x.x
  • 172.16.0.0-172.31.255.255
  • 192.168.x.x

as specified for over 20 years in the RFCs…

This means that almost any internal IP is used thousands of times over.
Also it means that these IPs are NEVER accessible from the Internet, as any Provider, Device or whatever on the Internet “should” discard ANY such traffic.

The same goes for any internal hostname - it’s only of value to an attacker if he’s already inside!
And that usually is via a compromised PC, and I’ve NEVER seen a compromised Linux Desktop or Mac in 35 years! It’s always been Windows… (What else… )

Nevertheless, as someone who’s been building squid proxies for 20+ years, I’d quite agree in at least suppressing the X-Forwarded-For header! There are more, but I’d need to reference my notes.

I also allow https to 9090 and 980, on some networks also to other specific ports used for administration of specific devices (e.g. 5001 for Synology, 8080 for Qnap, both with https/ssl).

My 2 cents
Andy

1 Like

Yes, it does pose a risk! Getting information about the internal network of a private network is an important step in attacking it. See for example: https://www.forcepoint.com/sites/default/files/resources/files/report-attacking-internal-network-en_0.pdf

So for security and privacy reasons no internal information of private networks should get out into the internet.

I.e. client IPs AND the Nethserver host should not be spread all over the internet with every web request. Also, the internet traffic should not be different whether you have a proxy on or no proxy on. The remote sites should not know whether you use a proxy or not.

Therefore X-Forwarded-For and Via should be suppressed. Look e.g. at the recommendations in the IP check http://ip-check.info.

Another point is whether the proxy should do additional filtering of header lines. The first privacy and security rule however is to not add additional unnecessary headers which reveal internal private information.

Your report just repeats what I’ve said about private networks…

Home networks, as with provider-supplied routers, almost always have 192.168.1.1 as the default gateway/router. Home networks as such also rarely use 10.x.x.x or 172.x.x.x. So even for guessing, there’s only 255 possibilities… With an 8-char password, a 30 year old 486 would take about 60 minutes for a brute force attack. Current CPUs are quite a bit faster!

It’s really easy to guess the router / default gateway:

In 99% of the cases it’s 1 at the end, some also use 254…

Defective devices or at least buggy devices, like old routers / WLAN boxes, also help.
Not updated systems.

But this is bs and has nothing to do with hacking…

4 IPs cover 99.9% of Home Routers…

My 2 cents
Andy

99% of the users have no firewall and no nethserver and especially no IPS running. You don’t need an IPS if all the software and computers are 100% bug free. The reality is, they are not.

The report does NOT repeat what you have said about private networks. It explains how private networks can be attacked from the outside by various means in recent years. And the first step is information gathering about the internal structure.

Look for example at page three (citation):

Attack overview
We will look at examples of how a JavaScript sitting on an external site can attack vulnerable services running on localhost or the internal network, using the victim’s browser as a proxy. As an overview, we will look at the following steps:
1. Reconnaissance circumventing SOP: finding out private IP address of victim, finding internal hosts, finding open ports, finding out what services run on the open ports.
2. Edge case of actually surfing the internal network from the outside, using the victim’s browser as a proxy, all while SOP is in effect.
3. Compromising a fingerprinted service running on localhost, giving the attacker persistent access to the victim’s computer.

And this is only one form of attack.

Anyway: It is a general security and privacy rule (not only in computers but also in economy and private life) to not unnecessarily reveal internal, private information to the public, because it makes you attackable by various means.

Nethserver, having various security items like firewall, Threat shield, IPS Suricata and so on, should adhere to the simple rule not to expose the internal network configuration to everyone.

Need to know is always rule one in security.

That’s true!

99% no firewall? Most providers’ internet boxes, even if only NAT, are already a firewall! Win10 comes with a firewall… I’d say maybe 50% globally, less in Europe and America, are without any firewall.
Even Android and iOS have built-in firewalls…

My 2 cents
Andy

Ok, and the general public does NOT “need to know”:

  1. Whether you use a proxy or not
  2. The internal private client IPs and how many computers are in your private network
  3. Internal hostnames of your private network.

Therefore NS should NOT add Via and X-Forwarded-For headers in the proxy.

Yes, I agree, a basic firewall is used by most people. I meant a more sophisticated firewall like Nethserver.

A simple NAT firewall mostly poses fewer risks than an advanced firewall like NethServer includes.

Wise guys like opening up ports for gaming, accessing the RDP home PC… This half-baked know-how usually poses more risks than a simple NAT, which does not allow ANY access from outside.

People going to dubious websites, or remote controlled Bot-Net PCs, is another story, but that’s almost exclusively Windows - like I’ve said, I’ve NEVER seen a compromised Linux or Mac in 35+ years - but thousands of PCs…

My 2 cents
Andy

*Dubious Websites:
Despite several friends nudging, I’ll NEVER use WhatsApp, or Facebook or Instagram. Anything owned or run by Zucki… Talk about “dubious”… With his track record on leaking or selling data… 🙂

Ok, you might be right, but does any of your arguments speak against preventing Nethserver from exposing internal information and against implementing my change as a default? Why do you find it better to keep NS spreading this internal, at least privacy-opposing information to the public?

And if you don’t trust Facebook, Whatsapp and so on because of privacy reasons: Why are you against my privacy (and security) enhancing change?

Hey!

Don’t get me wrong: I did approve your hints like Reverse Proxy and a few other things…

Like I say: “Need to know” should be the top maxim. If a web site works without knowing if I’m using a Proxy at home or not, great! If it makes a fuss - then it’s already suspicious… (Collecting too much ad data…)

Andy

2 Likes