
A distorting proxy hides the client’s real address but intentionally inserts a fabricated client IP into forwarding headers. It’s one of the standard proxy anonymity grades; details and header rules are in proxy anonymity levels.
What is a distorting proxy?
It hides the user IP yet adds a fake client address to X-Forwarded-For and keeps a Via hop marker, so the proxy is obvious even if the user is not.
In a forward-proxy chain, the origin receives two signals: an explicit hop header like Via: 1.1 proxy.example and a non-credible X-Forwarded-For. Any mismatch between XFF and the TCP source, or tokens like unknown, is a strong detection cue.
Distorting vs anonymous vs elite
Distorting lies about the client IP; anonymous omits it; elite hides the proxy hop entirely.
Quick map:
- Transparent: passes real IP in XFF.
- Distorting: fake XFF + Via.
- Anonymous: no XFF + Via.
- Elite: no XFF and no hop headers.
Which headers reveal a distorting proxy?
Look for Via plus a fabricated or inconsistent X-Forwarded-For or Forwarded.
Example at the origin:
Via: 1.1 gateway-7
X-Forwarded-For: 203.0.113.45 # fabricated, not the TCP peer
Forwarded: for=unknown
Non-IP tokens, RFC1918 space, or RFC5737 examples in XFF typically increase a risk score.
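The quick map and the header cues above, combined into an origin-side classifier. This is an added example, not code from the original page: the function names and signal labels are hypothetical, and it assumes the request headers arrive as a dict with one value per header name.

```python
import ipaddress

# Added illustration; function names and signal labels are hypothetical.
# Ranges the page names as non-credible in a client-IP header.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC5737 = [ipaddress.ip_network(n) for n in
           ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

def claimed_clients(headers):
    """Return (client tokens from XFF and Forwarded for=, Via present?)."""
    h = {k.lower(): v for k, v in headers.items()}
    tokens = [t.strip() for t in h.get("x-forwarded-for", "").split(",")]
    for element in h.get("forwarded", "").split(","):
        for pair in element.split(";"):
            name, _, value = pair.strip().partition("=")
            if name.lower() == "for":
                value = value.strip('"')
                if value.startswith("["):        # "[2001:db8::1]:4711"
                    value = value[1:].split("]")[0]
                elif value.count(":") == 1:      # "192.0.2.1:4711"
                    value = value.split(":")[0]
                tokens.append(value)
    return [t for t in tokens if t], "via" in h

def credibility_flag(token):
    """Name the reason a claimed client address is not credible, else None."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return "non-ip-token"                    # e.g. "unknown", "_hidden"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if any(addr in net for net in RFC5737):
        return "rfc5737"
    return None

def classify(peer_ip, headers):
    """Grade a request by its headers; elite and direct look identical here."""
    tokens, has_via = claimed_clients(headers)
    signals = sorted({credibility_flag(t) for t in tokens} - {None})
    if not tokens:
        grade = "anonymous" if has_via else "elite-or-direct"
    else:
        grade = "distorting" if signals else "transparent"
    if has_via:
        signals.append("via")
    if any(t != peer_ip for t in tokens):        # claimed client is not the TCP peer
        signals.append("peer-mismatch")
    return grade, signals
```

A "transparent" result only means the claimed address is syntactically plausible; the origin cannot prove it is the real client, which is why the header grade is one input to a score next to reputation and fingerprints.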
Behavior over HTTP vs HTTPS (CONNECT)
Over plain HTTP, hop and XFF headers reach the origin; over HTTPS CONNECT they do not, so detection shifts to IP reputation and fingerprints.
For protocol context and CONNECT behavior, see HTTP/HTTPS proxies.
Why use or avoid a distorting proxy?
It can satisfy internal logging that “requires a client IP,” but it is easy to classify as a proxy and more likely to be rate-limited or blocked.
Pros
- Hides the real client IP from the destination.
- Can satisfy systems that expect a populated “client IP” field.
Cons
- Via plus fake XFF makes proxy use obvious.
- Higher odds of CAPTCHAs, throttling, or blocks.
- Misleading XFF can break geo logic or audits.
Minimal configurations that show the “distorting” effect
Disable automatic XFF, then add a static or synthetic client IP while keeping a hop header. Verify with a header echo.
Squid 6 (explicit forward proxy)
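# squid.conf
http_port 3128
# keep the Via hop marker
via on
# "delete" removes Squid's own X-Forwarded-For; "off" would send "unknown" alongside the added value
forwarded_for delete
request_header_add X-Forwarded-For "203.0.113.45" all
request_header_add X-Proxy-Chain "distorting" all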
Nginx (forward proxy via http)
# place in the location block that proxies the request
proxy_set_header Via "1.1 $hostname";
proxy_set_header X-Forwarded-For "unknown";
HAProxy 2.8 (HTTP mode)
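frontend fe
    mode http
    bind :3128
    default_backend be
backend be
    mode http
    # drop any inbound value, then set the synthetic one
    http-request del-header X-Forwarded-For
    http-request add-header X-Forwarded-For unknown
    # http-request, not http-response: the hop marker has to travel to the origin
    http-request add-header Via "1.1 haproxy-distorting"
    server s1 0.0.0.0:0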
Note: Many stacks auto-generate forwarding headers unless explicitly disabled. Always confirm the actual egress view.
Quick verification
Over HTTP you should see your fake XFF and a hop header at the origin; over HTTPS CONNECT you will not.
curl -s http://httpbin.org/anything -x http://PROXY:PORT | jq '.headers'
curl -s https://httpbin.org/anything -x http://PROXY:PORT | jq '.headers'
Detection patterns to expect
Sites combine header consistency checks with IP reputation and fingerprinting to score or block traffic.
Common signals:
- Header consistency: XFF not matching the TCP peer, non-IP tokens, malformed Forwarded.
- Hop disclosure: presence and repetition of Via.
- Reputation and ASN: ownership, prior abuse reports.
- TLS/HTTP fingerprints: JA3/JARM, ALPN, header order, HTTP version quirks.
- Behavior: bursts, error ratios, retry cadence, cookie handling.
Mitigation tips: keep concurrency predictable, avoid obviously fake tokens, and reserve distorting mode for internal hops. If targeting public sites, prefer anonymous or elite behavior.
When is distorting a good choice?
Use it for internal infrastructure that consumes XFF as a hint and does not trust it for security. Avoid it for public targets and compliance-sensitive APIs.
If you need concealment without obvious fingerprints, switch to anonymous or elite settings and re-test.
Troubleshooting
First confirm what the origin receives, then adjust headers or switch modes.
- Check the origin’s headers. If XFF is not your configured value, your stack rewrote it.
- Inspect upstream hops. CDNs may append their own Via or Forwarded.
- Revisit HTTPS expectations. CONNECT does not expose your injected headers.
- If blocks correlate with unknown, try a syntactically valid non-routable placeholder (RFC5737) or drop XFF entirely.
FAQ
What exactly makes a proxy “distorting”?
Inserting a fabricated client address into XFF or Forwarded while still advertising the proxy hop.
That combination hides the user yet makes proxy use explicit.
Does HTTPS CONNECT hide distorting headers?
Yes. CONNECT prevents header injection into the end-to-end stream.
Classification then depends on IP reputation, fingerprints, and behavior.
Is unknown in XFF a good idea?
It is often treated as suspicious.
Prefer a stable internal mapping never exposed publicly, or omit XFF for public targets.
Why do vendors discourage distorting mode?
It raises block rates and support load.
Anonymous or elite defaults tend to cause fewer issues with CDNs.