In order to debug issues and conduct stability and performance testing, we need an ability to simulate a "zero hit" - a page view by a client from one of our Zero partner networks (or a non-existent test partner). This is a fairly complex issue, as it involves both Varnish layer and the php backend to work together.

Background

For each request, Varnish parses Client IP and the X-Forwarded-For (XFF) header to determines Zero partner ID (X-CS) and, optionally, the proxy (e.g. Opera Mini). Yet, Varnish does not pass the actual ID to the backend unless the request is for the Special:ZeroRatedMobileAccess. For all other mobile Wikipedia requests, Varnish simply sets the X-CS=ON. After the request is done, Varnish adds the partner ID to the X-Analytics header to be logged into hadoop. Because of the design, this system minimizes cache fragmentation, but at the same time makes debugging much more difficult. Even if Varnish would allow an external X-CS header, it would have to be simulated in a different way based on the URL (all for the same pageview)

Questions

#1: Are there any concerns with allowing clients to spoof the X-CS? Assuming we won't add them to X-Analytics to avoid skewing statistics.

#2: Are there any concerns with allowing XFF and IP to be spoofed, e.g. a client setting XFF to a fake value, so that we can test and evaluate a complete front-to-back performance. We could limit this just to GET requests if POST is a concern. We could also indicate spoofing by having an additional "TEST" header, which would also prevent X-Analytics statistics poisoning.