Redactus Proxy Service — Signed Agent Information

Part of the Redactus internet-safety ecosystem (Techloq Internet Filtering Platform)
Last updated: • Page: bot.redactus.co.uk/proxy

Overview

The Redactus Proxy Service is a traffic inspection filtering proxy. End-user web traffic terminates at our proxy, where filtering policies are enforced.

Because traffic exits from our proxy IP addresses, origin servers cannot identify the true end-user IP. To avoid “all-or-nothing” mitigation, we use Cloudflare Signed Agents to provide a unique source identifier with every request.

We preserve the original browser’s User-Agent header. We do not modify or replace it.

Signed Agent policy

All outbound requests are signed following Cloudflare’s Signed Agent policy. This proves that:

  • Traffic is genuinely from the Redactus Proxy Service (not spoofed).
  • Critical headers, including our unique source identifier, are integrity-protected.

We sign with Ed25519. Our public keys are published in our JWKS directory (see below).

Unique source identifier

Each outbound request carries a dedicated, opaque header:

X-Redactus-Source: <unique stable token per source>

This token represents a source of traffic within our network (for example, a user device or session), but does not expose raw IP addresses or personally identifying data.

We always include X-Redactus-Source in Signature-Input, ensuring that it is cryptographically bound to the request. Cloudflare can therefore use this header as a segmentation key: if one source misbehaves, only that source can be mitigated—not the entire proxy service.

Example request headers

GET /path HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)...   # preserved browser UA
X-Redactus-Source: v1:AbCdEf12345...

Signature-Agent: ""
Signature-Input: sig1=("@authority" "@method" "@path" "signature-agent" "x-redactus-source");created=1724590000;expires=1724590060;keyid="KID_THUMBPRINT";alg="ed25519";tag="web-bot-auth"
Signature: sig1=:BASE64URL_SIGNATURE:

Key discovery (JWKS)

Our key directory is published at:

https://bot.redactus.co.uk/proxy/.well-known/http-message-signatures-directory

It contains our Ed25519 public key(s). The kid in signatures matches a key in this set. During rotation, multiple keys may be published temporarily.

Rate limits & etiquette

  • Default rate: ≤ 0.1 req/s per origin; 1 concurrent request per origin.
  • Backoff: Immediate backoff on 429/503 or unusual latency.
  • robots.txt: We respect directives for our UAs.

Data handling

  • We store minimal metadata (timestamps, status, X-Redactus-Source mappings) for reliability and abuse handling.
  • No collection of credentials or gated content.
  • Short retention by default; extended only for abuse/security investigations.

Opt-out / customization

  1. robots.txt for our UAs.
  2. Signature verification policies on your side (allow/deny by Signature-Agent/kid).
  3. Email us: support@redactus.co.uk

Contact

Operations & support: support@redactus.co.uk
Abuse / Security: security@redactus.co.uk
This page: https://bot.redactus.co.uk/proxy