From 94ce10fccc1da882cc6766d74727df63a12b5746 Mon Sep 17 00:00:00 2001
From: Timothy Miller
Date: Wed, 18 Mar 2026 18:19:55 -0400
Subject: [PATCH] Only set Host header for literal-IP trace URLs

The fallback hostname-based URL and custom URLs resolve correctly without a Host override, so restrict the header to the cases that need it (direct IP connections to 1.1.1.1 / [2606:4700:4700::1111]).
---
 src/provider.rs | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/src/provider.rs b/src/provider.rs
index d4925af..0ca705f 100644
--- a/src/provider.rs
+++ b/src/provider.rs
@@ -164,14 +164,17 @@ pub fn parse_trace_ip(body: &str) -> Option {
 None
 }
 
-async fn fetch_trace_ip(client: &Client, url: &str, timeout: Duration) -> Option {
- let resp = client
- .get(url)
- .header("Host", "one.one.one.one")
- .timeout(timeout)
- .send()
- .await
- .ok()?;
+async fn fetch_trace_ip(
+ client: &Client,
+ url: &str,
+ timeout: Duration,
+ host_override: Option<&str>,
+) -> Option {
+ let mut req = client.get(url).timeout(timeout);
+ if let Some(host) = host_override {
+ req = req.header("Host", host);
+ }
+ let resp = req.send().await.ok()?;
 let body = resp.text().await.ok()?;
 let ip_str = parse_trace_ip(&body)?;
 ip_str.parse::().ok()
@@ -203,7 +206,7 @@ async fn detect_cloudflare_trace(
 let client = build_split_client(ip_type, timeout);
 
 if let Some(url) = custom_url {
- if let Some(ip) = fetch_trace_ip(&client, url, timeout).await {
+ if let Some(ip) = fetch_trace_ip(&client, url, timeout, None).await {
 if validate_detected_ip(&ip, ip_type, ppfmt) {
 return vec![ip];
 }
@@ -221,7 +224,7 @@ async fn detect_cloudflare_trace(
 };
 
 // Try primary (literal IP — guarantees correct address family)
- if let Some(ip) = fetch_trace_ip(&client, primary, timeout).await {
+ if let Some(ip) = fetch_trace_ip(&client, primary, timeout, Some("one.one.one.one")).await {
 if validate_detected_ip(&ip, ip_type, ppfmt) {
 return vec![ip];
 }
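Review bot: `fetch_trace_ip` gains `host_override` without a doc comment, and every failure still collapses into `None` through `.ok()?`, including a header value the client rejects and a non-success HTTP status. Since the parsed address is what the caller goes on to validate and return, I would keep error pages away from `parse_trace_ip` with `let resp = req.send().await.ok()?.error_for_status().ok()?;` (assuming `Client` is reqwest's, which the hunk does not show). A doc line such as `/// host_override replaces only the HTTP Host header; pass a fixed constant, never a value read from configuration.` would record the contract, and whether the TLS name check still follows the host in `url` should be confirmed and stated there too. The function's closing brace is outside the hunk.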
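Review bot: The override is now chosen by call site rather than by what the URL's host actually is, so the `custom_url` call in `detect_cloudflare_trace` passes `None` even when the user's URL is itself a literal-IP address. The commit message names literal-IP connections as the case that needs the header, so such a configuration would presumably lose it with this change. Either decide inside `fetch_trace_ip` from the parsed URL host, or document the restriction next to this call, e.g. `// Custom URL: Host is derived from the URL; literal-IP custom URLs get no override`. `detect_cloudflare_trace` begins and ends outside the hunk.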
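Review bot: `Some("one.one.one.one")` on the primary call is a bare string literal, while the fallback URL used later in the same function lives in the `CF_TRACE_FALLBACK` constant. The header value only makes sense together with the literal-IP primary URLs, so I would give it a name declared beside them, for example `const CF_TRACE_HOST: &str = "one.one.one.one";` (the name is a suggestion), and pass `Some(CF_TRACE_HOST)`. That keeps the address and the Host value from drifting apart in a later edit. The enclosing function starts and ends outside the hunk.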
@@ -232,7 +235,7 @@ async fn detect_cloudflare_trace(
 );
 
 // Try fallback (hostname-based — works when literal IPs are intercepted by WARP/Zero Trust)
- if let Some(ip) = fetch_trace_ip(&client, CF_TRACE_FALLBACK, timeout).await {
+ if let Some(ip) = fetch_trace_ip(&client, CF_TRACE_FALLBACK, timeout, None).await {
 if validate_detected_ip(&ip, ip_type, ppfmt) {
 return vec![ip];
 }