
Re: x-forwarded-for Fail


 



On 11/10/2013 2:44 a.m., merc1984@xxxxxx wrote:
HTML is a different story entirely from HTTP.
Manipulation of HTTP headers on every relay point they cross is mandatory.
Why?

One interesting case here is that if you add X-Forwarded-For on your
requests, does that value show up at his end?
I did try setting it to 127.0.0.1, but it didn't fool him.

Interestingly I run NoScript and have all scripting turned off for his
site, yet he still comes up with my IP.  Hm, maybe Crumcast is narcking
me out.
Probably. They do have to send packets from your IP to his IP and get
the responses back to you.
In order to get back to me my IP is in the packet headers.  No need for
them to be in http headers.

That's why you can (ostensibly) turn off x-forwarded-for in squid.conf.

Ah, but his site is running a script. The internal design of web servers often includes mapping TCP level details alongside HTTP headers so they can be sent over the very different connection between the server process and the script process. Good example is PHP's $_SERVER['REMOTE_ADDR'] which lists the IP of the web server receiving the traffic. The rest of that array is the HTTP headers and other environment details. That is pretty much what X-Forwarded-For is too - just a passing of end-user's _public_ TCP connection IP (only the IP) through a hierarchy to the backend when the original TCP connection is nowhere near that backend software.

Amos
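
Added example, not part of the original message and not Squid or PHP code: a sketch of how a backend can resolve the client address from the TCP peer address and X-Forwarded-For, which shows why a client-supplied value such as 127.0.0.1 has no effect on a direct connection. The function names, the TRUSTED_PROXIES range and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: networks of the reverse proxies this backend trusts (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def _parse(value):
    """Return an ip_address, or None for non-address tokens such as 'unknown'."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def client_ip(remote_addr, xff=None):
    """Resolve the client address a backend should log or act on.

    remote_addr: peer IP of the TCP connection (the TCP-level detail the
                 server hands to the script, e.g. REMOTE_ADDR).
    xff:         raw X-Forwarded-For header value, or None.
    """
    peer = ipaddress.ip_address(remote_addr)
    # Direct connection from an untrusted peer: the header is client-supplied,
    # so it is ignored and the TCP peer address is used.
    if not xff or not _is_trusted(peer):
        return str(peer)
    # Walk right to left: each trusted proxy appended the address it saw, so
    # the first untrusted or unparsable hop ends the trustworthy part.
    current = peer
    for hop in reversed(xff.split(",")):
        ip = _parse(hop)
        if ip is None:
            break
        current = ip
        if not _is_trusted(ip):
            break
    return str(current)

if __name__ == "__main__":
    # Constructed inputs: a direct client spoofing the header, then the same
    # spoof arriving through a trusted proxy that appended the real peer.
    print(client_ip("203.0.113.7", "127.0.0.1"))
    print(client_ip("10.0.0.5", "127.0.0.1, 198.51.100.20"))
```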



