Readit News
wutwutwat commented on I run a full Linux desktop in Docker just because I can   howtogeek.com/i-run-a-ful... · Posted by u/redbell
happyman · 2 days ago
I run my server on a connection that's behind CGNAT and NAT by the home router. So, no option for me other than Chrome Remote Desktop. It also does P2P.
wutwutwat · 2 days ago
If you create an outbound tunnel, your options are whatever you want. NAT and CGNAT only affect inbound routing.

Check into Tailscale or Cloudflare Tunnels/Argo.

wutwutwat commented on One person was able to claim 20M IPs   lists.nanog.org/archives/... · Posted by u/speckx
Hikikomori · 9 days ago
Many are reserved, not in use or even advertised.
wutwutwat · 9 days ago
Yet they are still part of the “all ipv4” address space, so either the percentage is wrong or the use of “all” is a lie here.
wutwutwat commented on What is X-Forwarded-For and when can you trust it? (2024)   httptoolkit.com/blog/what... · Posted by u/ayoisaiah
knorker · a month ago
1. Have (and maintain!) a list of addresses you trust to not lie (e.g. your own proxy layers, Cloudflare's proxy IP list, Akamai, GCP LB, AWS LB, etc…)

2. If the connecting party (real TCP connection remote end) is in the trusted list, then take the rightmost address in XFF and set as remote end.

3. Repeat 2 until you get an address not in the trusted list.

4. That is now the real client IP. Discard anything to the left of it in XFF. (though maybe log it, if you want)

The article seems to forget the step of checking the real TCP connection remote address (from my skimming), which means that if the web server can be accessed directly, and not just through a load balancer that always sets the header, then the article is a security hole.

wutwutwat · 16 days ago
If you're not coming from a proxy and are hitting the app server directly, you'd use the connection info directly. Most servers and languages expose this as a variable called `REMOTE_ADDR`.

Deleted Comment

wutwutwat commented on OpenIPC: Open IP Camera Firmware   openipc.org/... · Posted by u/zakki
fragmede · 21 days ago
I think it's for the case of if you have a nice house and you have a party and people come over, and they bring people that you don't know over, and something goes missing, they want to be able to see who took it.
wutwutwat · 20 days ago
> I think it's for the case of if you have a nice house and you have a party and people come over

thought this was going down a P Diddy route there for a second

wutwutwat commented on What is X-Forwarded-For and when can you trust it? (2024)   httptoolkit.com/blog/what... · Posted by u/ayoisaiah
OutOfHere · a month ago
I see it as a tradeoff. By dropping the header, one maintains trust, but one loses the ability to geolocate.

Instead of dropping, I maintain a list of trusted proxies, and I remove them from the list instead at the application level. The rightmost or final value is then the client.

wutwutwat · a month ago
> By dropping the header, one maintains trust, but one loses the ability to geolocate.

Not dropping. Dropping what the client sent, and recreating it yourself, with the client connection's IP address. The IP can still be geolocated, as much as an IP address can be...

AS numbers have a very rough mapping to a very wide spot on a map, but they are not at all guaranteed to be accurate or up to date, and applied more so back when we had plenty of ipv4 space left and enormous blocks were held by giant companies.

Nowadays, IPv4 addresses are much more fragmented, globally, and an ASN might own an IP block that says the IP is in Utah, but it has since been leased out to some VPS provider who attached it to a load balancer running in a datacenter in Germany.

There are better headers (or better yet a combination of headers) that can be used to get the user's location, and their locale (yes, where you live or connect from doesn't at all mean you speak the native language in that region).

wutwutwat commented on What is X-Forwarded-For and when can you trust it? (2024)   httptoolkit.com/blog/what... · Posted by u/ayoisaiah
0points · a month ago
X-Forwarded-For lets us bypass geoblocking ;-)
wutwutwat · a month ago
A properly configured load balancer is going to drop this header if the client sends it, and then set it itself, with the request connection's IP being first, then the proxy IP being second. Every proxy after that should append its own IP to that header. Then finally, when the request reaches your app server, you should filter out your known proxy IPs to be left, hopefully, with just the IP address of the connection the request was forwarded for, which was not set via any client header and is not able to be spoofed.

I'm sure plenty of LBs/reverse proxies and app servers don't set things, establish trust, or filter the header properly though, because, people, but it is easy to lock down.

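Added example, not code from the linked article or from any commenter in this thread. It implements the trusted-proxy walk from knorker's four numbered steps earlier on this page, including the check that X-Forwarded-For is only consulted when the TCP peer (`REMOTE_ADDR`) is itself a trusted proxy, plus the proxy-side behaviour described in the comment just above (an edge proxy discards whatever the client sent and restarts the header from the connection address; interior proxies append the peer they saw). The trusted ranges and every address in the sample calls are constructed placeholders from the documentation blocks, not any provider's real list:

```python
"""Resolve the real client IP from the TCP peer address plus X-Forwarded-For.

Added example for the thread above; not the article's or any commenter's code.
  1. keep a list of proxy addresses/ranges you trust not to lie,
  2. only consult XFF when the TCP peer (REMOTE_ADDR) is in that list,
  3. walk XFF right to left while entries are trusted,
  4. the first untrusted entry is the client; everything left of it is discarded.
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed trusted list for this example (assumed; not any provider's real ranges).
TRUSTED_PROXIES: List[IPNetwork] = [
    ipaddress.ip_network("10.0.0.0/8"),       # assumed: our own LB / reverse-proxy tier
    ipaddress.ip_network("203.0.113.0/24"),   # assumed: an upstream CDN edge (TEST-NET-3)
]


def _parse(addr: str) -> Optional[IPAddress]:
    """Parse one address; return None for anything that is not a plain IP literal."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted(addr: IPAddress, trusted: Sequence[IPNetwork]) -> bool:
    # ipaddress returns False (no exception) when comparing a v4 address to a v6 net.
    return any(addr in net for net in trusted)


def resolve_client_ip(
    remote_addr: str,
    xff_header: Optional[str],
    trusted: Sequence[IPNetwork] = TRUSTED_PROXIES,
) -> Tuple[str, List[str]]:
    """Return (client_ip, discarded_hops).

    discarded_hops are the XFF entries to the left of the client: supplied by
    the client, unverifiable, and only worth logging.
    """
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError(f"REMOTE_ADDR is not an IP address: {remote_addr!r}")

    # Precondition for step 2: a peer outside the trusted list reached the app
    # server directly, so every XFF entry is attacker-controlled. Use the socket.
    if not is_trusted(peer, trusted):
        return str(peer), []

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    last_trusted = peer
    # Step 3: walk right to left. Each entry is the peer address observed by the
    # trusted proxy immediately to its right (or by the TCP peer itself).
    while hops:
        candidate = _parse(hops[-1])
        if candidate is None:
            # A trusted proxy reported a peer that is not an IP literal. A sane
            # proxy never does that; fail closed so the caller can reject the request.
            raise ValueError(f"unparseable hop from trusted proxy {last_trusted}: {hops[-1]!r}")
        hops.pop()
        if not is_trusted(candidate, trusted):
            # Step 4: the first untrusted hop is the client; the rest is discarded.
            return str(candidate), hops
        last_trusted = candidate

    # Header exhausted with every hop trusted (or no header at all): the request
    # originated inside the proxy tier, e.g. a health check or internal caller.
    return str(last_trusted), []


def proxy_forward_header(peer_addr: str, incoming_xff: Optional[str], *, edge: bool) -> str:
    """What a well-behaved proxy sends upstream as X-Forwarded-For.

    The edge proxy (first hop you control) discards whatever the client sent and
    starts the header from the connection's own address; interior proxies append
    the peer they saw. The app-side walk above relies on exactly that.
    """
    if edge or not incoming_xff:
        return peer_addr
    return f"{incoming_xff}, {peer_addr}"


if __name__ == "__main__":
    # Constructed chain: client 198.51.100.7 -> CDN edge 203.0.113.9 -> our LB 10.1.2.3 -> app.
    # The client injected "1.2.3.4" and the CDN appended rather than replaced.
    print(resolve_client_ip("10.1.2.3", "1.2.3.4, 198.51.100.7, 203.0.113.9"))
    # Direct hit on the app server: the header is ignored entirely.
    print(resolve_client_ip("198.51.100.7", "10.0.0.1"))
```

With the first sample call the walk skips the trusted CDN hop, stops at `198.51.100.7`, and hands back `["1.2.3.4"]` as the client-supplied part to log. The second call shows the point knorker raised: a peer that is not a trusted proxy gets its socket address used and its header discarded, so exposing the app server directly does not turn XFF into a spoofing vector.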
Dead Comment

wutwutwat commented on Steam, Itch.io are pulling ‘porn’ games. Critics say it's a slippery slope   wired.com/story/steam-itc... · Posted by u/6d6b73
Telemakhos · a month ago
> It's kinda the job of the government to decide such things;

In some countries, maybe. In the US, there were concerted attempts (like the First Amendment to the Constitution) to prevent that from being the government's job, because of the fear that government would use that job to suppress dissent and coerce opinions.

If payment processors are picking up that job, and doing so in a coordinated manner that doesn't allow porn companies to simply say "use these payment rails to do business with us, not those ones," it is not unreasonable to suspect that they are doing so not for their own business interests but as a proxy for powers that the government is denied. Someone should be taking a long look at whether the US-based payment processors are becoming a tool of censorship and, if so, how that censorship is being coordinated. It's not like Visa and Mastercard come up with these things independently and on a whim.

wutwutwat · a month ago
> that government would use that job to suppress dissent and coerce opinions.

Thank baby jebus that this sort of thing never happens. Can you imagine if our government were to, for instance, threaten to deport our own citizens, publicly, for disagreeing with the government. That would be a fucking shit show! Thank you, first amendment!

Deleted Comment

u/wutwutwat · Karma: 877 · Cake day: August 29, 2023