I was faced with a difficult configuration issue a few days ago with
another company's web service. In short, their web service requires the
user to log in on their page before their service can be used through
another application. During the login phase the remote server tries to
determine the visitor's ip-address and after that only allows the use of
the external application from that ip-address.

As most of us well know, there really is no reliable way to get the
visitor's ip-address through php or other server-side scripting.

Troubleshooting my connection issues I found out that our ISP is using a
completely transparent proxy in between. It does not add extra headers
to its requests, so the webserver has no idea it is actually fetching
the proxy's ip-address instead of mine.

Quite often proxies add the real ip-address in the request headers
($_SERVER["HTTP_X_FORWARDED_FOR"]), but my ISP's transparent proxy does
not do this. Obviously the service was unusable, and I know that there
would be other ways for the company to deal with the identification. I
finally got around the issue after using some ugly workarounds.
(The "livehttpheaders" Mozilla extension allows me to manually add
request headers to single page requests, although it is quite a lot of
work and has to be done manually for each request. My ISP's proxy seems to
pass these extra headers through untouched, so I was able to manually
define http_x_forwarded_for as my ip and got it all working, although
now this needs to be done with every login.)

While investigating the problem I came to face 2 questions that I would
like answers to.

1) Despite the completely transparent proxy, I found 2 pages on the
Internet that _did_ report my real IP-address despite the proxy in
between. These were www.whatismyip.com and checkip.dyndns.org. Any and
all other such pages always returned my proxy's ip-address instead. I
suspect that the two working sites use some much more sophisticated
technique for finding out my ip-address than just server variables or
headers, but I am unsure what that is (some kind of routing analysis
perhaps?). So _how on earth do www.whatismyip.com or checkip.dyndns.org
find out the real ip-address instead of the completely invisible proxy
in between_?

2) In the future, to make analysing similar problems easier, or to just
add depth to the experiments with web services, it would help a lot to
have an easier way to set request headers. Are there any other
extensions/plugins/software to edit my request headers than the Mozilla
livehttpheaders? It would be good if I could permanently set some
request headers that would always be applied to my requests, or applied
site-specifically.

Thanks in advance.
--
Suni
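
The trust problem behind this post, as an added example that is not part of the original message: the service accepted an X-Forwarded-For value typed in by the client. The sketch contrasts that behaviour with using the header only when the direct peer is a proxy the server trusts; the function names, the 10.0.0.0/8 trusted range and the sample addresses are assumptions, and the WSGI-style keys mirror the `$_SERVER` names in the post.

```python
import ipaddress

# Assumption: the only proxies this server trusts to set the header (constructed range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed request: peer is an unknown ISP proxy, header typed in by the client.
SPOOFED = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "198.51.100.23"}


def _parse(text):
    """Return an ip_address object, or None when the text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def naive_client_ip(environ):
    """Behaviour the post describes: believe X-Forwarded-For whenever it is present."""
    forwarded = environ.get("HTTP_X_FORWARDED_FOR")
    if forwarded:
        return forwarded.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def client_ip(environ, trusted=TRUSTED_PROXIES):
    """Use the header only when the TCP peer is a proxy the server trusts."""
    peer = _parse(environ["REMOTE_ADDR"])
    if peer is None or not _is_trusted(peer, trusted):
        return environ["REMOTE_ADDR"]  # header is client-controlled: ignore it
    candidate = peer
    # Walk right to left: each entry was appended by the hop to its right.
    for hop in reversed(environ.get("HTTP_X_FORWARDED_FOR", "").split(",")):
        addr = _parse(hop)
        if addr is None:
            break  # malformed entry: keep the last hop that parsed
        candidate = addr
        if not _is_trusted(addr, trusted):
            break  # first address not vouched for by a trusted proxy
    return str(candidate)


if __name__ == "__main__":
    print("naive:", naive_client_ip(SPOOFED))   # value chosen by the client
    print("strict:", client_ip(SPOOFED))        # address of the connecting peer
```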