Edi Weitz wrote:
> Er, if the proxies add to the end of the list (which I didn't take into account), it'd be better to return the first and not the last element of the list, right?
I've made a few tests with open proxies on the net.
Most, if not all, add to the end of the list, instead of replacing it.
Some don't bother to append/replace the list with the client address (I guess they would be called "anonymous") and some even append 127.0.0.1 or other internal addresses at the end, for whatever reason.
In any case, seeing as an X-Forwarded-For header is quite easy to forge, trusting the first element of the list doesn't make much sense.
I guess the only real use would be getting the n-th to the last item, to trim away n known (and trusted) proxies and get to the real client address, as seen by the proxy + Lisp image server setup.
Toby
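
The n-th-from-the-end selection described in this message, as an added Python example (not code from the thread or from the server under discussion). The function name, its parameters and the sample addresses are assumptions made for illustration; it assumes every trusted proxy appends the address it saw and that the application server is reachable only through those proxies.

```python
import ipaddress

def client_address(peer_addr, xff_values, trusted_hops):
    """Return the client address as seen by the outermost trusted proxy.

    peer_addr    -- socket peer address of the connection to the app server
    xff_values   -- X-Forwarded-For header values, in arrival order
    trusted_hops -- number of trusted proxies in front of the app server (n)
    """
    if trusted_hops <= 0:
        return peer_addr  # no trusted proxy: the header carries no weight
    # Several header lines are equivalent to one comma-separated list.
    entries = [e.strip() for v in xff_values for e in v.split(",") if e.strip()]
    if len(entries) < trusted_hops:
        # Shorter than the trusted chain: a proxy did not append, or the
        # request bypassed the chain. Only the socket peer is known.
        return peer_addr
    # The last n entries were appended by the n trusted proxies; the n-th
    # from the end is what the outermost one saw. Everything before it was
    # supplied by the client side and may be forged.
    candidate = entries[-trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_addr  # "unknown", host names and other junk

# Constructed sample requests (documentation address ranges), n = 2:
# client -> proxy A (192.0.2.10) -> proxy B (192.0.2.20) -> app server
PEER = "192.0.2.20"
SAMPLES = {
    "honest":  ["203.0.113.7, 192.0.2.10"],
    "forged":  ["127.0.0.1, 198.51.100.9, 203.0.113.7, 192.0.2.10"],
    "split":   ["198.51.100.9", "203.0.113.7, 192.0.2.10"],
    "short":   ["203.0.113.7"],
    "garbage": ["unknown, 192.0.2.10"],
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name:8} -> {client_address(PEER, headers, 2)}")
```
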