←back to thread

A New Future for Icanhazip

(major.io)
980 points nkcmr | 10 comments | 06 Jun 21 19:21 UTC | HN request time: 1.42s | source | bottom
1. ColdHeat ◴[06 Jun 21 20:06 UTC] No.27415866[source]
I used to use this site until I found https://checkip.amazonaws.com/. Switched because I wasn't sure who was behind icanhazip.com and it's tough to beat AWS. Glad to hear that it will likely be maintained for awhile longer!
replies(2): >>27415952 #>>27416424 #
2. madars ◴[06 Jun 21 20:18 UTC] No.27415952[source]
Something to be aware of: checkip.amazonaws.com will happily return an X-Forwarded-For address https://stackoverflow.com/questions/52618096/under-what-circ...
replies(1): >>27416056 #
3. kortilla ◴[06 Jun 21 20:32 UTC] No.27416056[source]
Use https
replies(1): >>27416225 #
4. lucb1e ◴[06 Jun 21 20:52 UTC] No.27416225{3}[source]
That has nothing to do with an HTTP header. See for yourself:

    $ curl -HX-Forwarded-For:127.0.0.1 https://checkip.amazonaws.com
    127.0.0.1
replies(3): >>27416246 #>>27416267 #>>27481936 #
5. gruez ◴[06 Jun 21 20:56 UTC] No.27416246{4}[source]
I think the point is to prevent middleboxes (eg. caching proxy servers) from interfering with the request. Otherwise I don't really see the issue with the ip address being affected by X-Forwarded-For. You can just... not specify the header.
6. thewakalix ◴[06 Jun 21 20:59 UTC] No.27416267{4}[source]
HTTPS encrypts headers, thereby preventing other people from adding headers to your request. Typically people are not adding X-Forwarded-For to their own requests.
replies(1): >>27416582 #
7. epse ◴[06 Jun 21 21:18 UTC] No.27416424[source]
Does that one only do IPv4?
replies(1): >>27418164 #
8. lucb1e ◴[06 Jun 21 21:39 UTC] No.27416582{5}[source]
I'm not arguing either point, I just pointed out that headers are independent of whether you use encryption. But now that I'm thinking about it for a sec, you might want to know what the proxy's exit IP is, and if the proxy adds an XFF Header then you just learn your own IP which wasn't what you wanted. If that is what GGGP meant.
9. bombcar ◴[07 Jun 21 01:55 UTC] No.27418164[source]
Seems so. But ipv6 is much more likely that your local address IS your global one though translation still can occur.
10. kortilla ◴[12 Jun 21 05:54 UTC] No.27481936{4}[source]
Headers don’t get injected on you unexpectedly if you encrypt.