[SunanBlog Introduction]
I did some research on custom HTTP protocol data a few days ago. I suggested using a proxy server to forge the IP address, but later I found that you can in fact add an option to the HTTP headers to forge the IP address. How can this be understood? The reasons are as follows:
I. Method Overview
Add the option "X-Forwarded-For" to the HTTP request headers, for example "X-Forwarded-For: 202.204.76.254". A request sent this way is special: from the recipient's perspective, it looks like a request relayed by a proxy server, and the actual IP address of the sender appears to be "202.204.76.254". The TCP three-way handshake is still completed normally; it is only the request sent afterwards that names a third party to the recipient.
II. Scope of Application
Website programs that restrict access by IP address will generally check whether the request was sent through a proxy server. If it was, the IP address is recorded as the X-Forwarded-For address supplied by the (transparent) proxy server.
Take a popular PHP IP detection function as an example:
    function get_ip() {
        // Headers set by the client are consulted before the TCP peer address.
        if (getenv('HTTP_CLIENT_IP')) {
            $gb_ip = getenv('HTTP_CLIENT_IP');
        } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
            $gb_ip = getenv('HTTP_X_FORWARDED_FOR');
        } elseif (getenv('REMOTE_ADDR')) {
            $gb_ip = getenv('REMOTE_ADDR');
        } else {
            $gb_ip = $_SERVER['REMOTE_ADDR'];
        }
        return $gb_ip;
    }
From this code we can see how the IP address is forged.
III. Countermeasures
Of course, most websites do not see many forged IP addresses, but if you run a voting program you do need to check these IP addresses. Check HTTP_CLIENT_IP. It seems that there is no way to forge this?
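A hardened counterpart to get_ip() for the voting case, as an added example that is not code from the original post. PHP fills every HTTP_* variable from a request header, so HTTP_CLIENT_IP (the Client-IP header) is client-supplied just like HTTP_X_FORWARDED_FOR; only REMOTE_ADDR comes from the TCP connection. The function name client_ip(), the TRUSTED_PROXIES list and all addresses other than 202.204.76.254 are assumptions made for illustration, as is the premise that your own reverse proxy appends the address it saw to X-Forwarded-For.

```php
<?php
// Added example. Assumption: these are the site's own reverse proxies (constructed addresses).
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Return the address to use for vote counting or IP restrictions.
// $server is normally $_SERVER; it is a parameter so the logic can be run offline.
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    // REMOTE_ADDR is the TCP peer, the one value a request header cannot set.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted, true)) {
        // Direct connection: X-Forwarded-For and Client-IP are ignored entirely.
        return $peer;
    }
    // The peer is our own proxy. Read the chain right to left: the first hop
    // that is not one of our proxies is the address our proxy actually saw.
    // Anything to the left of it was supplied by the client and is not used.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // empty or malformed entry: stop trusting the header
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed requests covering the cases discussed in the post.
$cases = [
    'direct, forged headers' => [
        'REMOTE_ADDR' => '198.51.100.7',
        'HTTP_X_FORWARDED_FOR' => '202.204.76.254',
        'HTTP_CLIENT_IP' => '202.204.76.254',
    ],
    'via own proxy' => [
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.7',
    ],
    'via own proxy, forged entry prepended' => [
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '202.204.76.254, 198.51.100.7',
    ],
];
foreach ($cases as $name => $server) {
    printf("%-40s => %s\n", $name, client_ip($server));
}
```

If the site is not behind any proxy of its own, leave the trusted list empty so that only REMOTE_ADDR is ever used.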
IV. Overall View
This method cannot really be called IP address forgery. It mainly exploits a flaw in the way most website programs detect IP addresses. So if website programs review their IP detection method, this method will gradually stop working. Haha.
Update: 080108
Sunan has noticed that every day someone reaches this blog via a search engine.
Presumably everyone is skeptical about its validity after reading it, to say nothing of evidence.
It has proven valid after multiple tests.
Update: 080116
I have implemented it in the following languages: PHP, C#, and C++.
Others are not tested. Haha. In addition, PHP is very inefficient. Haha.
No matter what language you use, for the counterfeit IP address to take effect, the following conditions must hold:
1. The other party (the side that receives the forged IP address) is a web program, and its IP address detection has the problem described above.
2. The X-Forwarded-For header is forged in your POST or GET request.
Generally, it will succeed.