
> The second problem is that some of the details are impossible, such as seeing the IP address in the "packet headers".

If the frontend server in Germany is reverse proxying through to the backend server in Iceland, then sure, a user is not going to see the Icelandic server's IP in the source IP field of the packets. But I don't see this as definitive proof of the FBI's assertion being a flat out lie. The IP could easily have been exposed in the packet body.

What happens if you visited the captcha URL with an HTTP/1.0 request without a Host header? If the resulting URL generated any self-referential links, what did they use as the hostname? If the Host header is available the norm is to use this, but if not then the script may use the server's FQDN or IP address. If it sent a 301/302 redirect in the HTTP response headers, then that _must_ contain a hostname according to the RFC (it shouldn't be relative), so what was used there? There's nothing in the nginx config that rewrote such response headers.

What happens if you make malformed requests to the captcha URL? Do you get an error page with the IP address embedded, or something that references an object hosted on the IP?

These are just two possibilities, and yes, neither would lead to the IP being exposed in the 'packet headers'. But it's very feasible for it to be exposed in the packet body, so it seems silly to hang the entire argument on the basis that one word is correct, without considering the alternatives.
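A self-audit for the two leak paths this comment describes (an HTTP/1.0 request with no Host header, then checking whether the reply carries an IP literal in its Location header or body). This is an added example, not code from the thread; the sample responses and the 203.0.113.7 address are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample: a backend whose redirect logic falls back to its bound
# address when the request carries no Host header.
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://203.0.113.7/captcha/?sid=42\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample: an error page whose body references an object on the IP.
SAMPLE_ERROR = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b'<html><body><img src="http://203.0.113.7/static/error.png"></body></html>'
)

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _is_ipv4(candidate: str) -> bool:
    """Reject dotted strings such as version numbers with octets above 255."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def http10_probe_request(path: str) -> bytes:
    """Build the self-audit request: HTTP/1.0 and deliberately no Host header."""
    return f"GET {path} HTTP/1.0\r\nConnection: close\r\n\r\n".encode()


def find_ip_leaks(raw_response: bytes) -> List[Tuple[str, str]]:
    """Return (where, ip) pairs for IPv4 literals in an HTTP response.

    'where' is the header name for a header leak (e.g. Location) or 'body'.
    Note that none of these are packet headers: they live in the HTTP payload.
    """
    head, _, body = raw_response.partition(b"\r\n\r\n")
    leaks: List[Tuple[str, str]] = []
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        leaks += [(name.strip(), ip) for ip in _IPV4.findall(value) if _is_ipv4(ip)]
    body_text = body.decode("latin-1", "replace")
    leaks += [("body", ip) for ip in _IPV4.findall(body_text) if _is_ipv4(ip)]
    return leaks


if __name__ == "__main__":
    for sample in (SAMPLE_REDIRECT, SAMPLE_ERROR):
        print(find_ip_leaks(sample))
```

Run `find_ip_leaks` over responses captured from your own origin (reached directly, not through the proxy) to confirm the backend never names its own address.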

In both the cases you cite would there be a trail of those requests in the server log files? If so they could have been (or will be) pointed to by the prosecution. Since the prosecution has an image of the server they should be able to demonstrate the point if needed. If they can't then I think it casts doubt on their story.


You'll see the requests in nginx's access logs, but it might be very hard to isolate them. These would not show the response data (only the length and the response code).

But you're right, I'd expect that whatever tactic they used, the prosecution should be able to demonstrate in far more depth how the IP leaked.


It was no image - it was a tarball with some highly suspect mtimes.


> The IP could easily have been exposed in the packet body.

Which would make the FBI's assertion that they found the IP address in the packet headers a flat out lie...
