I am working on a rest api.
That api is used by my website and the website is used by various users. I want to restrict the api access only to my website ( no other website should be able to access that rest api ) so for that I want to whitelist my domain name on the basis of the ip of the domain name
My goal is to find the ip of domain name requesting my ip not the ip of the users accessing my domain.
How can I achieve it in nodejs?
See Getting HTTP headers with node.js
You should be able to use the referer data in the header to check where the request is coming from.
From your API's viewpoint the IP of the request won't really be different from a server vs. a client. Although, other than some HTTP header variables.
You could simply check all the IPs of incoming requests for your "secured" endpoint and check it against a whitelist of all your server IPs.
Personally, I'd probably use ssl between servers.
Related
I am creating a project for school, and I need to create a backend in spring boot and a frontend in vanilla JS +HTML+ CSS. Since both are on localhost but on different Origins namely on port 8080/5500 respectively ,I am having some issues with CORS in that my cookies are not saved in the browser so no session is created between backend and frontend. This leads to the problem that after login in I will not be able to access securised endpoints because it will require me to log in again since no session is established.
What solution do I have for making this work / saving the cookies?
Further I will give several details and images about the issue that I have.
The backend uses MySQL, spring boot and RestControllers. It basically is a simple CRUD that I also added spring security to. Now this is how my Spring Config looks like
and this is how my CORS config looks like
and this is how my fetch request looks like in the frontend.
Also the request to /save
The flow is as follows : I make a request to /login, than I should be able to use the /save endpoint. This works flawlessly on postman since accessing /save works only after /login was successfully otherwise I get unauthorized, but it does not work in the browser because the cookie that is send with the first response is not saved as below. In the following image the response provides the JSESSION cookie after successfully authentication.
But then when I check cookies section, the cookie is not there.
And when I make a request to the /save endpoint I get the following issue
I also tried the answer over here How to set cookie domain and path with Spring boot but cookies are still not saved.
The browser refuses to allow a URL whose host is [::1] to set a cookie with a Domain attribute of 127.0.0.1. Why? Simply because, even though [::1] is the IPv6 equivalent of 127.0.0.1, the latter doesn't domain-match the former.
Anyway, why would you want to set a cookie with an IP address for the Domain attribute? You seem to be misunderstanding the purpose of that attribute; read what the MDN Web Docs page entitled Using HTTP Cookies has to say about it:
The Domain attribute specifies which hosts can receive a cookie. If unspecified, the attribute defaults to the same host that set the cookie, excluding subdomains. If Domain is specified, then subdomains are always included. Therefore, specifying Domain is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.
In your case, the host of the URL that sets the cookie is an IP address and not a domain. Therefore, specifying a Domain attribute for that cookie is pointless, simply because an IP address doesn't have subdomains.
For example i send a request to https://www.w3schools.com/ which is showed Remote Address: 192.229.179.87:443 on Inspect tools, can i get that ip in js?
An IP address or Internet Protocol is used in hand with TCP(Transmission control protocol) to identify and share information between computers on the internet. Because it would be a very hard job for humans to keep IP's of various servers in the head, all IP addresses are saved on a DNS server together with their domain names. Hence, whenever you make a request to a site in your web browser, the web browser first visits a DNS server to fetch the IP address corresponding to your domain before making a direct request to the server. Hence there is no Javascript code or command to generate IP addresses from domain names. Hence to accomplish this, you'll have to use an API which will do all the hard work for you.
Check this question for some API's : API's for getting IP
I am looking to use a JSON API that requires that I enter a set of specific IP addresses to allow access to in order to obtain an API key. However, I use a web host that uses a CDN (It should also be noted that I cannot modify any server-side code), so I cannot get a static IP address for my website's server. Is there any way for me to get around this? Is there a way for me make the GET requests to the API through a server with a static IP address that will then relay the request response to the client?
You can setup an reverse proxy on a server with static IP for that (e.g use NGINX). You can easily find some examples on Google like this
The "server with a static IP address" you need is named a reverse-proxy server.
You can install such a server on any cloud Linux or Windows instance: just install Apache according to the following documentation: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
For an Angular 1 app I am working on, cookie authentication is used. The problem is: when making OPTIONS calls, cookies are not sent and the server tries to redirect user to login again. Just wondering, whose "fault" is it? Server (Azure API Apps) or frontend? If frontend, how do I send cookies on OPTIONS call? I am using augular-resource and have configured it as below:
$httpProvider.defaults.withCredentials = true
The specification says:
Otherwise, make a preflight request. Fetch the request URL from origin source origin using referrer source as override referrer source with the manual redirect flag and the block cookies flag set, using the method OPTIONS, and with the following additional constraints … Exclude user credentials.
and also
The term user credentials for the purposes of this specification means cookies, HTTP authentication, and client-side SSL certificates that would be sent based on the user agent's previous interactions with the origin. Specifically it does not refer to proxy authentication or the Origin header.
So the client should not send cookies, and the server should be able to respond to the preflight request without requiring authentication to take place first.
I have a webapp that uses a lot of images which are cached through CloudFront. Some users complain that the load time is excruciatingly slow, So I want to build a diagnostic page on the site that will do a speed test by loading a few images and reporting the time. I also want to report the users IP address (which I can easily get from php when they load the page), but I also want to show the IP address that they are getting for the cloudfront server.
I know that if I run:
dig subdomain.cloudfront.net
I get several IP addresses. If an app (browser, QT app, mobile app) is running simultaneous connections to subdomain.cloudfront.net, does it always use the first IP first and use the others only if it fails?
And is there any way from within the browser that I can get these IP addresses as they are from the client users system? It's my understanding that they will get a different list of IPs based on their IP address.
If this is not possible from within the browser, is there any type of request that I could send to the cloudfront server that would include it's IP address in the response?
does it always use the first IP first
Most modern DNS resolvers and authoritative servers will randomise the order of the IP addresses -- more precisely, the set of A records for a given domain name.
So, "first IP" really isn't deterministic at all.
and use the others only if it fails?
Obviously this is very browser-dependent. Most modern browsers do handle it by retrying the other IPs. I wouldn't count on it though.
is there any way from within the browser that I can get these IP addresses as they are from the client users system?
From Chrome devtools network panel, you can see the address that the browser connected to in the "Remote Address" field of a request. However, I'm not aware of any way to access that from Javascript on a page.
It's my understanding that they will get a different list of IPs based on their IP address.
Yes.
is there any type of request that I could send to the cloudfront server that would include it's IP address in the response?
Not that I know of. However, you might be able to reverse engineer the Via or X-Amz-Cf-Id response header? At a cursory glance, both are unintelligible to me after hex or base64 decoding.
That said, there is a trick that you might be able to use, i.e. that you could setup a URL prefix in your distribution that forwards the requests to your server running PHP. You then point your users to a URL that would result in a request that gets forwarded to your PHP script. In your PHP script, examine the X-Forwarded-For header, which should include a Cloudfront IP.