Can I use IP addresses to limit API access - api

I have a mini API that is only for an app I have built. The API service is on a separate domain from my app. I make jsonp calls to it and receive json in return.
Therefore I only want my app to be able to access it. Can I just list a series of IP addresses for my app and allow them? Is there a better way to stop requests from anyone else to my API?

The best way to implement IP-based filtering would be at the web-server level. Here's a brief introduction to access control with Apache, if that happens to be your web server.

If the IP stays the same throughout time, yes, this is a valid idea. Another way would be with an id and a key, if you expect further usage from other (dynamic) IP addresses.

What operating system is the API service running on? If it's Linux, look into iptables to only allow a certain IP to access a specific port.

Honestly, I wouldn't go with an IP-based solution. While it may work in the short term, it will make things hard in the future. For example, what if your IP provider decides to do a reset? Most likely (unless you have explicitly established the need for a static IP with your provider) your IP will change. Then your program will error and you won't know why (or worse, you won't know that a computer is now disconnected). Furthermore, if you want to add machines, think about managing 1000 IPs... yikes! The 'right' way of doing this would be to authenticate the machines using some other scheme (user/pass, PKI, etc.)
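To make the two options in this thread concrete, here is an added example (not code from any of the posters): a peer-address allow-list check with CIDR support, and the "id and a key" alternative as an HMAC-signed request with a timestamp to limit replay. The networks, client id and secret are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed sample allow-list: the app servers' addresses (RFC 5737 documentation ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed sample credentials for the id-and-key alternative.
API_SECRETS = {"my-app": b"constructed-shared-secret-change-me"}


def ip_allowed(remote_addr, allowed=ALLOWED_NETS):
    """True if the socket's peer address falls inside an allowed network.

    Use the real peer address, never a client-supplied X-Forwarded-For header,
    unless the API sits behind a reverse proxy you control that rewrites it.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def sign_request(client_id, method, path, body, timestamp):
    """HMAC-SHA256 over method, path, timestamp and a body digest, keyed by the client secret."""
    secret = API_SECRETS[client_id]
    msg = "\n".join([method.upper(), path, str(timestamp)]).encode() + hashlib.sha256(body).digest()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(client_id, method, path, body, timestamp, signature, now=None, max_skew=300):
    """Server-side check: known client, fresh timestamp (bounds replay), matching signature."""
    if client_id not in API_SECRETS:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_request(client_id, method, path, body, timestamp)
    # Constant-time comparison so the check does not leak how many hex digits matched.
    return hmac.compare_digest(expected, signature)
```

The signed-request variant keeps working when the caller's IP changes, which is the failure mode the last answer warns about.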

Related

WebRTC on local network

I'm new to WebRTC and I was wondering if it's possible to have a WebRTC application on a local network without the need for signaling, since we have the IP addresses of all members on the network, and if so, how should I use RTCPeerConnection to create an offer?
Thank you
No it is not possible.
Signalling is for more than just exchanging IP addresses. The clients also exchange information about media types and codecs.
You could possibly do some of the exchange via hard-coding. But you would basically need to go through the whole negotiation, logging out all the candidates, offer, and answer. Even then I don't know if it would work the second time (with everything hardcoded). It also wouldn't work if you ever wanted to change media. It would be an interesting experiment... but probably a huge waste of time.
It can be done! But kradical is right, there will need to be some configuration ahead of time. Check out pion/offline-browser-communication.
Here are the things you need to worry about
You don't need to hardcode IP addresses anymore thanks to mDNS candidates. If you know the hostnames of the two computers, they can both change IP addresses and still be able to connect.
You need to know the DTLS certificate and ICE credentials ahead of time. If you look at the repo I shared you can see how it is done there. I did Go <-> Browser because it is the Open Source project I work on, but it can easily be Browser <-> Browser as well.
I would connect with only a DataChannel at first, and then re-negotiate with all the details around media (tracks you wish to send and supported codecs)

How to tell browser to use specific interface, ignore routing

Is it somehow possible to tell the browser to choose a specific interface and ignore the Windows routing table?
I have the following problem:
I have a PPP dial-up, where I have to access some https websites, if I make my standard gateway point to this PPP interface, I can access the website.
But I don't want to add a specific route, as I connect to different devices, and all have different IP addresses, so it is also possible that my local LAN interface, where I have my internet access, has the same IP address as the remote https address I need to connect to.
So I think the only way would be to somehow tell the browser to use a specific interface for all the traffic. Is this somehow possible, or possible with VB.net programming?
"Is it somehow possible to tell the browser to choose a specific interface and ignore the Windows routing table?"
No. As an application, the browser relies entirely on the OS's network stack to establish communication.
The point of a network is to allow many-to-many communication. So, if you do it right, you can use a single network adapter to communicate with hundreds or even thousands of other nodes at the same time.
You could use a NIC to establish a PPPoE session to the Internet while at the same time communicating with your local network. However, this in turn requires you to connect the modem to the LAN as well which is not a good idea - you should either use two separate NICs or an Internet router.

How to check if DynDNS is working

Newbie programmer here. I'm building an app for an API that requires an IP address for authentication. Basically, users have to send the API management their IPs and then each time a computer makes a request to their server, it verifies whether it's coming from a registered IP.
Since I work in a number of different places and thus end up with different IPs, I thought it would be easiest to use DynDNS to establish a URL that points to whatever my current IP is and then send that URL to the API management. So my first question is if this approach would in fact work?
Secondly, assuming this would work, I set up ben.dynalias.com and downloaded the DynDNS Updater client. It appears to be working: the updater says status: OK and displays my current IP. However, when I navigate to the URL (ben.dynalias.com) there's no response. Should this be the case? How can I tell if it's working?
I don't see any reason it shouldn't work as long as your updaters aren't overwriting each other by running at the same time automatically from different locations.
You can ping ben.dynalias.com and see if your current IP matches.
I just hosted ben.dynalias.com and it gave me your IP.
Since there is no web server running on that IP, then your browser will not be able to show you a page result.
You can use http://www.kloth.net/services/nslookup.php
to check and see if you get the correct IP from a host lookup.
Depending on how often your IP changes, this might not be a great solution, as DNS will cache your hostname and will not try to resolve it again until the TTL expires, normally a minimum of 1 hour.
Whether the API management accepts a hostname instead of an IP address is a question only they can answer. Some will, many won't, as it's "easier" to hijack a domain name than to hijack an IP address.
Trying to browse to you-address.dynalias.com that points to your own public address rarely works, even if you opened up the right ports, because your router will be highly confused. The best way to test such a setup is by using a phone or tablet with 3G/GPRS internet, of course after you set up port forwarding in the router to point the appropriate port to your computer.

Create a custom proxy server app

A friend of mine asked me this, and I had not much of an idea about it.
So, here I am asking you:
A custom application that works like a proxy server (not the complete version of it), i.e. the app allows you to specify some websites that the users of the network can visit in their client browsers.
I have some idea, that this functionality is inbuilt in a proxy server and we can use Apache as a proxy server, but I don't know how to do it.
Can I develop such an application in Java, Ruby, or .NET, because that will allow me to use a database to maintain the list of allowed and blocked websites, and I can provide an easier UI to add or modify data?
Help me, I am quite confused.
Any proxy server has this functionality. For example using squid, you can set it to default deny any requests and only allow specific sites. However if that's the only goal, you may want to consider denying requests to port 80 and only allow specific IP ranges in your firewall instead.
Both options work though. The firewall option is faster and cannot be bypassed by the browser, but is less dynamic (DNS resolving only happens on rule start/reload) and may allow more sites than intended if one IP hosts more than one site.
You should probably ask your friend what his/her non-technical goals are. Like "I don't want my daughter to surf porn" rather than "I need an app that blocks sites".
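As an added illustration of the allow-list logic such a proxy needs (not code from the answer or from squid), here is the host-extraction and matching step for the two request shapes a browser sends to a proxy, plus a constructed resolver table that shows the shared-IP limitation of the firewall alternative. The domain list and DNS entries are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed allow-list, as it might be loaded from the database the question mentions.
ALLOWED_DOMAINS = {"example.com", "docs.example.org"}


def request_host(request_line):
    """Extract the target host from a proxy request line.

    Browsers send absolute URLs for plain HTTP ("GET http://host/path HTTP/1.1")
    and "CONNECT host:443 HTTP/1.1" to open an HTTPS tunnel.
    """
    parts = request_line.split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname
    # Normalise case and a trailing dot so "Example.COM." matches "example.com".
    return host.lower().rstrip(".") if host else None


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """Allow a listed domain and its subdomains; label-wise match so 'notexample.com' is rejected."""
    if not host:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in allowed for i in range(len(labels)))


def proxy_decision(request_line):
    """Default deny: anything that fails to parse or is not listed is refused."""
    return host_allowed(request_host(request_line))


# Constructed resolver table: two sites on one shared address cannot be told
# apart by an IP-based firewall rule, which is the caveat the answer raises.
SAMPLE_DNS = {"example.com": "203.0.113.10", "other.example": "203.0.113.10"}


def ip_rule_allows(host, allowed=ALLOWED_DOMAINS, dns=SAMPLE_DNS):
    """Simulate a firewall that allowed the IPs of the listed domains at rule-load time."""
    allowed_ips = {dns[d] for d in allowed if d in dns}
    return dns.get(host) in allowed_ips
```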

Unique identification of a certain computer

I have the following scenario and can't seem to find anything on the net, or maybe I am looking for the wrong thing:
I am working on a web-based data storage system. There are different users and different places and only certain users are allowed to access certain parts of the system. Now, we do not want them to connect to these parts from home or with a different computer than they are using at their work-place (there are different reasons for that).
Now my question is: if there is a way to have the work-place PC identify itself to the server in some way over the browser, how can I do that?
Oh and yes, it is supposed to be web-based.
I hope I explained it so everyone understands.
Thanks for your replies in advance.
... dg
I agree with Lenni... IP address is a possible solution if they are static or the DHCP server consistently assigns the same IP address to the same machine.
Alternatively, you might also consider authentication via "personal certificates" ... that's what they are referred to as in Firefox, don't know if that's the standard name or not. (Obviously I haven't worked with these before.)
Basically they are SSL or PKI certificates that are installed on the client (user's) machine that identify that machine as being the machine it says it is -- that is, if the user tries to connect from a machine that doesn't have a certificate or doesn't have a certificate that you allow, you would deny them.
I don't know the issues around this ... it might be relatively easy for the same user to take the certificate off one computer and install it on another one with the correct password (i.e. it authenticates the user), or it might be keyed specifically to that machine somehow (i.e. it authenticates the machine). And a quick google search didn't turn up any obvious "how to" instructions on how it all works, but it might be worth looking into.
---Lawrence
Since you're going web based you can:
Examine the remote host's IP Address (compare it against known internal subnets, etc)
During the authentication process, you can ping the remote IP and take a look at the TTL on the returned packets, if it's too low, then the computer can't be from the local network. (of course this can be broken, but it's just 1 more thing)
If you're doing it over IIS, then you can integrate into SSO (probably the best if you can do it)
If it's supposed to be web-based (and by that I mean that the web server should be able to uniquely identify the user's machine), then your choices are limited: per se, there's nothing you can obtain from the browser's headers or request body that allows you to identify the machine. I suppose this is by design, due to the obvious privacy implications.
There are choices though, none of which is pain-free: you could use an ActiveX control, which however only runs on Windows (and not on all browsers I think) and requires elevated privileges. You could think of a Firefox plug-in (obviously Firefox only). At any rate, a plain-vanilla browser will otherwise escape identification.
There are only a few REAL solutions to this. Here are a couple:
Use domain authentication, and disallow users who are connecting over a VPN.
Use known IP ranges to allow or disallow access.
IP address. Not bombproof security but a start.