Intranet login/domain - vb.net

If a user navigates to my webpage how can I programmatically determine they are accessing my page from within the Intranet? (Not interested in NTLM or Windows forms authentication. Need a programmatic method.)

You can read the IP address out of the Http request and then check that address against the range that is the local intranet.

Consider these two snippets for obtaining the client's IP address:
HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"]
or
//this is a wrapper for REMOTE_ADDR:
HttpContext.Current.Request.UserHostAddress
If it falls within 10.x.x.x, or 192.168.x.x, then you know your visit is from the inside.
Otherwise, you could check the URL for a known good server name or alias:
HttpContext.Current.Request.ServerVariables["SERVER_NAME"]

Proxy or API Key redirect for URL

I have a requirement to set up a restriction to a public url/website. Unfortunately I do not have access to this server myself. My question would be if there is an API server I can host on e.g. Azure on which I can create API/URLs (maybe also with time limit) which I can enable and/or disable. These generated URL should simply redirect to the other URL.
See example image.
Many thanks

Authenticate before Hitting External URL

I have a site hosted publicly with quite a complex name (including a GUID), let's say Site_1, and I have another site hosted publicly on IIS with a user-friendly name, let's say Site_2. I want to redirect requests coming to Site_2 for a specific path to Site_1, without showing the address of Site_1 in the URL, instead showing the URL for Site_2.
On top of that I want to do an authentication before somebody can hit Site_1, either via Site_2 or via copy-pasting a URL for Site_1.
One of the solutions that I have applied and achieved successfully is using an NGINX reverse proxy and its basic or external authentication.
I am looking for an example of doing the same in IIS or any other platform, or any coding that needs to be done at Site_2.

How to allow the application visible only through some IP?

I'm developing a Windows application, using Eclipse, Tomcat server and Struts2.
I am using LDAP verification to log in.
I only want to allow specific people to view my application, i.e. a person with IP 173.12.12.12 can view it, while 173.12.12.72 should not.
How should I do this?
Also, if someone enters an ID which is disabled, the application should not work on his terminal anymore. How should I do this?
If you want to handle your IP address whitelist within your web application (e.g. in a database), you can detect the user's IP address server-side by reading the X-Forwarded-For HTTP header from the request.
If you want to handle your IP address whitelist within your application server (in this case, Tomcat), you must put a RemoteAddrValve in your context.xml (source).
Both these methods work, but both fail at detecting real IPs in case of IP spoofing. It's naive for a malicious user to spoof their own IP address, for example with curl, or with a Firefox add-on like anonymoX.
You shouldn't rely on IP address to protect your system. But you can use them to enhance the user experience to your authenticated, trusted users... once they're in, you can assume they're not malicious and start profiling their devices by IP to provide targeted functionalities.
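An added example (not code from either answer above) showing the intranet check from the first question together with the X-Forwarded-For caveat from this one: the header is honoured only when the TCP peer is a known reverse proxy, and the client address is then the rightmost entry not belonging to a trusted proxy, since anything to its left could have been supplied by the client. The proxy address is constructed, and the private ranges extend the first answer's list with 172.16.0.0/12.

```python
import ipaddress
from typing import Optional

# Assumed address of the reverse proxy in front of the app (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

# RFC 1918 ranges plus loopback; the first answer lists only 10/8 and
# 192.168/16, the 172.16/12 block is added here for completeness.
INTRANET_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(remote_addr: str, xff: Optional[str] = None):
    """Return the client address the application should trust.

    remote_addr is the socket peer (REMOTE_ADDR / UserHostAddress); xff is the
    raw X-Forwarded-For value, if any. A header presented by an untrusted peer
    is ignored outright, because the client controls it.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer) or not xff:
        return peer
    hops = [h.strip() for h in xff.split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: fall back to the socket address
        if not _is_trusted_proxy(addr):
            return addr  # first hop (from the right) not added by our proxies
    return peer  # header listed only our own proxies


def is_intranet(remote_addr: str, xff: Optional[str] = None) -> bool:
    """True when the effective client address is inside the local ranges."""
    client = effective_client_ip(remote_addr, xff)
    return any(client in net for net in INTRANET_RANGES)
```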
If it is a range of IPs, fetch the IP value from a property file and verify against it.
If it is a single value, fetch the value from the database assigned to users and verify against it.

Should I allow viewing my website by entering the IP in url bar

Should I allow viewing my website by entering the IP in the URL bar? That means that instead of writing site.com in the browser, I write the IP of the website.
Example:
This IP, 85.17.159.246, is not accessible if you put it in the browser bar. But the website hosted on it, azlyrics.com, is available.
Google, on the other hand, allows viewing its website via direct IP; for example, if you use 64.233.165.190 in your browser it will show Google's website.
Is it bad to allow that? Is it good? Why?
In the past I've read that it is not a good idea to allow this, but now I really don't know how to search for this, as all the results on Google return irrelevant pages.
If it is not a good idea, how can I block it? (without blocking the website url, of course)
We do have domain names for a reason; it brings several nice benefits, such as being able to move your site to a new IP while keeping the same domain name. Also, when using domain names you can have multiple websites on a single IP.
It's not bad. But an IP can only "host" one site. This works for Google, since they'd only be serving up google.com content anyways. But consider a shared server with (say) 50 different sites on it.
When you punch in http://example.com, your browser will hit example.com's IP and include a Host: example.com in the request's HTTP headers. That lets the server identify which of its sites you're requesting.
But if you hit the server's IP directly, there's no Host: header, and now Apache has no idea which of the sites you really want.
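An added example (not from any answer above) of the Host-header dispatch just described, written as a small request-head parser: a name in the vhost table maps to a site, while a missing Host (HTTP/1.0 or a raw connection) or a bare IP literal returns None, which is the hook for answering a direct-IP visit with a 404 or 421 instead of serving a default site. The vhost table is constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed virtual-host table: Host name -> document root.
VHOSTS = {
    "example.com": "/srv/example",
    "www.example.com": "/srv/example",
    "other.test": "/srv/other",
}


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP request head into (request line, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def host_without_port(host: str) -> str:
    """Strip the :port suffix; IPv6 literals are bracketed, e.g. [::1]:8080."""
    if host.startswith("[") and "]" in host:
        return host[1:host.index("]")]
    return host.split(":", 1)[0]


def select_vhost(raw: bytes) -> Optional[str]:
    """Return the document root for the requested Host, or None when the
    request carries no Host header or names the server by IP literal."""
    _, headers = parse_request_head(raw)
    host = headers.get("host")
    if not host:
        return None  # no Host: the server cannot tell which site is wanted
    host = host_without_port(host).lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None  # bare IP in the URL bar: refuse rather than guess a site
    except ValueError:
        pass
    return VHOSTS.get(host)
```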

Can a public IP address be used as Google OAuth redirect URI?

I'm trying to set a web service that needs the user's Google Latitude info, so I'm using Google OAuth to get the user authorization stuff.
However, when trying to set the redirection URI in the Google APIs Console for a web application client ID, I get an error message if I try to set it to 'http://PUBLIC_IP/'.
I need to test it with non local users (thus localhost can't be used), so I would like to know if having a web domain is mandatory in order to use Google's OAuth. If not, how can I solve this issue?
This is not currently supported. I filed a feature request and will update on progress.
Update: Essential app verification activities have continued to make support of IP address-based apps unlikely. These verification activities are necessary to provide protections against abuse of user accounts. In addition, the cost of setting up dedicated domains has been reduced significantly since this feature was requested. Please read other responses here about possible options.
You can use xip.io to work around it.
For example: '192.168.0.50.xip.io:3000' will resolve to '192.168.0.50:3000'
I ran into this issue too and so I entered a URL with a .com extension and also entered it into my /etc/hosts file. Works like a charm.
It totally sucks that my entire app now has to be developed on an apparently 'live' domain though.
I used my public hostname. It helps if you have a static IP address. I used http://www.displaymyhostname.com/ to get my hostname. I plugged it straight into the Authorized JavaScript origins field when I created a new Web Application Client ID.
P.S. My hostname looked something like this: 111.111.111.111.static.exetel.com.au
You can use a dynamic DNS. I used ddns.net which offers a free solution. Basically, you enter your FQDN as this: yourcompany.ddns.net as your domain. When looked up for an IP address, the .net domain points to ddns; when ddns.net is looked up, it looks up in its database for your company, returns the IP. So mine looks like this: https://wigwam.ddns.net and everything works fine. You don't need to buy a domain, you can substitute your known IP, and Google is happy with that.
Your IP must be static, of course.
Yes, as of now you still need to have a domain name to use Google OAuth in your application. If you have a static public IP and don't want to buy a domain name, you could use a free subdomain from FreeDNS to link to your public IP. Seemed to work well enough for me with a Django app.
Echoing what Breno said in response to his earlier comment:
Apologies for the lack of updates here. Essential app verification activities have continued to make support of IP address-based apps unlikely. These verification activities are necessary to provide protections against abuse of user accounts. In addition, the cost of setting up dedicated domains has been reduced significantly since this feature was requested. Please read other responses here about possible options.
You can read more about Google's app verification requirements [1] and Google's policies requiring secure handling of data [2].
[1] https://support.google.com/cloud/answer/9110914?hl=en
[2] https://developers.google.com/identity/protocols/oauth2/policies#secure-response-handling
xip.io is not working anymore. As an alternative you can use nip.io the same way, for example:
10.0.0.1.nip.io:8000 will resolve to 10.0.0.1:8000
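An added illustration (not the code of nip.io, sslip.io or any answer here) of the mapping those wildcard DNS services perform, so the redirect URI can be a hostname while still reaching the IP: embedded_ip recovers the address encoded in a name in the dotted or dashed forms those services accept, and redirect_uri_for builds the hostname form of an IP:port. The suffix list is an assumption for the example.

```python
import ipaddress
import re
from typing import Optional

# Assumed wildcard-DNS suffixes for this example; xip.io is reported above
# as no longer working, so it is left out.
MAGIC_SUFFIXES = ("nip.io", "sslip.io")

# 10.0.0.1 or app.10.0.0.1 (address is always the last four labels)
_DOTTED = re.compile(r"(?:^|\.)(\d{1,3}(?:\.\d{1,3}){3})$")
# 10-0-0-1 or app-10-0-0-1 (dash-separated variant)
_DASHED = re.compile(r"(?:^|[.-])(\d{1,3}(?:-\d{1,3}){3})$")


def embedded_ip(hostname: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address encoded in a name such as 10.0.0.1.nip.io or
    app-10-0-0-1.nip.io, or None if the suffix is unknown or the octets are
    not a valid address (a real resolver would return NXDOMAIN there)."""
    name = hostname.lower().rstrip(".")
    for suffix in MAGIC_SUFFIXES:
        if name.endswith("." + suffix):
            label = name[: -len(suffix) - 1]
            break
    else:
        return None
    match = _DOTTED.search(label) or _DASHED.search(label)
    if not match:
        return None
    try:
        return ipaddress.IPv4Address(match.group(1).replace("-", "."))
    except ValueError:
        return None  # e.g. an octet above 255


def redirect_uri_for(ip: str, port: int, scheme: str = "https",
                     suffix: str = "nip.io") -> str:
    """Hostname form of an IP:port redirect URI, the same mapping as
    '10.0.0.1.nip.io:8000 -> 10.0.0.1:8000' in the answer above."""
    ipaddress.IPv4Address(ip)  # reject anything that is not a plain IPv4
    return f"{scheme}://{ip}.{suffix}:{port}/"
```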
It seems like xip.io is down, but there are alternatives such as sslip.io and nip.io. However, I couldn't get either of these to work.
I ended up hosting the main file server on the main machine, and ran said server on a 192.168.1.xx IP address. I then ran servers on each of the test machines (including a second server on the main machine), all of which were on the localhost address. Any requests that the localhost servers received were then passed off to the 192.168.1.xx server, which allowed testing on all of the devices.
This should also work with public facing IP addresses.