We are using a service that require us to provide an IP in V4 format. Our application which resides on GAE reports (using python's os.environ["REMOTE_ADDR"]) for some users the IP in V6 format. Is there away to convert the IP from V6 to V4 on GAE?
Does GAE support the 6to4 transition mechanism?
Thanks,
Eden
Update:
While there is no way to convert IPv6 to IPv4 there is away to limit the access to the application to only those with IPv4. Which is an acceptable solution in my case.
See: GAE IPv6 hosting
6to4 is a deprecated method to provide IPv6 to networks that only have an IPv4 uplink. I don't think it is relevant to your question.
The very short answer: The whole world is slowly starting to enable IPv6, and Google is one of the companies that is actively working on IPv6 support. You will have to deal with IPv6 support.
A bit longer answer: IPv6 is a different protocol than IPv4. You cannot 'convert' IPv6 addresses to IPv4 addresses. IPv4 addresses and IPv6 addresses are unrelated. If your application cannot deal with IPv6 then your best bet is probably to overwrite os.environ["REMOTE_ADDR"] with a 'fake' IPv4 address when you detect an IPv6 address.
If you choose something that is never supposed to show up on the internet like 192.0.2.0 then you can later easily see which entries are caused by an IPv6 client. You won't be able to identify the client anymore though, as the 128 bits in an IPv6 address can never be put into a fake IPv4 address. You really should adjust your application to deal properly with IPv6 if IP addresses are important to you...
Related
So here's my setup:
IP camera -> Raspberry Pi (Raspbian) -> WiFi -> my server
I am currently using motion to retrieve the camera's stream on my RPi. I am able to view it on the local network (192.168.x.x:8080) through my browser (it's an Mjpeg stream).
I would now like to publish this online so I can view it from http://camera.example.com/ for example.
The difference here is that I would like to do so independently of the WiFi network used (so I cannot simply open a port on my router to accept a connection from the server).
I think this would be possible using WebSockets but I never used them before. Or is there some tool that already exists AND is easy to use ? There are many streaming tools out there, but they all seem to be Windows-GUI programs rather than command line tools.
The choice of language is Python, but if for some reason another language would be more suited that is fine too. Also, I do not need to use motion specifically, so if there is a better alternative that would work too. Thanks !
As a set of minimum steps you will need
A domain name that points to your public IP address
A way of keeping the DNS records for the domain up to date as your IP periodically changes (a free dynamic IP from noip.com will help with the first point, and they have a client you can install which will keep their DNS updated with your current IP)
A port forwarding rule on your router to forward port 8080 (and the stream port for the camera stream, probably 8081 but you can change that in the Motion config) to the internal (192.168.x.x) IP of your Pi
A DHCP reservation in your router to reserve the IP of the Pi (otherwise if the internal IP changes you will need to change the port forwarding rule)
You will now be able to access on the internet via the domain name e.g. http://camera.example.com:8080
BUT...
You have just allowed an insecure http (unencrypted) access into a device on your home network, which could then be exploited (someone could view your cameras, or perhaps gain further access to the Pi and other devices on your network...)
You can enable authentication for the web control gui in Motion config but it’s still being served over http and so easy to hack or to intercept.
So, I would also want to ensure it is all accessible only via https (secure,encrypted).
Items you will need:
an SSL certificate for your domain (available for free from letsencrypt.org)
a web server on the Pi (since Motion doesn’t use any installed webserver but instead has its own inbuilt one) - I’d recommend Nginx or Apache
certbot (to generate/install the certificate on the pi)
configure the web server to be a reverse proxy and serve the http motion website as https using your SSL certificate
secure the website (both apache and nginx support http basic authentication which, if the reverse proxy is configured correctly, will be served over https so encrypted, which is better than unencrypted, base64 encoded (and easily decoded) credential info transmitted in the clear for all to see/intercept).
Other authentication options are available with some extra work but as a bare minimum basic auth and full https are better than nothing.
I've been dabbling in ipyparallel, and I must give props to their team. Got it running on my local network, but the next step eluded my skills.
Can't get ipcontroller and ipengine to converse over a subnet of the Internet built on IPv6 with cjdns. Status update:
- engine hosts are reachable via SSH and SCP, which has been the means
I'm using to copy the JSON configuration file
- automatically-generated JSON files come prepacked with local IPv4 addresses from under 192.168..
- usage of --ip or --url when generating JSON file with ipcontroller didn't fix this
- directly changing local IPv4 addresses to their respective IPv6 counterparts was also a dud
ps: first post here :)
Thank you for reading!
I am using Flask and need to get the user's IP address. This is usually done through request.remote_addr but since this app is hosted at a 3rd party (and using cloudflare) it just returns the localhost.
Flask suggests getting the X-Forwarded-Host but then they immediately say it is a security risk. Is there a safe way to get the client's real ip?
The Problem
The issue here is not that the ProxyFix itself will cause the user to get access to your system, but rather the fact that the ProxyFix will take what was once mostly reliable information and replace it instead with potentially unreliable information.
For starters, when you don't use ProxyFix, the REMOTE_ADDR attribute is most likely retrieved from the source IP address in the TCP packets. While not impossible, the source IP address in TCP packets are tough to spoof. Therefore, if you need a reliable way to retrieve the user's IP address, REMOTE_ADDR is a good way to do it; in most cases, you can rely on it to provide you something that is accurate when you do request.remote_addr.
The problem is, of course, in a reverse-proxy situation the TCP connection is not coming from the end user; instead, the end user makes a TCP connection with the reverse proxy, and the reverse proxy then makes a second TCP connection with your web app. Therefore, the request.remote_addr in your app will have the IP address of the reverse proxy rather than the original user.
A Potential Solution
ProxyFix is supposed to solve this problem so that you can make request.remote_addr have the user's IP address rather than the proxy. It does this by looking at the typical HTTP header that remote proxies (like Apache and Nginx) add into the HTTP header (X-Forwarded-For) and use the user's IP address it finds there. Note that Cloudflare uses a different HTTP Header, so ProxyFix probably won't help you; you'll need to write your own implementation of this middleware to get request.remote_addr to use the original client's IP address. However, in the rest of this answer I will continue to refer to that fix as "ProxyFix".
This solution, however, is problematic. The problem is that while the TCP header is mostly reliable, the HTTP headers are not; if a user can bypass your reverse proxy and send data right to the server, they can put whatever they want in the HTTP header. For example, they can make the IP address in the HTTP header the IP address of someone else! If you use the IP address for authentication, the user can spoof that authentication mechanism. If you store the IP address in your database and then display it in your application to another user in HTML, the user could inject SQL or Javascript into the header, potentially causing SQL injection or XSS vulnerabilities.
So, to summarize; ProxyFix takes a known mostly-safe solution to retrieve the user's IP address from a TCP packet and switches it to using the not-very-safe-by-itself solution of parsing an easily-spoofed HTTP header.
Therefore, the recomendation to use ProxyFix ONLY in reverse proxy situations means just that: don't use this if you accept connections from places that are NOT the proxy. This is often means have the reverse proxy (like Nginx or Apache) handle all your incoming traffic and have your application that actually uses ProxyFix safe behind a firewall.
You should also read this post which explains how ProxyFix was broken in the past (although is now fixed). This will also explains how ProxyFix works, and give you ideas on how to set your num_proxies argument.
A Better Solution
Let's say your user is at point A, they send the request to Cloudflare (B) which eventually sends the request to your final application (point C). Cloudflare will send the IP address of A in the CF-Connecting-IP header.
As explained above, if the user finds the IP address to point C, they could send a specially crafted HTTP request directly to point C which includes any header info they want. ProxyFix will use its logic to determine what the IP address is from the HTTP header, which of course is problematic if you rely on that value for, well, mostly anything.
Therefore, you might want to look at using something like mod_cloudflare, which allows you to do these proxy fixes directly in the Apache mod, but only when the HTTP connection comes from Cloudflare IP addresses (as defined by the TCP IP source). You can also have it only accept connections from Cloudflare. See How do I restore original visitor IP to my server logs for more info on this and help doing this with other servers (like Nginx).
This should give you a start. However, keep in mind that you're still not "safe": you've only shut down one possible attack vector, and that attack vector assumed that the attacker knew the IP address of your actual application. In that case, the malicious user could try to do a TCP attack with a spoofed Cloudflare IP address, although this would be extremely difficult. More likely, if they wanted to cause havoc, they would just DDOS your source server since they've bypassed Cloudflare. So, there are plenty more things to think about in securing, your application. Hopefully this helps you with understanding how to make one part slightly safer.
My problem is to match IP address to its hostname.
If the IP address is a public IP then a simple socket.gethostbyaddr(ip) solves it but
my problem is with private IP i.e. IP of a network.
How can I get host names from a network IP address? Is there a way to find out hostname or not?
I'm trying to do this on Linux.
You've already got the Python code required
socket.gethostbyaddr(ip)
What you need is on the infrastructure side of things. To get an internal hostname, you need to query the internal DNS server for the network in question. Larger networks almost always have internal DNS services but some smaller network don't since they rely on other means (direct IP, NETBIOS, Bonjour, etc.) to find various resources.
TL:DR : You need to query the internal DNS services for the network in question
conn=httlib.HTTPConnection(self.proxy)
Self.proxy has destination ip and port.
I want to do multiple connection from multiple IP addresses to destination
How to specify the source IP while connect request.Please help me out.
Thanks in Advance.
I assume that you have multiple network connections on the same computer (i.e. a wired and wireless connection) and you want to make sure that your connect goes over a specific interface.
In general you cannot do this. How your traffic is sent to a specific ip address, and therefore what source ip address it shows, is determined by your operating system's routing tables. As you haven't specified what operating system this I can't go into more detail.
You may be able to do this using some of the more advanced routing configuration, but that's an operating system level problem and can't be done through Python.
I got the solution but not 100%
Requirement: Has to send request from 10 Ip address to one destination.
Achieved the same through the following API
class httplib.HTTPConnection(host[, port[, strict[, timeout[, source_address]]]])
here, we can mention the last parameter source IP
Like, httlib.HTTPConnection(dest_ip, dest_port, src_ip)
For Example:httlib.HTTPConnection("198.168.1.5",8080,"198.168.1.1")
created the connection under for loop for 10 unique src ip addresses.
Output: Connected to destination with 10 different port number with same IP address. I don't know why it happens like this.
Problem solved. Thanks for all.