I'm setting up a new web site hosted in Azure and proxied through Cloudflare. I've noticed that Application Insights and Cloudflare are reporting different geolocations for incoming requests. My personal IP address is identified as being in England by App Insights and the US by Cloudflare (Cloudflare is correct). My phone was identified as Sweden by App Insights (again, I'm in the US).
I have disabled IP masking in App Insights and verified that the correct IP address is being logged in the client_ip field.
According to their own documentation, Cloudflare uses the MaxMind GeoIP database (source). I haven't found an authoritative answer on what App Insights uses, but I have seen some claims that it also uses MaxMind. I used the MaxMind demo tool to test my own IP address and confirmed that it returns accurate information.
As an experiment, I used a Telemetry Initializer to manually override the recorded IP address to 8.8.8.8 (one of Google's DNS servers). MaxMind shows its location as "Los Angeles, California, United States, North America". App Insights shows "Glenmont, Ohio, United States".
Can anyone explain this discrepancy?
Telemetry initializer:

```csharp
using Microsoft.ApplicationInsights.Channel;
using Microsoft.ApplicationInsights.Extensibility;

public class IpAddressTelemetryInitializer : ITelemetryInitializer
{
    public void Initialize(ITelemetry telemetry)
    {
        // Experiment: force every telemetry item to report Google's public DNS address
        telemetry.Context.Location.Ip = "8.8.8.8";
    }
}
```
MaxMind results: (screenshot not reproduced)
Application Insights results: (screenshot not reproduced)
Azure Monitor uses MaxMind GeoLite2 for IP address lookup (see the Azure Monitor FAQ). GeoLite2 is the free version of MaxMind's databases and web services, so its results can be less accurate than the GeoIP2 database. This could be one of the reasons for the discrepancies you are seeing.
Another potential reason is the way proxy IP addresses are handled by Cloudflare and Azure.
The Application Insights module collects the client IP address unless the header X-Forwarded-For is set. If there is more than one IP address in the header, the last IP address is used to populate the geolocation fields.
Cloudflare uses the X-Forwarded-For header to maintain the proxy server and original visitor IP addresses. If there was no existing X-Forwarded-For header in the request sent to Cloudflare, X-Forwarded-For will contain the client IP. Otherwise, Cloudflare appends the IP address of the HTTP proxy to the header, and the proxy IP address will be the last in the list.
So it is possible that Azure gets a proxy IP instead of the client IP address.
If you want to make sure that Azure and Cloudflare use the same IP address for geolocation, consider configuring the ClientIpHeaderTelemetryInitializer to take the IP address from a different header, for example the CF-Connecting-IP or True-Client-IP headers that are set by Cloudflare (read more about Cloudflare headers here). Here is an example of how it can be configured for Application Insights: https://apmtips.com/posts/2016-07-05-client-ip-address/
Please note that even with additional configuration, geolocation results may still be slightly different between Azure and Cloudflare because they use different MaxMind products: GeoLite2 and GeoIP2.
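One way to do what the answer suggests, written here as an added example rather than the answer's or the SDK's own code: a custom ITelemetryInitializer for ASP.NET Core that takes the client address from CF-Connecting-IP, but only when the TCP peer is one of the edge proxies you configured, since a client that reaches the origin directly can send any header it likes. The proxy addresses are placeholders; Cloudflare's real published ranges are CIDR blocks and are not reproduced here.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using Microsoft.ApplicationInsights.Channel;
using Microsoft.ApplicationInsights.DataContracts;
using Microsoft.ApplicationInsights.Extensibility;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
// Assumption: ASP.NET Core with the Microsoft.ApplicationInsights.AspNetCore SDK, behind Cloudflare.
// The header is only believed when the TCP peer is one of our configured edge proxies; a client that
// connects to the origin directly can put anything it likes into CF-Connecting-IP.
public sealed class CloudflareClientIpInitializer : ITelemetryInitializer
{
    private const string HeaderName = "CF-Connecting-IP";
    private readonly IHttpContextAccessor _accessor;
    private readonly HashSet<IPAddress> _trustedProxies;
    public CloudflareClientIpInitializer(IHttpContextAccessor accessor, IEnumerable<string> trustedProxies)
    {
        _accessor = accessor;
        _trustedProxies = trustedProxies.Select(IPAddress.Parse).ToHashSet();
    }
    public void Initialize(ITelemetry telemetry)
    {
        if (telemetry is not RequestTelemetry request) return;   // only requests carry a client IP
        var http = _accessor.HttpContext;
        var peer = http?.Connection.RemoteIpAddress;
        if (peer is null) return;
        if (peer.IsIPv4MappedToIPv6) peer = peer.MapToIPv4();     // Kestrel often reports ::ffff:a.b.c.d
        if (!_trustedProxies.Contains(peer)) return;              // not via Cloudflare: keep the SDK default
        // Parse, never copy the raw header: a malformed value must not reach the geolocation lookup.
        if (IPAddress.TryParse(http.Request.Headers[HeaderName].ToString(), out var client))
            request.Context.Location.Ip = client.ToString();
    }
}
public static class TelemetrySetup
{
    // Program.cs: services.AddApplicationInsightsTelemetry(); services.AddCloudflareClientIp();
    public static IServiceCollection AddCloudflareClientIp(this IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        // PLACEHOLDER addresses: in production match the peer against Cloudflare's published ranges (CIDR).
        string[] edgeProxies = { "203.0.113.10", "203.0.113.11" };
        return services.AddSingleton<ITelemetryInitializer>(sp =>
            new CloudflareClientIpInitializer(sp.GetRequiredService<IHttpContextAccessor>(), edgeProxies));
    }
}
```

Because the initializer runs after the SDK's built-in ones, the value it sets is the one that reaches the geolocation fields; a request that does not arrive through a configured proxy keeps the SDK's default behaviour.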
Related
I have Windows 10.
To get the IP address of some website I type ping somewebsite.com in cmd.
For example, if I say ping google.com, cmd shows Pinging google.com [216.58.206.206] with 32 bytes of data: and some lines after that. If I type the IP provided (216.58.206.206), that gets me to Google.
But some websites aren't like this. For example, for the website codeforces.com I get 213.248.110.126, but this doesn't get me to the website; instead it shows the error 404 Not Found.
Why doesn't it work, and what is the best method to get IP addresses of websites in Windows 10?
Thanks.
Some websites cannot be accessed by IP only.
Think, for example, of a public (free or paid) web hosting service with a shared IP. If you don't provide a domain name (FQDN), then the server doesn't know what page needs to be served.
Think also of some "public" services, like Azure DevOps. They provide you an FQDN under a Microsoft domain, but probably each DevOps repository doesn't have its own IP. If you only provide the IP, then the service doesn't know what page you are requesting.
Also, if you go to an HTTPS page, the certificate is securing the domain name, not the IP address. If you try to enter with the IP only, your browser tells you the page is not secure (try it with Google, for example).
I'm planning an API that will be used by a client on their internal office networks in multiple separate locations. Each location will have a separate instance installed.
They want it to be secure and running on HTTPS.
What I can't seem to understand is how an HTTPS certificate can work when there is no externally facing fully qualified name, e.g. MyApiServer.mycompany.com.
Instead they will likely just be running it on a server/computer with just a hostname, i.e. MyApiServer.
The data being transferred is not necessarily sensitive, but it places records in a sales system.
If HTTPS is not possible in this scenario, what's an alternative method to secure the communication?
The server name does not have to be "fully-qualified". For securing the call it is enough for the domain specified in the URL to equal the domain name specified in the certificate.
So your clients would call https://MyApiServer/endpoint in your LAN, which should cause your service to present a server certificate whose subject is MyApiServer.
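As an added example (not from the answer above), the name rule in practice: minting a certificate whose subject and Subject Alternative Name are the bare hostname MyApiServer, and the check a client applies to it. It assumes .NET Core 2.0 or later for CertificateRequest; a self-signed certificate like this has to be placed in every client's trusted root store, and an internal CA issuing the same kind of certificate scales better, but the name-matching rule is the same either way.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Assumption: .NET Core 2.0+ / .NET 5+ (CertificateRequest, SubjectAlternativeNameBuilder).
// The host part of the URL (here the bare machine name) must appear in the certificate's SAN;
// modern clients ignore the CN when a SAN extension is present.
public static class InternalHostCert
{
    public static X509Certificate2 CreateSelfSigned(string hostName, int validDays = 365)
    {
        using var key = RSA.Create(2048);
        var request = new CertificateRequest($"CN={hostName}", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // The SAN is what the client compares against the URL host, e.g. https://MyApiServer/endpoint
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(hostName);
        request.CertificateExtensions.Add(san.Build());

        // Server-authentication leaf certificate, explicitly not a CA
        request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, true)); // id-kp-serverAuth

        var now = DateTimeOffset.UtcNow;
        using var cert = request.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(validDays));
        // Re-import from PFX so the private key stays attached after the RSA object is disposed
        return new X509Certificate2(cert.Export(X509ContentType.Pfx));
    }

    // The client-side rule from the answer: URL host == DNS name in the certificate (single-name cert).
    public static bool NameMatches(X509Certificate2 cert, string urlHost) =>
        string.Equals(cert.GetNameInfo(X509NameType.DnsName, false), urlHost,
                      StringComparison.OrdinalIgnoreCase);
}
```

The returned certificate can be handed to Kestrel (listenOptions.UseHttps(cert)) and NameMatches(cert, "MyApiServer") is the comparison a client performs, which is why https://MyApiServer/endpoint validates while the same server reached by IP address does not.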
I am trying to restrict access to my Google Maps API account by using IP addresses to set up a key restriction. Previously I have been able to set up a key restriction using the HTTP referrer, but I do not seem to be able to get the same config working using IP addresses. I have generated a new key to use with the IP addresses (leaving the current one using the HTTP referrer in play, as it works).
As an example, I can access the Maps API from localhost/* but am unable to access it from 127.0.0.1 (using the new API key with IP address key restrictions set up). My actual website is hosted on a shared server, and using the domain name (perfectpets.com.au) with the HTTP referrer restriction all is good, but if I use the new API key with the IP address restriction I get the RefererNotAllowedMapError error.
Any tips on how to get this going would be greatly appreciated.
IP address restrictions only work for web services, not the Google Maps JavaScript API v3.
From the documentation:
Once restricted, a key will only work on platforms that support that type of restriction.
IP addresses (individual servers) - for use with the web service APIs.
HTTP referrers (web sites) - for use with the Web APIs.
In one of my applications (ASP.NET/VB.NET), I need to read the Client Machine Name. Based on the Client Machine we trigger a Point of Sale payment device to accept the payment. On each of these systems we have a stand alone software installed which communicates to the bank using HTTP requests. I am using the following .NET code to read the Client Computer Name.
```vb
Imports System.Net
Imports System.Web

' Reverse-resolve the caller's IP address and keep only the host part of the name
Dim name As String = String.Empty
Dim hostEntry = Dns.GetHostEntry(HttpContext.Current.Request.UserHostAddress)
If hostEntry.HostName.Contains(".") Then
    ' Strip the domain suffix, e.g. "POS01.xyz.com" becomes "POS01"
    name = hostEntry.HostName.Substring(0, hostEntry.HostName.IndexOf("."))
Else
    name = hostEntry.HostName.Trim()
End If
```
In the development environment, all our systems are in a domain ("xyz.com") and we don't have any issues. In the customer location they don't have a domain name setup. My above logic works well in some of the systems in the client environment and is able to make payments but in most of the systems our logic fails and is not able to read the host name. Any help will be appreciated.
Your question doesn't have the specifics required to answer your question. There are many questions that need to be answered about both environments to give a correct answer. Since I can't ask questions, I will make some assumptions which might apply to future readers of this post and be able to help them out.
I would ask a question but my profile was forked for some unknown reason and I don't have the required reputation to ask a question. That being said I will run through the list of issues I can identify off the bat and suggest solutions for the issue and hopefully one will lead you to a solution.
So...
1) You state you need to read the client machine name. However, if your application isn't running on an internal LAN (aka an intranet) you can't read client machine names, period. So this could be your first problem.
2) Combining point 1 with the fact that you are reading the IP address from UserHostAddress of the client to look up a DNS host name, and that when the lookup succeeds you are taking the first part of the name up until the first ".", it should be safe to assume that this is an intranet application running on a LAN in both your development environment and the client environment. With that assumption, and given the statement that all machines are given a domain of xyz.com, it can be assumed that DNS in your development environment is being dynamically updated, presumably through Active Directory (AD). In that case, whenever a client machine on the development network requests an IP address, presumably through AD, the DHCP server integrated with AD issues the new IP address. When it does, and the DHCP offer is acknowledged and accepted by the client, AD updates DNS (which on a Windows network is also AD integrated) by adding a host entry with the computer name of the client machine pointing to the IP address. Additionally, a DNS pointer record, depending on configuration, can be added to AD's DNS, which allows an IP address lookup to resolve to the record (which in this case would be the client's machine name). So with your development environment (presumably running on a Windows Active Directory domain) everything works. Additionally, by default the top level domain name (XYZ.COM) gets appended to the client's computer name in initial DNS requests from the client.
3) Your client is not running a domain, which leaves further questions. Are they running Windows? If they are running Windows, is it as a non-AD environment, for example a workgroup? The first assumption would be that they are not AD integrated, or otherwise you most likely wouldn't be having this problem, although I can think of a few rare-case scenarios where they might. However, odds are the relevant questions are: what DNS server are they running and what DHCP server are they running? Your application is trying to use a client IP address on their network and the host name lookup based on that IP is failing, so it tells me that in their environment, for one reason or another, you can't get a host name from the IP address of the client. Mind you, they could be on AD and configured entirely correctly and their DNS server is just overwhelmed and not responding within 2 seconds, causing the name lookup failure, but that is the rare case. With more information I could help more.
4) Assuming, as in 3, that they are not on AD, do you have the ability to manually code host names on the computer your application is running on? For example, let's say yourapp.exe runs on client-server-01 and clients connect to it. Then on client-server-01 you could add static entries in the hosts file for each PC on the client network that you expect to connect. On the other hand, if your application is running locally on the client PCs you could pass the machine name as a header in the web request and then read it from the Request.Headers variable on the server.
5) Again, making another assumption that the clients are web based and your application in the client environment is being hosted on the server... Is the server on a DMZ outside the client environment? If so, the client environment may well be configured, per best practices, so that the server hosting your web app is in a DMZ and DNS requests to the box are forwarded to the client's ISP and not back into their network that has the DNS server capable of resolving an internal IP to a client machine name. If this is the case you need to send the client machine name as a variable from your client, or code local IPs to host names in the server's hosts file (assuming the internal network isn't behind NAT and exposes the real client machine's IP), or request that the DMZ'd server can access the internal DNS and configure the access accordingly.
....
The list really goes on and on but I think I highlighted the problems for 99% of the situations and provided answers to their various solutions.
You can try to take it from the X-Forwarded-For header.

The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

This is what X-Forwarded-For should contain:

```
X-Forwarded-For: client, proxy1, proxy2
```

Here is some example code:

```csharp
// Classic ASP.NET (System.Web): prefer the forwarded header, fall back to the TCP peer address
string ip = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
if (!string.IsNullOrEmpty(ip))
{
    // Entries are "client, proxy1, proxy2"; this takes the first (left-most) one,
    // which is whatever the client or the first proxy put there
    string[] ipRange = ip.Split(',');
    ip = ipRange[0].Trim();
}
else
{
    ip = Request.ServerVariables["REMOTE_ADDR"];
}
```
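The snippet above takes the left-most X-Forwarded-For entry, which is the one a client can write itself. As an added example (not the answer's code), here is the same lookup done from the right, counting back over the number of proxies you actually operate, so that the value you use is the one a proxy you trust observed; the helper names and the constructed sample inputs are mine, not the answer's.

```csharp
using System;
using System.Linq;
using System.Net;

// Every proxy appends the address it accepted the connection from, so the header reads:
//   [anything the client sent], client, proxy1, ..., proxyN-1
// and proxyN is the TCP peer (REMOTE_ADDR) and appears nowhere in the header. Only the right-most
// entries written by proxies you know about are trustworthy; the left-most entry is attacker-controlled.
public static class ForwardedFor
{
    // trustedProxyCount: number of proxies between the client and this server that append to the header.
    public static IPAddress ClientAddress(string remoteAddr, string xff, int trustedProxyCount)
    {
        var peer = IPAddress.Parse(remoteAddr);
        if (trustedProxyCount <= 0 || string.IsNullOrWhiteSpace(xff))
            return peer;                                  // no proxies in the path: the peer is the client

        var hops = xff.Split(',').Select(h => h.Trim()).Where(h => h.Length > 0).ToArray();

        // proxy1..proxyN-1 occupy the last N-1 slots, so the client as seen by proxy1 is at Length - N.
        int clientIndex = hops.Length - trustedProxyCount;
        if (clientIndex < 0)
            return peer;                                  // fewer hops than expected: do not guess

        return IPAddress.TryParse(hops[clientIndex], out var client) ? client : peer;
    }

    // Classic ASP.NET (System.Web) wrapper using the same server variables as the snippet above.
    public static IPAddress FromRequest(System.Web.HttpRequest request, int trustedProxyCount) =>
        ClientAddress(request.ServerVariables["REMOTE_ADDR"],
                      request.ServerVariables["HTTP_X_FORWARDED_FOR"], trustedProxyCount);

    // Constructed inputs: one load balancer (10.0.0.1) in front of the server, and a client that
    // sent a fake first entry (192.0.2.9) before the balancer appended what it really saw.
    public static void Demo()
    {
        const string peer = "10.0.0.1";
        Console.WriteLine(ClientAddress(peer, "192.0.2.9, 198.51.100.7", 1)); // entry written by the balancer
        Console.WriteLine(ClientAddress(peer, "192.0.2.9, 198.51.100.7", 0)); // no trusted proxy: the peer
        Console.WriteLine(ClientAddress(peer, "198.51.100.7", 2));            // too few hops: the peer
    }
}
```

With trustedProxyCount set to the real depth of your proxy chain, a forged left-most entry never reaches the lookup; with it set to 0 (no proxy at all), the header is ignored entirely and REMOTE_ADDR is used.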
There was an issue with the firewall setup on the client machine. Due to that, our .NET code was failing. After adding an exception for all the incoming requests from xyz.com, my code is working without any issues.
Thank you guys #Alexander Higgins, #halfer for the help.
Say a merchant has an ASP.NET/C# e-commerce website abc.com, and he would like to allow Spanish customers only. But a credit card fraudster located in Greece attempts to purchase goods online with a stolen credit card that has a Spanish billing address. The system tries to prevent the fraud by matching the customer's IP location against the billing address, but the fraudster can bypass this check by selecting a proxy located in Spain.
So, is it possible to block the proxy user? I do not want any third-party paid proxy detector.
I have found the following discussions regarding proxies, but none of them matches my case well enough:
Proxy detection,
.NET proxy detection and http://www.maxmind.com/app/proxy (paid service)
My guess is that we may be able to detect a proxy customer by knowing what DNS he is using on his machine. Normally, a customer should use the DNS of the ISP that owns the IP. If a customer is using another public DNS, can we treat him as a proxy user?
Any idea would be appreciated.
If Flash is a viable option, you should be able to detect the user's real IP that way.