How to restrict connections to glassfish? - glassfish-3

I'm running a web application on a glassfish 3 server. The application should not be accessible for anyone. Instead I want to limit access to a handful static IP addresses. To block all communication via a firewall is not an option, since the server hosts other web services too.
Given this background, my question would be:
How can I tell glassfish to only respond to requests from a given set of IP addresses?
Your help is highly appreciated!

IP-based security is not very robust and... secure (think network topology changes, IP spoofing) but it should be possible to:
create a virtual server
configure the application to be available on that virtual server only
define allowRemoteHost/denyRemoteHost properties at the virtual server level
A better alternative would be to move to certificates.

You can always write a filter that returns 404 or whatever for invalid IPs. Note that IPs can be spoofed.

Related

Building Proxy Site with Nginx and Rotating Proxy Service

I'm looking to build a similar application to https://www.proxysite.com/ but am not sure on the best architecture.
Looking to have a data flow like this.
User Web Browser -> myproxysite.com -> Nginx Proxy Server (somehow rotating IP for each client session) -> Targetsite.com
Then the user would need to maintain a full session on Targetsite.com as a logged in user.
In this example, targetsite.com is always the same site and is pre-determined. The challenge we are facing is that targetsite.com is blocking our users based on IP, many of whom are accessing it from the same office network.
So my questions are:
Does this seem correct?
Is there any way for me to configure nginx with a rotating proxy service like Luminati? Or do I need to add an API software layer to handle the actual IP changes?
Any guidance on this one would be greatly appreciated!
While I can't help you with your application, I do want to suggest an alternative. You mentioned an office so it sounds like the users who will use the proxy are workers.
Luminati (now BrightData) has a proxy manager which you can host on any server. The proxy manager allows you to create ports (ie port 24000) and configure it with whatever proxy you want (doesn't have to be BrightData's proxy). It has a ton of different parameters that you can include for each proxy (including IP rotation) and each port can be configured to have a unique setup.
Then you simply go to your user's PC, open the browser proxy settings, type the IP address of the server that the proxy manager is running on and the specific port you configured, and voila. You have central control over managing the proxies and your user's browser is proxied.
A big benefit of this is the logs in the proxy manager show all activity on each port you setup, so you can monitor traffic and the success rates right there.
Proxy manager: https://prnt.sc/13uyjgj

Host Name is sometimes empty

In one of my applications (ASP.NET/VB.NET), I need to read the Client Machine Name. Based on the Client Machine we trigger a Point of Sale payment device to accept the payment. On each of these systems we have a stand alone software installed which communicates to the bank using HTTP requests. I am using the following .NET code to read the Client Computer Name.
Imports System.Net
Imports System.Web

' Reverse-resolve the caller's address (REMOTE_ADDR) to a host name, then keep
' only the short (unqualified) part before the first dot. Dns.GetHostEntry
' throws a SocketException when no PTR record resolves for that address.
Dim name As String = String.Empty
Dim hostEntry = Dns.GetHostEntry(HttpContext.Current.Request.UserHostAddress)
If hostEntry.HostName.Contains(".") Then
    name = hostEntry.HostName.Substring(0, hostEntry.HostName.IndexOf("."))
Else
    name = hostEntry.HostName.Trim()
End If
In the development environment, all our systems are in a domain ("xyz.com") and we don't have any issues. At the customer location they don't have a domain set up. My above logic works well on some of the systems in the client environment and is able to make payments, but on most of the systems our logic fails and is not able to read the host name. Any help will be appreciated.
Your question doesn't have the specifics required to answer your question. There are many questions that need to be answered about both environments to give a correct answer. Since I can't ask questions, I will make some assumptions which might apply to future readers of this post and be able to help them out.
I would ask a question but my profile was forked for some unknown reason and I don't have the required reputation to ask a question. That being said I will run through the list of issues I can identify off the bat and suggest solutions for the issue and hopefully one will lead you to a solution.
So...
1) You state you need to read the client machine name. However, if your application isn't running on an internal LAN (aka an intranet) you can't read client machine names period. So this could be your first problem.
2) Combining point 1 and given that you are reading the IP address from UserHostAddress of the client to look up a DNS host name, and when the host lookup succeeds you are taking the first part of the name up until the first ".", it should be safe to assume that this is an intranet application running on a LAN in both your development environment and at the client environment. With that assumption, and given the statement that all machines are given a domain of xyz.com, it can be assumed that DNS in your development environment is being dynamically updated, presumably through Active Directory (AD). In such a case, whenever a client machine on the development network requests an IP address, presumably through AD, the DHCP server integrated with AD issues the new IP address. When it does, and the DHCP offer is acknowledged and accepted by the client, AD updates DNS (which on a Windows network is also AD integrated) by adding a host entry with the computer name of the client machine pointing to the IP address. Additionally a DNS pointer, depending on configuration, can be added to AD's DNS which allows an IP address lookup to resolve to the record (which in this case would be the client's machine name). So with your development environment (presumably running on a Windows Active Directory domain) everything works. Additionally, by default the top-level domain name (XYZ.COM) gets appended to the client's computer name in initial DNS requests from the client.
3) Your client is not running a domain, which leaves further questions. Are they running Windows? If they are running Windows, is it as a non-AD environment, for example a workgroup? The first assumption would be they are not AD integrated, or otherwise you most likely wouldn't be having this problem, although I can think of a few rare-case scenarios where they might. However, odds are the relevant questions are: what DNS server are they running and what DHCP server are they running? Your application is trying to use a client IP address on their network and the host name lookup based on that IP is failing, so it tells me that in their environment, for one reason or another, you can't get a host name from the IP address of the client. Mind you, they could be on AD and configured entirely correctly and their DNS server is just overwhelmed and not responding within 2 seconds, causing the name lookup failure, but that is the rare case. With more information I could help more.
4) Assuming in 2 that they are not on AD, do you have the ability to manually code host names on the computer your application is running on? For example, let's say yourapp.exe runs on client-server-01 and clients connect to it. Then on client-server-01 you could add static DNS entries in the hosts file for each PC on the client network that you expect to connect. On the other hand, if your application is running locally on the client PCs you could pass the machine name as a header in the web request and then read it from the Request.Headers variable on the server.
5) Again, making another assumption that the clients are web based and your application in the client environment is being hosted on the server... Is the server on a DMZ outside the client environment? If so, the client environment may likely be configured, per best practices, so that the server hosting your web app is in a DMZ and DNS requests from the box are forwarded to the client's ISP and not back into their network that has the DNS server capable of resolving an internal IP to a client machine name. If this is the case you need to send the client machine name as a variable from your client, or code local IPs to host names in the server's hosts file (assuming the internal network isn't behind NAT and exposes the real client machine's IP), or request that the DMZ'd server can access the internal DNS and configure the access accordingly.
....
The list really goes on and on but I think I highlighted the problems for 99% of the situations and provided answers to their various solutions.
You can try to take it from the X-Forwarded-For header:
The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
This is what X-Forwarded-For should return:
X-Forwarded-For: client, proxy1, proxy2
Here is some example code:
// Prefer the first entry of X-Forwarded-For (the original client as reported
// by the proxy chain); fall back to the socket peer address when it is absent.
string ip = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
if (!string.IsNullOrEmpty(ip))
{
    // Header format: "client, proxy1, proxy2" -> take the leftmost entry
    string[] ipRange = ip.Split(',');
    ip = ipRange[0].Trim();
}
else
{
    ip = Request.ServerVariables["REMOTE_ADDR"];
}
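The filter suggested for the GlassFish question above ("returns 404 or whatever for invalid IPs") and the X-Forwarded-For snippet in this answer both depend on which address the server believes the client has, and both answers warn that the value can be spoofed. The following is an added example, not code from either post, written in Python so the logic is independent of GlassFish or ASP.NET. The allowed networks 203.0.113.0/24 and 198.51.100.7, the trusted proxy range 10.0.0.0/8 and the sample requests are constructed values. naive_client_ip mirrors the C# snippet above (leftmost header entry wins); client_ip only believes entries appended by a proxy we operate, walking the chain from the right and stopping at the first hop that is not ours.

```python
import ipaddress

# Constructed example values, not from the original posts: the office
# addresses that may reach the application, and the network our own
# reverse proxy / load balancer connects from.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8",)]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def naive_client_ip(remote_addr, xff_header):
    """Mirror of the C# snippet above: the leftmost X-Forwarded-For entry wins.

    Any client can send that header, so the caller chooses the value used here.
    """
    if xff_header:
        return ipaddress.ip_address(xff_header.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip(remote_addr, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Return the address that should be subject to the allowlist.

    Only entries appended by a trusted proxy are believed: walk the chain from
    the right (the hop nearest to us) and stop at the first address that is not
    one of our proxies. A value the client forged sits further left and is
    never reached. When the TCP peer itself is not a trusted proxy the header
    is ignored entirely.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, trusted_proxies):
        return peer
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    candidate = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: do not trust anything to its left.
            return candidate
        if _in_any(addr, trusted_proxies):
            candidate = addr      # another of our proxies; keep walking left
            continue
        return addr               # first untrusted hop is the real client
    return candidate


def decide(remote_addr, xff_header, allowed=ALLOWED_NETWORKS, trusted_proxies=TRUSTED_PROXIES):
    """What the filter would answer: (HTTP status, address it decided on).

    404 rather than 403 follows the answer above: a source that was never meant
    to see the application learns nothing about whether the resource exists.
    """
    ip = client_ip(remote_addr, xff_header, trusted_proxies)
    return (200 if _in_any(ip, allowed) else 404), str(ip)


if __name__ == "__main__":
    # Constructed requests: direct, via our proxy, and with a forged header.
    for peer, xff in [("203.0.113.5", None),
                      ("10.0.0.2", "203.0.113.5"),
                      ("10.0.0.2", "203.0.113.5, 192.0.2.9"),
                      ("192.0.2.9", "203.0.113.5")]:
        print(peer, repr(xff), "->", decide(peer, xff), "naive:", naive_client_ip(peer, xff))
```

The third sample request is the case the answers warn about: the client sent its own "X-Forwarded-For: 203.0.113.5", the proxy appended the real peer 192.0.2.9, and the leftmost-entry rule admits the request while the trusted-proxy walk rejects it. The same walk covers the opposite mistake: when the application is reached directly (peer not in TRUSTED_PROXIES) the header is discarded, so an attacker cannot borrow an allowed office address by setting it.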
There was an issue with the firewall setup on the client machine. Due to that, our .NET code was failing. After adding an exception for all incoming requests from xyz.com, my code is working without any issues.
Thank you guys @Alexander Higgins, @halfer for the help.

How do I restrict access to a website hosted on an Azure VM to a given IP and itself?

I am doing some testing on an Azure VM and have an ASP.NET website that I wish to limit access to. The website should only be accessible from a given IP (our office) but I also want the server to be able to make requests to other websites hosted on itself.
I have successfully setup an IP and Domain Restriction for our office IP but cannot find a way to allow requests internally from itself.
Is this possible without setting up a static IP in Azure?
This question should be migrated to ServerFault, but given that there are programmatic approaches to it, I'll answer:
You need to set up Access Control Lists on the input endpoints, to specify ranges (via CIDR notation) of allowable or blocked IP addresses.
While this may be done via the portal, you may do it via the CLI:
azure vm endpoint acl-rule create [vm-name] [endpoint-name] [order] [action] [remote-subnet]
You may do this via PowerShell as well. Rough outline:
Use New-AzureAclConfig to set up a config object
Use Set-AzureAclConfig to add rules to the config
Use Get-AzureVM to retrieve the config of your given virtual machine and add the ACL config to the VM
Use Update-AzureVM to save your changes
More PowerShell details here.

Running multiple ASP.NET websites on same port and IP

I want run multiple ASP.NET websites on a single IIS server using the same IP address and port (80).
I cannot use host headers to accomplish this because my clients have not agreed to use a domain name.
My websites will be accessed using an IP like 227.23.32.44. All of them will use the same port (80). The reason for this is that I have around seven applications and my clients want me to use standard, IANA-approved, easy-to-remember port numbers.
If I want to go with standard, IANA approved TCP port numbers, I would be left with
227.23.32.44:80
227.23.32.44:116
227.23.32.44:84
This is not very user friendly.
Rather, if I use
227.23.32.44:80
227.23.32.44:81
227.23.32.44:82
Then it is much more user friendly but my clients will not let me use this.
Is there any other way to run multiple websites? Can I use another proxy server to inspect the url of all incoming requests and then route to the necessary application? I have heard about nginx. Can I use nginx to do this?
You need to uniquely identify a site using a composite key of IP+Host Header+Port.
Since host header is out, you are left with just IP and Port. You have 2 options.
1. Have multiple adapters so that you have multiple IPs and the port will be 80.
2. Have the same IP but different ports.
Host header is meant precisely for this reason. You can have same IP, same port but different Host header.
Nginx is not a silver bullet either. You won't be able to run ASP.NET on Nginx.
Why not put the applications in different folders on IIS?
227.23.32.44/WebApp1
227.23.32.44/WebApp2
227.23.32.44/WebApi
IIS supports this out of the box:
Go to IIS Manager
Right-click Default Web Site
Choose the "Add Application..." command. The alias is the customer-visible part of the URL.

Securing a web server but allowing developers access

We have a web server in the DMZ that has open access to the Internet (of course) and RDP access to our internal network via an internal Firewall.
Our web developers (who use many different tools including Visual Studio) require the ability to 'publish' content changes and new projects to particular folders on the web server. This ability requires a drive to be mapped to the server you are publishing to.
The problem is, our network team refuses to open up NTFS access to the server internally. I somewhat agree with them - there is no way to limit NTFS access by port number. It simply doesn't exist as an option I am aware of.
So our question becomes: other companies must have this need to secure traffic coming to and from the web server from the internal network. How does one allow mapped drives to a web server in a DMZ without opening up the web server completely?
Thanks
CIFS normally runs on one of several ports: TCP 445, 137, 139; UDP 137, 138. Your firewall team ought to be able to poke holes through for these specific ports to specific internal hosts that should have privilege to update the live webserver.
If it is a "real" DMZ with separate firewalls on both sides of the hosts, it should be easy to modify both the firewalls and the web server's host firewall to allow the accesses. If the DMZ is "faked" a bit with a single firewall, it is still possible to allow the access from only internal hosts on both the firewall and the server's host firewall, but I could understand the reticence to trust so much to a single firewall.