Vaadin 14: session browser ip address is always 127.0.0.1 - vaadin14

I need the IP address of the browser of the current session. Currently I retrieve this by UI.getCurrent().getSession().getBrowser().getAddress() but this one always returns 127.0.0.1.
The idea is, for instance, that the application, packaged as a webapp on a Tomcat, authenticates with badge readers and only authenticates when the IP address of the Vaadin session is equal to the IP address of the badge reader, so that each badge reader (linked to computer x) can only authenticate actions on Vaadin sessions with the IP of computer x. Currently I compare the badge reader IP, 192.168.xxx.xxx, with the Vaadin session browser IP, but this one is always 127.0.0.1, which results in a mismatch and no successful authentication.
How can I retrieve the real address, for instance 192.168.xxx.xxx?

getAddress() is based on ServletRequest.getRemoteAddr() which in turn is based on the TCP connection to the server.
If there is a proxy, gateway or load balancer in front of the server, then getRemoteAddr() will always be the IP address from which the proxy sends requests. In that case, there's often an X-Forwarded-For header in the HTTP request, but you'd then need to find the value through VaadinRequest.getCurrent() instead of through the WebBrowser class.
If you're testing locally, then there might also be a difference in what URL you enter in the address bar in the browser. If you have e.g. http://localhost:8080, then the server will see 127.0.0.1 as the originating address. If you instead use the external IP address of the development machine, e.g. http://192.168.0.2, then the server will see that address for the TCP connection.

Related

How to only allow access to API from certain ip address

I currently have a Node.js server deployed to Heroku. I want to restrict non-authorized domains from interacting with the APIs. I know I can do this on the server side by either requiring authentication or by requiring a specific request host. But is there a way to configure that on Heroku? To only allow a specific server owned by me to call the Node server.
Heroku most likely adds an x-forwarded-for header to requests it is sending to your application. You'll want to get the first address in that list:
const ip = (req.headers['x-forwarded-for'] || '').split(',')[0];
Where req is a request object. This glitch demonstrates it in action.
Using this address, you can respond to traffic depending on its IP from your node server.
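The two answers above both come down to the same question: which address in the chain do you believe? The example below is added here and is not code from either thread; it is a Node function (the Vaadin case is the same logic applied to the header read from VaadinRequest.getCurrent()) that only honours the X-Forwarded-For entries appended by proxies you operate, falls back to the TCP peer otherwise, and normalises Node's "::ffff:" IPv4-mapped form so the result compares equal to a device address like the badge reader's. The request objects are constructed for a local run; `trustedProxies` is an assumed parameter you set to the number of reverse-proxy hops in front of the app.

```javascript
// Resolve the originating client address of a Node http.IncomingMessage-shaped request
// (req.socket.remoteAddress plus req.headers), honouring X-Forwarded-For only for the
// hops added by proxies you operate. trustedProxies is the number of such hops: 0 when
// browsers connect straight to the app (the header is then client text and ignored),
// 1 behind Heroku's router or a single nginx in front of Tomcat.
function clientIp(req, trustedProxies) {
  const hops = String(req.headers['x-forwarded-for'] || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  // Each proxy appends the address it saw, so the chain reads "client, proxy1, proxy2, ...".
  // Only the rightmost trustedProxies entries were written by proxies we control; the
  // client is the entry just left of that block, and anything further left is forgeable.
  if (trustedProxies === 0 || hops.length < trustedProxies) {
    return req.socket.remoteAddress; // nothing trustworthy in the header: use the TCP peer
  }
  return hops[hops.length - trustedProxies];
}

// Node reports IPv4 peers of a dual-stack listener as "::ffff:a.b.c.d"; strip that prefix
// so the result compares equal to a plain dotted address such as a badge reader's.
function normalizeIp(ip) {
  return ip.startsWith('::ffff:') ? ip.slice(7) : ip;
}

// The comparison the Vaadin question describes: does the session's client match the device?
function sameHost(req, trustedProxies, expectedIp) {
  return normalizeIp(clientIp(req, trustedProxies)) === normalizeIp(expectedIp);
}

// Constructed requests. Direct connection carrying a forged header: the header is ignored.
const direct = {
  socket: { remoteAddress: '::ffff:192.168.1.20' },
  headers: { 'x-forwarded-for': '10.0.0.9' },
};
// Same browser reaching the app through one trusted reverse proxy on the same machine,
// where the client also prepended a bogus entry to the header.
const proxied = {
  socket: { remoteAddress: '127.0.0.1' },
  headers: { 'x-forwarded-for': '10.0.0.9, 192.168.1.20' },
};

console.log(clientIp(direct, 0), sameHost(direct, 0, '192.168.1.20'));   // ::ffff:192.168.1.20 true
console.log(clientIp(proxied, 1), sameHost(proxied, 1, '192.168.1.20')); // 192.168.1.20 true
```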

Secure communication between two servers

I want to securely store private keys of my users on a separate server (let's call it B), and it's used to sign and decrypt information. B stores keys in a database (Postgres). Server A (public) sends information to B. Ideally B needs to get the private key, sign the token with the information and send it back to A, instead of sending the private key to A, which can be a security issue (if server A is compromised).
My options are:
1. web sockets
2. HTTPS request (https://nodejs.org/api/https.html#https_https_request_options_callback)
Questions:
1. Are there any other options to securely communicate between two servers?
2. If server B was on port "7000", how can I make sure only server A can access it?
3. How does an HSM server help in my case, and how does it communicate with other servers (websocket or HTTPS request)?
I could just take the easy route and connect the database of server B on port "7000" and run queries from A, but as I said it's not as secure. I heard that an HSM handles/decrypts information and sends it back, so I thought I can do something similar with normal servers.
Thanks, any help would be appreciated.
UPDATE
#zaph has answered questions 2 and 3.
Question: Does server A need to do an HTTPS request and include the private IP address of server B, for example https://203.0.113.25? Then server B would use an API router to handle the request. However, an IP address isn't a DNS name, so it won't work due to certificates. So how do servers communicate, send/receive data?
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario3.html
For others: Use security groups, configure them so only a specific instance can access it. Make a normal request, e.g.: domain.com:PORT. PORT is the instance that's listening to request...
"When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses)."
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

Could a web app which authenticates a client only by IP address be exploited?

My web app is using a 3rd party tool for storing sensitive data, which has the ability to send events via a callback url (i.e. when something changes it will make a request to the given url). In order to prevent malicious requests the 3rd party tool suggests checking the IP Address of the request to ensure that it came from their server, but this seems like it would be vulnerable to spoofing.
Questions:
Is it safe to validate origin of requests in this way?
Would client certificates be a more reasonable approach for them?
If the 3rd party app is across the internet, then your check would be protected against IP spoofing as the 3 way handshake cannot take place if the IP address is spoofed. (Discounting large scale attacks such as IP hijacking.)
If the 3rd party app is on another server within your local network, then another user on that network could just set their local IP to that of the app to spoof it.
To summarise:
Could a web app which authenticates a client only by IP address be exploited?
No - if the app is internet based, the risk of IP spoofing is very low.

How to redirect dhcp (Linux) [duplicate]

This question already has an answer here: DHCP Server to Redirect any url to landing page (1 answer). Closed 7 years ago.
I have a Linux DHCP server which I need to redirect all web traffic to a landing page which will have instructions on how to register their computer on the network.
No matter what URL a user types in, the user needs to be redirected to a webpage (on the DHCP server).
i.e.: the user types google.com and they are immediately redirected to 192.168.10.1. This DHCP server will never be used to access the web. Once the user acquires the instructions to register their computer from the landing page, they will be blacklisted on this particular DHCP server and forced to request an IP from the main DHCP server.
How can I create such a redirect?
You are looking for a captive portal. See http://en.m.wikipedia.org/wiki/Captive_portal.
There are open source solutions that do just that. Look up "captive portal open source" on Google.
Note that the DHCP server assigns the IP address, mask, gateway and DNS config parameters. The captive portal needs to be implemented in the router box so as to prevent any traffic to the Internet until the user opens a web session and authenticates.

Node JS internet gateway/captive portal like used in public WiFi hotspots

I want to build a Node.js internet gateway/captive portal, so I can have a user 'authorize' his MAC address (or IP address if the MAC address is not possible), like public WiFi hotspots do.
So what I have in mind is that Node can run a DHCP server and give its own IP address as the gateway. So if the user loads a page in the web browser it gives them an authentication screen, they can then log in, and the gateway can then route their packets correctly.
How can I do the authorization step with Node.js, so that if they're not logged in it presents a login page, and if they are it routes the packets correctly?
You need a couple of pieces to put this together.
#1: HTTP proxy - If you can run a DHCP server and assign IP addresses, then you can run an http-proxy to capture all internet traffic.
#2: You'll then need to add authentication logic to this proxy which can check for a cookie, magic packet, token or something that verifies access and lets them through or redirects to the login page.
node-http-proxy is a very popular and flexible Node HTTP proxy server that you can easily add your own logic to.
node-http-auth-proxy is another such project with an example of how to handle authentication built in.
Having a proxy also allows you to whitelist/blacklist sites/IPs, something you may want to do based on your target audience.