Is there any way to implement a custom guard that allows access to users that match the stored IP? For this, each user has an IP associated in the database.
With all guards you have access to the request via the ExecutionContext that each canActivate function uses. To get to the request you need to change the context to http, and then get the request. That can be done like this: context.switchToHttp().getRequest(). From there, ip is usually a top-level property. Keep in mind, IPs are not static and are subject to change.
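The guard described above, as an added example that is not part of the original answer: it keeps the canActivate/ExecutionContext shape NestJS calls, but uses a constructed Map of users instead of a database and a small stand-in context so it runs without @nestjs/common; the req.user field is assumed to be set by an authentication guard that runs earlier.

```javascript
// Constructed sample user store; in a real app this comes from the database.
const USERS_BY_ID = new Map([
  ['alice', { allowedIp: '203.0.113.10' }],
  ['bob', { allowedIp: '2001:db8::1' }],
]);

// Node reports IPv4 clients on a dual-stack socket as "::ffff:a.b.c.d", so
// normalise before comparing with the stored value.
function normaliseIp(ip) {
  if (typeof ip !== 'string' || ip.length === 0) return null;
  const m = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(ip);
  return (m ? m[1] : ip).toLowerCase();
}

// Same shape as a NestJS guard (implements CanActivate); in the real app add
// @Injectable() and inject the user repository instead of the Map above.
class StoredIpGuard {
  constructor(users = USERS_BY_ID) {
    this.users = users;
  }

  canActivate(context) {
    const req = context.switchToHttp().getRequest();
    // req.user is assumed to have been set by an authentication guard that
    // runs first; an IP check alone does not identify anyone.
    const user = req.user && this.users.get(req.user.id);
    if (!user) return false;
    // req.ip follows Express's 'trust proxy' setting: leave it off unless a
    // proxy you control is the one writing X-Forwarded-For.
    const clientIp = normaliseIp(req.ip);
    return clientIp !== null && clientIp === normaliseIp(user.allowedIp);
  }
}

// Minimal stand-in for ExecutionContext so the guard can be exercised here.
function fakeContext(req) {
  return { switchToHttp: () => ({ getRequest: () => req }) };
}

const guard = new StoredIpGuard();
console.log(guard.canActivate(fakeContext({ ip: '::ffff:203.0.113.10', user: { id: 'alice' } })));
console.log(guard.canActivate(fakeContext({ ip: '198.51.100.7', user: { id: 'alice' } })));
```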
In essence, only allow requests/responses to/from Azure Front Door. There are different options, however, I'm having trouble finding details on implementation and best practices. I think the proper solution would be to create a Virtual Network to use to integrate the two services.
One nuance exists, the Web Apps have staging slots that may require a different solution since they use Azure Active Directory to prevent public access to pre-production.
I found a little more insight here, but still found it a bit confusing.
It seems that if I have a custom domain with subdomains with Front Door, there should be an easy way to prevent direct access to the backend addresses of the Web Apps and only allow through the custom DNS and Front Door.
This was helpful, however, I'm still getting 403 from the Front Door, so I must be missing something in how to configure.
Middleware? This also was helpful, but seems to indicate it can only be accomplished by middleware and I'm running Node/Express not .NET Core. Is it true, it can only be accomplished through middleware code?
This also mentions the same details.
What is missing? How to configure this across different application stacks.
The documentation is inaccurate when it states
> To lock down your application to accept traffic only from your specific Front Door, you will need to set up IP ACLs for your backend and then restrict the traffic on your backend to the specific value of the header 'X-Azure-FDID' sent by Front Door. These steps are detailed out as below:
It requires either setting up IP ACLs for your backend or implementing middleware code to conditionally match on your specific header value for 'X-Azure-FDID'. Both may not be required, the documentation is unclear.
I think you DO need both IP ACLs and checking the 'X-Azure-FDID' header. (I wish it was not needed...). If you only use IP restriction, your back-end is still open for all Front Doors around the globe, also those of other Azure Customers. And if you use only the check on the 'X-Azure-FDID' header, you are open for attackers trying to guess the header with brute force. Only the combination of IP ACL and checking the header will protect your back-end, because then you can be sure that the 'X-Azure-FDID' header was indeed added by a real Front Door service, and not spoofed.
See also this post, where it's explained clearly.
Ok so people keep botting my multi-ogar edited server (which is like an agar.io private server), and I noticed that they all use the same user-agent. How can I use ws to detect how many connections are coming from the same user agent so I can block them?
Something like
if (useragentconnections >= 3) { // compare, not assign: "+=" would always be truthy
  ws.terminate();
}
Unless you require some sort of account login/authentication, there is no foolproof mechanism to identify the same user-agent. Here are some techniques that can be used, each with varying degrees of success:
Cookie the connection with some sort of unique ID. All webSocket connections start with an http request so you can cookie them. If this is from a browser, the cookie will be presented at each new webSocket connection from that user agent and you can identify them. If this is a programmatic webSocket coming from some custom code, then they may not retain the cookie so this would not work.
Look at the IP address and count connections from that IP address. If the user is an individual home user, then this will uniquely identify any users connecting from that home network. If this is a corporate user, then there may be many users on that corporate network that appear to be coming from the same IP address via NAT so you may falsely identify lots of users within the same corporate/business network as having the same IP address.
Require some sort of account login/authentication and have some terms of service. If you identify misuse either automatically or manually, you can then ban that account.
Require some manual "human" intervention in order to get logged onto your server such as a captcha. This is to prevent automatic programmatic logins and require that a human be on the other end.
I'd like to write a basic DNS API service using NodeJS; I have an external (black-boxed) service that both generates random URL(s) as access points: https://<host_name>/<UUID> and pushes these URL(s) to my service.
I would like a way to link these URL(s) with static names that a user can create (upon registration). The idea is that users would be able to generate a static key (unique identifier) and use these "keys" (unique identifiers) to access (by redirection) a given URL; for example, suppose that the temporary link (one of the ones that is being pushed into my DNS service) looks like this: http://cool_server/2938ba6e-e54e-4393-926f-dacc91c2a33e (the UUID keeps changing every x number of minutes), the user creates an account on my object_DNS_service and generates a static key (or string that is unique): link_to_cool_server.
I would like my DNS service to link http://cool_server/2938ba6e-e54e-4393-926f-dacc91c2a33e to http(s)://link_to_cool_server.<my_host_name> such that no matter how often that URL that is being pushed into my service changes, a user would be able to still access it by redirection, using my own host-name and their unique key/string:
My question is: would the DNS module in NodeJS be able to help me solve this problem? - how should I go about this?
Use wildcard dns on <my_host_name> such that <anything>.<my_host_name> resolves to the ip address of your node server
There will be a single endpoint/route on that node server which pulls the <key> out of the url https://<key>.<my_host_name>
The endpoint then looks up the current UUID for <key> in your database
Responds to the request with a redirect to https://cool_server/<UUID>
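The single route from the steps above, as an added example that is not part of the original answer: example.test stands in for <my_host_name>, the key/UUID store is a constructed in-memory Map, and the push endpoint only accepts URLs on the expected upstream origin so a forged push or Host header can never steer the redirect elsewhere.

```javascript
const MY_HOST = 'example.test';          // stands in for <my_host_name>
const UPSTREAM = 'https://cool_server';   // origin of the pushed URLs

// Constructed sample store: key -> current UUID, replaced on every push.
const currentUuidByKey = new Map([
  ['link_to_cool_server', '2938ba6e-e54e-4393-926f-dacc91c2a33e'],
]);

const KEY_RE = /^[a-z0-9_-]{1,63}$/;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Called when the external service pushes a new URL; only an exact-origin
// URL with a well-formed UUID is stored, so the redirect target is never
// whatever the pusher happened to send.
function recordPushedUrl(key, url) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  const uuid = parsed.pathname.slice(1);
  if (parsed.origin !== UPSTREAM || !UUID_RE.test(uuid) || !KEY_RE.test(key)) return false;
  currentUuidByKey.set(key, uuid);
  return true;
}

// Pull <key> out of "<key>.<my_host_name>[:port]". Returns null unless the
// Host header is under our domain, so a forged Host is never used for lookup.
function keyFromHost(hostHeader) {
  const host = String(hostHeader || '').toLowerCase().replace(/:\d+$/, '');
  const suffix = '.' + MY_HOST;
  if (!host.endsWith(suffix)) return null;
  const key = host.slice(0, -suffix.length);
  return KEY_RE.test(key) ? key : null;
}

// What the single route answers for a given Host header.
function resolveRedirect(hostHeader) {
  const key = keyFromHost(hostHeader);
  const uuid = key === null ? undefined : currentUuidByKey.get(key);
  if (!uuid) return { status: 404, location: null };
  // 302 rather than 301 so clients do not cache a UUID that will rotate.
  return { status: 302, location: `${UPSTREAM}/${uuid}` };
}

// node:http request handler; run with http.createServer(handle).listen(80).
function handle(req, res) {
  const r = resolveRedirect(req.headers.host);
  res.writeHead(r.status, r.location ? { Location: r.location } : {});
  res.end();
}
```

Node's dns module is not involved: the wildcard record lives at your DNS provider, and the server only reads the Host header.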
I have a REST API developed using the MEAN stack. Everything works fine, but now I need to limit the access to specific endpoints to specific IP addresses.
For example, I have the following endpoints:
/api/balance
/api/account
/api/register
/api/user/details //<-- this one I want to limit access only by ip xxx.xxx.xxx.xxx (or list of ips)
My first thought is to create a middleware to intercept all requests, check if the endpoint access is limited and the origin IP and decide what to do.
Is there a better solution or a proper way to do this?
I realize that mac addresses or machine ids aren't transferred over the internet, however, I would like to lock down our subscription-based website security so that only specific computers can register and have access to its resources.
Large organizations will subscribe to our service and will undoubtedly have more than one ip for their organization. As well, we'd like to give the ability for their qualified employees to access the website on devices outside of their physical organization (for road-trip presentations, etc.).
Is there a sure-fire way to achieve this end (beyond the username/password assigned to each account)? If not, what would be the most effective approach?
Instead of restricting access via IP, you want to use something that's actually secure.
Username and password over an HTTPS connection should at least be unsniffable, but you might want to look into client SSL certificates. They can be configured in Apache or other web server software. If username/password authentication is not enough, this is the next (and perhaps final) step up.
UPDATE:
That said, what many application providers will do is provide a method for subscribers to implement an ACL for their accounts. You can even force people to consider their ACL before allowing them to access your services. Think of it this way:
An account is set up in your system allowing login from anywhere. Upon creation, the ACL is UNSET.
User logs in and is immediately directed to an ACL setup page, where they must provide either an IP address or range or subnet associated with their account. You can be clever and pre-populate things with their existing IP address or subnet, perhaps even looking things up at ARIN to see if their IP is in a network assigned to the company name on their account.
Once the ACL is set (or they have, despite your warnings, confirmed that they want to keep their ACL open), they can access your services.
If they try to log in from elsewhere, they (and you) are notified via email (or SMS or whatever) of an attempted breach.
If they no longer have access to their ACL-listed IPs (i.e. IP renumbering due to a new upstream Internet provider and bad planning), they can call your phone support who will validate them by other means. FAX confirmation perhaps, because that's SO secure...
A user-managed ACL is not a "sure-fire" way, but it may be sufficiently effective for your needs, and it will certainly instill a sense in your customers that you have their best interests at heart.
There is no sure-fire way. That's in the nature of networks. You accept data from a remote machine and you have to trust it at least to some extent.
Take the simple username/password approach. If the username and the password match, you have to trust that they were entered by the person that the username and password were intended for. This does not fundamentally change if you require more data to be sent by the client.