I have a REST Api developed using MEAN stack. Everything works fine but now I need to limit the access to specific endpoints to specific IP addresses.
For example, I have the following endpoints:
/api/balance
/api/account
/api/register
/api/user/details //<-- this one I want to limit access only by ip xxx.xxx.xxx.xxx (or list of ips)
My first thought is to create a middleware to intercept all requests, check if the endpoint access is limited and the origin IP and decide what to do.
There's a better solution or a proper way to do this?
Related
I am trying to create a saas and for that, I need to create an API and I am not sure how can I create an endpoint like this https://api.karix.io/message/ here domain is https://api.karix.io and endpoint is the message. I know how to create an API using nodejs but not sure how can I create for the domain-specific.can anyone help me with this problem?
A domain is basically a link to an ip-adress. There are DNS-Servers who transate between the human readable form and the ip.
If you want to run your app on a specific domain you need to purchase that domain (which can be quite costly) and the dns Server will create a link between the domain name and ip adress.
So basically you dont need to do anything in order to create the rest-api for your domain.
Later the request are similiar to this:
https://api.karix.io/message/
http://192.168.111.111:80/message <- The ip obviously differs in production
The name of the domain should be accessible in your request-Object atleast in the express framework.
In essence, only allow requests/responses to/from Azure Front Door. There are different options, however, I'm having trouble finding details on implementation and best practices. I think the proper solution would be to create a Virtual Network to use to integrate the two services.
One nuance exists, the Web Apps have staging slots that may require a different solution since they use Azure Active Directory to prevent public access to pre-production.
I found a little more insight here, but still found it a bit confusing.
It seems that if I have a custom domain with subdomains with Front Door, there should be an easy way to prevent direct access to the backend addresses of the Web Apps and only allow through the custom DNS and Front Door.
This was helpful, however, I'm still getting 403 from the Front Door, so I must be missing something in how to configure.
Middleware? This also was helpful, but seems to indicate it can only be accomplished by middleware and I'm running Node/Express not .NET Core. Is it true, it can only be accomplished through middleware code?
This also mentions the same details.
What is missing? How to configuration this across different application stacks.
The documentation is inaccurate when it states
< To lock down your application to accept traffic only from your specific Front Door, you will need to set up IP ACLs for your backend and then restrict the traffic on your backend to the specific value of the header 'X-Azure-FDID' sent by Front Door. These steps are detailed out as below:
It requires either setting up IP ACLs for your backend or implementing middleware code to conditionally match on your specific header value for 'X-Azure-FDID'. Both may not be required, the documentation is unclear.
I think you DO need both IP ACLs and checking the 'X-Azure-FDID' header. (I wish it was not needed...). If you only use IP restriction, your back-end is still open for all Front Doors around the globe, also those of other Azure Customers. And if you use only the check on the 'X-Azure-FDID' header, you are open for attackers trying to guess the header with brute force. Only the combination of IP ACL and checking the header will protect your back-end, because then you can be sure that the 'X-Azure-FDID' header was indeed added by a real Front Door service, and not spoofed.
See also this post, where it's explained clearly.
I'd like to write a basic DNS API service using NodeJS; I have an external (black-boxed) service that both generates random URL(s) as access points: https://<host_name>/<UUID> and pushes these URL(s) to my service.
I would like a way to link these URL(s) with static names that a user can create (upon registration). The idea is that users would be able to generate a static keys (unique identifiers) and use these "keys" (unique-identifiers) to access (by redirection) a given URL; for example, suppose that the temporary link ( one of the ones that is being pushed into my DNS service) looks like this: http://cool_server/2938ba6e-e54e-4393-926f-dacc91c2a33e (the UUID keeps changing every x number of minutes), the user creates an account on my object_DNS_service and generates a static key (or string that is unique): link_to_cool_server.
I would like my DNS service to link http://cool_server/2938ba6e-e54e-4393-926f-dacc91c2a33e to http(s)://link_to_cool_server.<my_host_name>such that no matter how often that URL that is being pushed into my service changes, a user would be able to still access it by redirection, using my own host-name and their unique key/string:
My question is: would the DNS module in NodeJS be able to help me solve this problem? - how should I go about this?
Use wildcard dns on <my_host_name> such that <anything>.<my_host_name> resolves to the ip address of your node server
There will be a single endpoint/route on that node server which pulls the <key> out of the url https://<key>.<my_host_name>
The endpoint then looks up the current UUID for <key> in your database
Responds to the request with a redirect to https://cool_server/<UUID>
I write a chat application in nodejs with a socket.io library, the problem is in the administration of users, is it better to write an administrative logic based on clients ip adress or based on an id-s from the database?
I would appreciate any help.
is it better to write an administrative logic based on clients ip
Most users will connect from a dynamic IP addresses so the IP address they use will most likely change.
You would need some method to authenticate users and identify administrators, normally using some user database.
I've just started using MVC5 and I want to make my website available just for a specific IP address, so I check the client IP address using the following:
Request.UserHostAddress;
I have two users to access to my website and every one have to access from specific IP address, so I need your help to know how to do this note that I use the default user authentication from MVC.
Every single support word is appreciated.