IP based Google API key restriction problem - google-api

I'm using Google YouTube Data API v3 on a PHP based website and it works fine if there is no access restriction. APIs are called only from the server and not from client side.
However, if I setup a IP based restriction then all requests are blocked. It seems, that I set a wrong IP. I have already double checked the IP on my server and with ping as well and it is correct.
Any idea, what can be the problem?

Related

Geocoding API integration with containers and IP whitelisting

I am making requests to the Google Geocoding API within my node project. In production the project is running on Containers (AWS Elastic Container Service) which means the IP address for the service can change automatically - this means that I constantly have to update the IP whitelist in my Google API Key.
IP whitelisting is the only means by which I can secure the API Key. Furthermore, if I don't secure it then the key shortly becomes useless because of unauthorized use from another source.
Is there a practical solution to securing the connection with the Geocoding API from an application running on containers?
Thanks in advance for your help!
When you create your key for the Geocoding API you can simply add no website restrictions. The security implication is that your key is now usable from anywhere so the import of keeping it safe is a bit higher.

API key does not allow access from IP (Heroku)

I'm currently trying to create a website that gets data from the Clash Royale game API (https://developer.clashroyale.com) but they ask my to give an IP address for my API authorization key.
The problem is that my website is hosted on Heroku, and Heroku has several (always changing and more than 10) IP's and I can only give 4 IP addresses on Clash Royale API.
When I give my person IP address and run my code the API is fetched without any problems, but when I push my code to Heroku and open my website, I get this error message:
Invalid authorization: API key does not allow access from IP xx.xxx.xxx.xxx
Is there any way to get a single IP address from Heroku so I can use always the same for my API authorization key?
I found the answer after hours of digging into the interweb :)
I simply used a thing called "Proximo" that apparently converges all of your websites possible IP's to one; see https://devcenter.heroku.com/articles/proximo

URL shortner Api

I am using URL Shortener API to shorten our mobile app download link. (https://www.googleapis.com/)
We have some restrictions on our server such that we don't allow unrecognized IP access.
So I would like to know what would be the IP range that googles use when the URL is shortened using this API (https://www.googleapis.com/).
This will help us to configure our security settings to allow access to these IP's
google-apis-explorer
When you say "using the URL Shortener API", are you referring to making calls to this API from your server (as in outbound traffic is IP restricted) or using the short URL to reach your server (as in inbound traffic is IP restricted)? I'll go ahead and answer both possibilities, but please clarify if these weren't what you meant.
If you're trying to allow calls to this API from your server with outbound traffic IP restricted
The URL shortener API can be called through any of Google's IP addresses. There's no way to get a list of these because they will vary by location, load balancing, etc. Plus, you wouldn't want to attempt to restrict by IP this way because whitelisting even one of Google's IP addresses would allow calls from your server to all of Google's services. This likely includes any service hosted on Google Cloud, which could be a proxy, meaning literally anything in the world could be called this way; you'd be entirely eliminating IP restrictions on your server.
If you're trying to shorten your server's URLs using this API and your server has inbound traffic IP restricted
You shouldn't need to do anything. These URLs are just domain redirects. In the end, the user ends up visiting your website (server) using its actual long URL (there's no proxying), so just whitelist the allows users' IPs and it should work.

Restrict public web application access to specific dynamic source IP addresses

I'm developing a web application using Laravel hosting on a public cloud. Now, the application can be accessed publicly on the internet via domain address. However, I want to restrict to only users who are connecting to the organization networks to be able to use the application since we do not want the application to be used at home or elsewhere.
At the moment, the organization has 2 places (2 public internet networks) where they must be able to access to the application. Both of them are using home-standard internet where IP address changes every time the internet reconnects. As we do not have static IP addresses, I cannot filter user by using IP address filter. The IP filter rule must be changed every time when the organization network reconnected.
My application already have solid authentication and authorization mechanism and, of course, the users must know this information since they must access the app for work. However, this doesn't meet the requirement.
I have thought about the VPN but it (probably) doesn't not work because if we allow user the access to the VPN, they still be able to access the VPN anywhere and use the application outside the work places. If we restrict the VPN client to access from specific IP address, then when the IP changes, the same problem occurs.
To sum up, I would like to ask for the advice on how to restrict the access of web application, hosted on public internet, to the users that are connecting from the public IP address that can change every time when the internet reconnected. The requirement may sound strange but it is as it is. Please feel free to ask for more details if you want to and have a discussions on the suggestions.
Thank you in advance.
You could setup a client for a dynamic dns service (e.g. dyndns) on the client-side.
Then you could use that on the server-side to always check against current IP using that dns.
As alternative you could bind the website to localhost only and only let it be accessed via an pubkey-enforced SSH tunnel (and make that get auto-established by a script/scheduler on the client side, on a permission level outside of the users' reach, so that they can't take the private key needed for the connection anywhere)
You can use different PHP methods and variables to detect from where the request has been originated. Just whitelist your domains and organizations, and allow only them by adding a middleware.
Additionally, you can generate a token using Laravel Passport or you can create your own mechanism, and then use that token to authenticate if the request is valid or not.
Since the IP changes, you can setup a dynamic dns or as suggested on the comment above.

Google API : live server firewall ip address ranges

We are calling Google api via https://www.googleapis.com for social login on our website. Everything works fine upto staging , however on Live server due to firewall restriction api calls are throwing socket exception.
What is the best way to configure our live server to allow connectivity to Google.
Is there a list of ip addresses . How can I make sure it's all up to date.
Note: You must be using Google Maps for Work (paid) in order to host maps on a website that is behind a firewall. Otherwise you are in breach of the terms of service.
As for configuring your firewall, Google will provide you with all of the settings that are needed. You don't need to make constant changes to keep it working.
The primary source of information for configuring your firewall is found here: https://developers.google.com/maps/documentation/business/articles/prelaunch_checklist#firewall
Configure Firewall to Allow Access to the Google Maps API Services
Why it's important: The Maps API services use a variety of domains, some which do not belong to the *google.com domain. If you are behind a restrictive firewall, it is important you understand which Maps API services use which domains.
Failure to allow access to the correct domains will cause API requests to fail, which can break your applications. For a complete listing of domains used by the Maps APIs, please consult our portal resource (login required):
Log in to the Google Enterprise Support Portal
The support portal is only available to Google Maps API for Work users.
Navigate to the "Resources" tab
Select the Resource called "List of domains used by the Google Maps API Family."
You should allow your applications to access these domains.
Please note that we do not recommend managing firewall restrictions by IP address, as the IPs associated with these domains are not static.

Resources