I am trying to implement https support for my GCP VM. For the purpose, I created all the load balancing components i.e. instance group, health check, backend service, url map & target proxy. All were created without error.
However now when I am creating a global forwarding rule for the final step, I am getting the following error:
ERROR: (gcloud.compute.forwarding-rules.create) Could not fetch
resource:
- Invalid value for field 'resource.IPAddress': '35.xxx.xxx.xxx'. Invalid IP address specified.
I am using the following command:
gcloud compute forwarding-rules create fa-global-fwding-rule-1 --target-https-proxy=fa-https-proxy-1 --ports=443 --global --address=35.xxx.xxx.xxx
(IP add digits masked with xxx)
What am I missing?
I already have a working VM instance through http where I had promoted its ephemeral address to a static address (above is the same address 35.xxx.xxx.xxx)
Also once I implement https support, I want the http connect to continue working as well so that my existing apis are not disturbed until I move them to https
Any advice/help?
GCPs Load Balancer does not check to see if the static IP you picked was regional or global. If you accidentally reserved a "regional" IP instead of a "global" IP, it throws that silly error:
Invalid value for field 'resource.IPAddress': '35.xxx.xxx.xxx'.
Invalid IP address specified.
I don’t find any issues with your command, this kind of error is mostly observed due to IP conflict if the specified IP address is in use or not available. The Forwarding Rules map the IP address for your load balancer to the Target Proxy that will handle the requests.So first you will need to create your IP address though. Using this command:
$gcloud compute addresses create my-address --global
And then create a forwarding rule. You will need a global, rather than regional, IP address for your HTTPS load balancer. Using this command :
$gcloud compute forwarding-rules create my-https-forwarding-rule --global
--address 123.123.123.123 --ip-protocol TCP --port-range 443
--target-https-proxy my-https-proxy
Can you confirm if you are using a global or a regional IP address?
For HTTP, You need to create a totally separate Target HTTP Proxy and Forwarding Rule for HTTP. You essentially need to have two load balancers to handle the traffic, and then actually redirect users in your application. Notice that we put the same IP address in for the HTTP Forwarding Rule. This makes it so that we can listen on port 80 and on port 443 at our IP address.
Related
I have a dedicated windows 2012 server with 12 dedicated IPs.
I want to be able to make connections simultaneously from two different ips that I choose.
This will be used for two different browser applications.
I have tried the following:
ForceBindIP %IP_ADDRESS% %APP_EXE%
But the IP doesn't change, the browser always displays the lowest IP from my added range.
I have also experimented with a script that removes all the ips, and then just adds one.
netsh interface ipv4 delete address "Ethernet" 104.251.111.110
netsh interface ipv4 delete address "Ethernet" 104.251.111.111
netsh interface ipv4 delete address "Ethernet" 104.251.111.112
netsh interface ipv4 delete address "Ethernet" 104.251.111.114
....
netsh interface ipv4 add address "Ethernet" 104.251.111.115 255.255.255.0
This changes the address BUT I end up having only one IP for both applications.
If the applications you intend to use doesn't support binding to interfaces/ip (true, it's uncommon), you can use SOCKS or Proxy software (which is a lot more common, especially browsers).
For instance you could install WinGate or Squid http://www.squid-cache.org (which is the one I know most).
Squid-Cache have the ability to bind to different outgoing addresses based on rules (http://www.squid-cache.org/Doc/config/tcp_outgoing_address/ ).
Basically what you need to do is:
install Squid
add ACL for loopback IP mapping, such as:
acl IP110 src 127.0.0.1/32
acl IP111 src 127.0.0.2/32
[...]
tcp_outgoing_address 104.251.111.110 IP110
tcp_outgoing_address 104.251.111.111 IP111
[...]
And the default, which is just formally needed:
tcp_outgoing_address 104.251.111.110
Each application will then need to be configured with a Proxy (or SOCKS, if you go that way), which is a configuration option most commonly available. On the proxy configuration set the corresponding local IP:
for outgoing connection using IP .111, use proxy on 127.0.0.2
for outgoing connection using IP .110, use proxy on 127.0.0.1
.. and so on.
Make sure Squid (or WinGate) bind to localhost 127.0.0.1/24, so you shouldn't have big security concerns, but if this is exposed on internet you may want to proceed to security assessment anyway.
This way if you decide to offload some application remotely, to other server, you can still manage to use the same outgoing IP(s), you just need to change squid configuration to allow external connection, which could be a big plus for scaling.
It looks like you're searching for a fix involving little rework of the browser applications. Assuming that you're using IIS to serve the applications, you should:
Using File Explorer or command line, soft-link the application configuration in another root folder for each instance of the browser application.
Using IIS, recreate the application as a site for each of the above browser application folders.
Using IIS, bind each instance of the browser application to the IP address you wish to serve it with.
Caveat: It's tempting to use the same app pool for all instances, but evaluate your hardware before! Remember that (depending on the application requirements) you create a single point of failure when using a single app pool. Create separate app pools with identical parameters to reduce this risk.
I've been trying to find the correct situtation when to use GetHostAddresses or GetHostEntry. I understand by reading this article (http://msdn.microsoft.com/en-us/library/ms143998(v=vs.110).aspx) that GetHostEntry will do the reverse dns lookup and GetHostAddresses does not..
However under what exact scenario you need to use GetHostEntry rather than GetHostAddresses? also, what is the primary reason for GetHostEntry method to perform reverse DNS lookup?
GetHostEntry(hostNameOrAddress)
The GetHostEntry method queries a DNS server for the IP address that is associated with a host name or IP address.The method assumes that if an IP literal string is passed in the hostNameOrAddress parameter that the application wants an IPHostEntry instance returned with all of the properties set. These properties include the AddressList, Aliases, and HostName.
This method can be used if you want to find the hostname associated with an IP address.
Reverse DNS is mostly for such things as tracking where a web-site visitor came from, or where an e-mail message originated etc. It is typically not as critical in as forward DNS - visitors will still reach your web-site just fine without any reverse DNS for your web-server IP or the visitor's IP. Reverse DNS is important for one particular application.Many e-mail servers on the Internet are configured to reject incoming e-mails from any IP address which does not have reverse DNS.
GetHostAddresses(hostNameOrAddress)
But the GetHostAddresses method queries a DNS server for the IP addresses associated with a host name. If hostNameOrAddress is an IP address, this address is returned without querying the DNS server. This query will return all the IP addresses related to the hostname you provide.
The difference between GetHostEntry and GetHostAddresses is that whenever you give an IP address to GetHostEntry it will query the DNS server and try to get the hostname for that IP address and then get all the addresses associated with it.If the data for a successfull reverse resolve is not in your DNS server, this will fail.
One scenario where I see it useful as opposed to GetHostAddresses would be if you already know one IP address of a host and want to find the other IP Addresses. If an IP is specified as parameter, GetHostEntry would return all addresses while the GetHostAddresses will return only one (when IP is specified as parameter).
I have a ruby server based on TCPSocket (non-HTTP).
I have 2 different domains, both pointing with an A-Record to my servers IP Address (the same one). So, there are clients connecting to one of those domains.
Is it possible to tell which domain a client was connecting to?
I saw that this is possible in other protocols, but I'm not sure if this is based on manually added headers or really extracted from the basic tcp/ip connection. E.g. in PHP there is $_SERVER["HTTP_HOST"] which shows to which domain a client was connecting.
At the TCP socket level, the only things that are known are the source and destination IP addresses (and ports) of the connection. How the IP address was resolved via DNS is not possible to know at this layer. Even though HTTP works on top of TCP, HTTP servers have to look at the HTTP headers from the client to know which domain they are making a request to. (That's how the HTTP_HOST value gets filled in.)
One possible solution is to configure your server to have an additional IP address. This can be by assigning an additional IP address to the NIC or adding an additional NIC. Then have each domain use a different IP address. Otherwise, this is not possible and you may want to consider your application protocol on top of TCP to convey this information.
http://ipfuck.paulds.fr/
We've been recently getting hammered by this Firefox plug-in. It sends a fake IP in the headers so when our nginx web server picks up the IP it is a fake one.
Is there any way to get a real IP address or block out requests that have this plug-in installed?
There is actually no client IP entries in any HTTP Headers. There are only some un-official proxy headers which are added to a request, so that a proxy server can tell you the real ip of the connecting client (since the tcp socket will only reveal the IP address of the proxy server).
The plugin you linked to adds those proxy headers, to "fake" a proxy request, by adding a X-Real-IP: 1.2.3.4 or X-Forwarded-For: 1.2.3.4 header to the request. But no one forces you to use that IP address (which can be fake, like the 1.2.3.4 example here), you can always use the IP address of the socket that initiated the connection - which will be the client's real IP address if he uses the mentioned plugin.
Within the location section of your nginx configuration, you get the socket IP address through the $remote_addr variable. To retrieve the "fake" IP address, you can use $http_x_forwarded_for or $http_x_real_ip variable.
If you are using any application/cgi backend, you usually can examine the full headers and the socket IP address (i.e. in PHP you should check $_REQUEST and $_HEADERS variables)
Imagine a Windows box, which:
hosts a WCF service
has multiple NICs
sits behind NAT
When a user issues a request to the service (on top of the WCF infrastructure), he uses the external address assigned to the target machine by the NAT.
I have to write some piece of code inside the WCF service, which must know which of the several NICs that the machine has was used to actually handle the network traffic. How does this code identify the NIC is less important - it could be its MAC address (the best) or it could be the (internal) IP address of the NIC.
How can I do it?
EDIT1
I will try to supply the question context. There are two agents. Both expose the same WCF service. In addition, one of the agents can be instructed to start probing the network towards the second agent in the following fashion:
Agent A is asked to probe the network to agent B
Agent A negotiates with agent B the UDP port to utilize for the sake of probing using the WCF service exposed by the agent B.
Once negotiation is over, the agent A starts some custom protocol over UDP, where the agent B acts as the server - i.e. it binds to the UDP port negotiated in the previous item.
Binding to a UDP port requires two pieces - the IP address and UDP port, where the IP address can either be a specific IP address or * (to bind to all the IP addresses associated with the machine). The latter option is not good for us - I will omit the reasons. This leaves us the former option - binding to the specific IP address. However, when the agent B is behind NAT, the IP address used to talk to the WCF service is the external IP address assigned to the agent by the NAT. Binding, on the other hand, requires the respective internal IP address - how to get it?
Can you check the OperationContext.Current.Channel.LocalAddress (it's an EndpointAddress) inside a WCF operation?
As a side note, getting the remote address can be done with:
OperationContext context = OperationContext.Current;
MessageProperties prop = context.IncomingMessageProperties;
RemoteEndpointMessageProperty endpoint =
prop[RemoteEndpointMessageProperty.Name] as RemoteEndpointMessageProperty;
string ip = endpoint.Address;
--larsw
To get the MAC use
System.Net.NetworkInformation.NetworkInterface.GetPhysicalAddress();
All Nics:
System.Net.NetworkInformation.NetworkInterface.GetAllNetworkInterfaces();
to find out what is the real listening ip address you can write a code that listen to your port on each address and ping it from an agent emulator to see that the address is valid.
Cheers,
Gilad