I am writing a custom AccessDecisionVoter that will allow access to certain resources only if the remote address of the request is found in a list of allowed IP addresses. However, the value of the remote address returned by WebAuthenticationDetails.getRemoteAddress() is in a format that appears to be IPv6. When running my app locally, this is what is returned by the above method:
0:0:0:0:0:0:0:1%0
I'm storing the allowed addresses in a comma-delimited list in a properties file. The list is parsed and each allowed address is compared to the remote address, but since I have no idea how to translate an IPv4 address into an IPv6 address, this comparison will always fail.
So is this the value that is always returned by WebAuthenticationDetails.getRemoteAddress(), or am I seeing this only because I'm running this locally?
Is there some way to convert this string to an IPv4 string?
Is there some way to have the method in question return an IPv4 string instead?
Thanks!
You cannot convert an IPv6 address to an IPv4 address. They represent two different protocols. The address of getRemoteAddress() will be in a format depending on the protocol used to create the request to the webapp. I guess that you see the IPv6 address only when using the app locally. 0:0:0:0:0:0:0:1 is the address of localhost, which is the same as 127.0.0.1 in IPv4. I think you should simply add this IPv6 address to the list of allowed IPs.
Researching on how a server can figure out a client's IP address, I see that one needs to inspect the X-Forwarded-For header chain.
I understand that the client, ISP, and then routers and proxies declare their IP addresses there.
However, the server handler also has access to req.RemoteAddr field to read the client's IP address. How is that RemoteAddr determined exactly? Is it based on a specific header in the request? If yes, which one(s)?
I have tried inspecting the usage of the field and how it is set but the implementation details are hidden behind an interface.
The net/http server sets RemoteAddr to the string form of the network connection's remote address. The string is typically in the format "IP:port".
In the case of a TCP connection (the typical scenario), the network connection remote address is taken from the IP source address and the TCP source port.
The address can be the address of the client or a proxy.
The net/http server does not consider the headers when setting RemoteAddr.
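An added example, not part of the original posts: an allowlist check over a RemoteAddr-style string, covering both the comma-delimited allowlist comparison from the first question and the "IP:port" format described in this answer. It goes beyond the list of single addresses by also accepting CIDR prefixes; the function names `parseIP`, `parseAllowlist` and `allowed` and the sample list are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// parseIP drops any IPv6 zone ("%0") and unmaps ::ffff:a.b.c.d to a.b.c.d.
func parseIP(s string) (netip.Addr, error) {
	a, err := netip.ParseAddr(s)
	return a.WithZone("").Unmap(), err
}

// parseAllowlist reads a comma-delimited list of IPs or CIDR prefixes.
func parseAllowlist(list string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, item := range strings.Split(list, ",") {
		item = strings.TrimSpace(item)
		p, err := netip.ParsePrefix(item)
		if a, aerr := parseIP(item); aerr == nil { // bare IP: exact-match prefix
			p, err = netip.PrefixFrom(a, a.BitLen()), nil
		}
		if err != nil {
			return nil, fmt.Errorf("bad allowlist entry %q: %w", item, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// allowed checks a RemoteAddr-style "IP:port" string; unparseable input is
// denied. Behind a proxy RemoteAddr is the proxy's address, not the client's.
func allowed(remoteAddr string, allow []netip.Prefix) bool {
	host, _, _ := net.SplitHostPort(remoteAddr) // host is "" on error, rejected below
	a, err := parseIP(host)
	for _, p := range allow {
		if err == nil && p.Contains(a) {
			return true
		}
	}
	return false
}

func main() {
	allow, _ := parseAllowlist("127.0.0.1, ::1, 10.0.0.0/8") // constructed sample list
	fmt.Println(allowed("[0:0:0:0:0:0:0:1%0]:51234", allow), allowed("203.0.113.7:9000", allow))
}
```

The IPv4 and IPv6 loopback addresses remain distinct entries: a list containing only 127.0.0.1 does not admit ::1, so both must be listed if both should be allowed.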
I tried turning on Direct protocol v4.00 today; however, I hit a snagging point with IP address handling. Some client IP addresses are IPv6 addresses, e.g.: 2a02:c7f:d192:dc00:de4:a84d:aab5:8225 (I've tweaked this address a little)
When I send these IPv6 addresses through I get the following error:
VPSProtocol=4.00
Status=INVALID
StatusDetail=3067 : The ClientIPAddress is too long.
VPSTxId={03F24DE5-60E6-FE73-0BFA-SOMETHING}
If I omit the IP address altogether, I get the following error:
VPSProtocol=4.00
Status=INVALID
StatusDetail=3333 : The ClientIPAddress is missing.
VPSTxId={983A157B-8866-A6C9-A4AC-SOMETHING}
So, what am I meant to do when presented with an IPv6 address? Fall back to Direct protocol v3.00??
I am trying to implement https support for my GCP VM. For the purpose, I created all the load balancing components i.e. instance group, health check, backend service, url map & target proxy. All were created without error.
However now when I am creating a global forwarding rule for the final step, I am getting the following error:
ERROR: (gcloud.compute.forwarding-rules.create) Could not fetch
resource:
- Invalid value for field 'resource.IPAddress': '35.xxx.xxx.xxx'. Invalid IP address specified.
I am using the following command:
gcloud compute forwarding-rules create fa-global-fwding-rule-1 --target-https-proxy=fa-https-proxy-1 --ports=443 --global --address=35.xxx.xxx.xxx
(IP add digits masked with xxx)
What am I missing?
I already have a working VM instance through http where I had promoted its ephemeral address to a static address (above is the same address 35.xxx.xxx.xxx)
Also, once I implement https support, I want the http connection to continue working as well so that my existing APIs are not disturbed until I move them to https.
Any advice/help?
GCP's Load Balancer does not check to see if the static IP you picked was regional or global. If you accidentally reserved a "regional" IP instead of a "global" IP, it throws that silly error:
Invalid value for field 'resource.IPAddress': '35.xxx.xxx.xxx'.
Invalid IP address specified.
I don’t find any issues with your command; this kind of error is mostly observed due to an IP conflict, if the specified IP address is in use or not available. The Forwarding Rules map the IP address for your load balancer to the Target Proxy that will handle the requests. So first you will need to create your IP address, using this command:
$ gcloud compute addresses create my-address --global
And then create a forwarding rule. You will need a global, rather than regional, IP address for your HTTPS load balancer. Using this command:
$ gcloud compute forwarding-rules create my-https-forwarding-rule --global \
    --address 123.123.123.123 --ip-protocol TCP --port-range 443 \
    --target-https-proxy my-https-proxy
Can you confirm if you are using a global or a regional IP address?
For HTTP, you need to create a totally separate Target HTTP Proxy and Forwarding Rule for HTTP. You essentially need to have two load balancers to handle the traffic, and then actually redirect users in your application. Notice that we put the same IP address in for the HTTP Forwarding Rule. This makes it so that we can listen on port 80 and on port 443 at our IP address.
I've been trying to find the correct situation in which to use GetHostAddresses or GetHostEntry. I understand from reading this article (http://msdn.microsoft.com/en-us/library/ms143998(v=vs.110).aspx) that GetHostEntry will do the reverse DNS lookup and GetHostAddresses does not.
However, under what exact scenario do you need to use GetHostEntry rather than GetHostAddresses? Also, what is the primary reason for the GetHostEntry method to perform a reverse DNS lookup?
GetHostEntry(hostNameOrAddress)
The GetHostEntry method queries a DNS server for the IP address that is associated with a host name or IP address. The method assumes that if an IP literal string is passed in the hostNameOrAddress parameter that the application wants an IPHostEntry instance returned with all of the properties set. These properties include the AddressList, Aliases, and HostName.
This method can be used if you want to find the hostname associated with an IP address.
Reverse DNS is mostly for such things as tracking where a web-site visitor came from, or where an e-mail message originated etc. It is typically not as critical as forward DNS - visitors will still reach your web-site just fine without any reverse DNS for your web-server IP or the visitor's IP. Reverse DNS is important for one particular application. Many e-mail servers on the Internet are configured to reject incoming e-mails from any IP address which does not have reverse DNS.
GetHostAddresses(hostNameOrAddress)
But the GetHostAddresses method queries a DNS server for the IP addresses associated with a host name. If hostNameOrAddress is an IP address, this address is returned without querying the DNS server. This query will return all the IP addresses related to the hostname you provide.
The difference between GetHostEntry and GetHostAddresses is that whenever you give an IP address to GetHostEntry it will query the DNS server and try to get the hostname for that IP address and then get all the addresses associated with it. If the data for a successful reverse resolve is not in your DNS server, this will fail.
One scenario where I see it useful as opposed to GetHostAddresses would be if you already know one IP address of a host and want to find the other IP Addresses. If an IP is specified as parameter, GetHostEntry would return all addresses while the GetHostAddresses will return only one (when IP is specified as parameter).
I am trying to set up a private IPv6 network with two Windows 7 machines for testing my application. I have written sample code to test the socket APIs. I have created an IPv6 socket. When I try to bind with the link-local address (which I get from the ipconfig command), the error code is 10049.
Please inform me why the bind with the IPv6 address is failing on the Windows 7 machine.
If you're using a link-local IPv6 address, you probably need to set the sin6_scope_id field in your sockaddr_in6 structure to indicate which interface you want to listen on. A link-local address is ambiguous, since every interface must have a link-local address assigned, and they all use the same prefix. (fe80::/64)
You should probably bind() your listen socket to the unspecified address (all-zeroes or ::) so this isn't an issue, but it will still be a problem for the sending side. If you don't specify the sin6_scope_id, the system won't know which interface to send the packet on.
To avoid the issue, it would be best to set up an IPv6 router that does router advertisements, so you can get global unicast (or, at a minimum, unique local) addresses.