How to recover a customer’s IP?

Viewed 78 times

0

I am working on my first professional project using Node.js. In it I make changes to the security groups of AWS EC2 instances.

One of the values the system updates is the client's IP. I am currently using the Ipify API to retrieve the IP. But the API is returning the server's IP, and I need it to be the client's IP.

The code calling the API looks like this:

const http = require('http')
http.get({ host: 'api.ipify.org', port: 80, path: '/' }, function (resp) {
  resp.on('data', function (ip) {
    // Ipify answers with the public address of whoever made the request (here, the server)
    const ipCliente = ip.toString('utf8') + '/32'
    console.log(ipCliente)
  })
})

In a similar question, the suggested solution was to skip the API and simply read it from the route request, as follows:

const ipCliente = req.connection.remoteAddress

But the returned IP is ::1.

  • 1

    I read about Ipify, and what it does is return your own public IP, is that right? When I need to capture the IP of a request I use something like @supercharge/request-ip together with Express. Did you test with this package? I imagine req.connection.remoteAddress is from Express, but have you tried req.ip?

  • 1

    Does reading the X-Forwarded-For request header solve your problem? const ipCliente = req.headers['x-forwarded-for']

  • Gentlemen, both of the suggested commands returned ::1 to me. I suspect it's some bug related to the host location.

  • 1

    Problem solved! As I was working with tests on localhost, the req.ip method was returning ::1 because it is a prefix of the future IPv6. When testing on EC2 the IP was retrieved correctly. Thank you for all your help!

1 answer

1

I work with Golang on EC2 and have also had similar problems. In Go I usually use the Gin framework to manage routes and endpoints, and to get the IP address of the request I use the ClientIP() function.

Looking at the framework's source, it explains that to get the true IP of the client we have to read the X-Forwarded-For header; if it doesn't exist we try the X-Real-Ip header, then the X-Appengine-Remote-Addr header, and as a last resort it uses the RemoteAddr.

I believe this is the best way, and it's the same need: trying to get the true IP of the client.

// ClientIP implements a best effort algorithm to return the real client IP, it parses 
// X-Real-IP and X-Forwarded-For in order to work properly with reverse-proxies such us: nginx or haproxy. 
// Use X-Forwarded-For before X-Real-Ip as nginx uses X-Real-Ip with the proxy's IP.

Source: https://github.com/gin-gonic/gin/blob/7742ff50e0a05d079a0c468ccfbf7c6ecfe2414b/context.go#L728

  • 2

    What Gin does is insecure; X-Forwarded-For can be forged.

  • 2

    Apparently someone has already reported this: https://github.com/gin-gonic/gin/pull/2474, even with a CVE (https://nvd.nist.gov/vuln/detail/CVE-2020-28483). To date they have not fixed it. The CVE states: "This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header." This will only be safe if you are really sure that the X-Forwarded-For header was stripped by some reverse proxy (and that the proxy was the one that set it) and that the connection comes from it (and not from outside).

  • 1

    Eduardo, unfortunately I cannot use this method: the system I am developing is for the security settings of the instances' firewall, and any small breach makes the system invalid.

  • So unfortunately I don't know what to do or how to help you; I don't understand much about this part of networking and instance settings and how it all works. I just have some knowledge of how Gin works, and I only used it for purposes that didn't care so much about IP accuracy.
