IP Address in ewd-session


Nicogram

Sep 24, 2021, 5:58:17 AM
to Enterprise Web Developer Community
On my development system, ewd-session contains the IP address of the logged-in user. I will use this IP address for security reasons.

However, when I deploy my application to production, QEWD does not store the IP address in ewd-session (always ::1).

Does anybody know what to do to also have the IP address of the logged-in user stored in ewd-session on the production system?

Nico van der Wouden

Sep 24, 2021, 12:55:47 PM
to Enterprise Web Developer Community
Attachments: Testsystem with IP Adress.png, Operational system no IP Address.png

On Friday, 24 September 2021 at 11:58:17 UTC+2, Nicogram wrote:

Nico van der Wouden

Sep 24, 2021, 12:57:41 PM
to Enterprise Web Developer Community
The server is Cache 2018.1, on development system running on Win10, on production on Windows Server 2012.

On Friday, 24 September 2021 at 18:55:47 UTC+2, Nico van der Wouden wrote:

OldMster

Sep 24, 2021, 1:17:38 PM
to Enterprise Web Developer Community
Are you using an IP address for the development server, and a DNS name for the production server perhaps?
Mark

Nico van der Wouden

Sep 27, 2021, 4:06:48 AM
to Enterprise Web Developer Community
Hi Mark,

The development server is in a local network and the connection is also local.
The production server is in the cloud and the connection is over internet.
 
Should this make a difference?

Nico

On Friday, 24 September 2021 at 19:17:38 UTC+2, OldMster wrote:

Rob Tweed

Sep 27, 2021, 5:27:06 AM
to Enterprise Web Developer Community
Nico

As far as the IP address is concerned, QEWD is picking up what is passed to it by Express and it, in turn, picks up what information it can from the HTTP headers sent by the browser or client. My guess is that the relevant information is being stripped from the incoming HTTP requests by a firewall on the cloud service you're using, but it may be some other configuration issue or the type of browsers/clients your production users are using.

Rob


--
Rob Tweed
Director, M/Gateway Developments Ltd
http://www.mgateway.com

Mike Clayton

Sep 27, 2021, 9:30:59 AM
to Enterprise Web Developer Community
I believe that ::1 is just the compressed version of the IPv6 loopback address 0:0:0:0:0:0:0:1.
I think it's perfectly valid.

Mike

Nico van der Wouden

Oct 13, 2021, 1:00:35 PM
to Enterprise Web Developer Community
Hi Rob,

Thanks for your reply.
It looks like Apache is stripping the incoming IP address. In the access.log from Apache I can see the IP; however, this is apparently not passed to QEWD.
I will study the Apache config to see how the IP address can be passed to EWD.

Nico

On Monday, 27 September 2021 at 11:27:06 UTC+2, rtweed wrote:

wdbacker

Oct 14, 2021, 3:03:34 AM
to Enterprise Web Developer Community

Hi Nico,

The IP address in production is probably passed in somewhere else in the HTTP headers. You can use the request-ip npm module for that; I just wrote a piece of code yesterday to determine the client IP inside the beforeHandler.js code in qewd-up:

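  const ip = require("ip")
  const requestIp = require('request-ip')
  let privateIp = false
  // Prefer the address request-ip derives from the headers; fall back to Express's req.ip
  let clientIp = requestIp.getClientIp(req) || req.ip

  // Flag addresses that are in a private (non-public) range
  if (clientIp && ip.isPrivate(clientIp)) {
    privateIp = true
  }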

The request-ip module looks at a lot of header parameters to determine the client IP. Cloud providers pass in different HTTP headers for this. Using the ip module you can determine if an IP is in a private range (not public). If request-ip does not find an IP address, it takes the IP address passed in by Express inside the request (req) parameter.

However, be aware that these modules fall back to localhost (127.0.0.1 or ::1) if no headers are found; this can be dangerous when you only look at the IP address for security reasons! You should always use a proper authentication mechanism with a login to create a secure token.

HTH,
Ward
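
An added example, not code from the thread or from QEWD, illustrating the loopback caveat in the post above: it accepts X-Forwarded-For only when the TCP peer is a known proxy and reports a loopback result as "client unknown". It assumes Apache reverse-proxies to QEWD on the same host and sets X-Forwarded-For; `resolveClientIp`, `TRUSTED_PROXIES` and the helper names are hypothetical.

```javascript
// Added example; all names are hypothetical, not part of QEWD or request-ip.
// Proxies whose X-Forwarded-For we accept (assumption: Apache on the same host).
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

// Strip the IPv4-mapped IPv6 prefix so '::ffff:10.0.0.5' compares as '10.0.0.5'.
function normalize(addr) {
  const a = String(addr || '').trim().toLowerCase();
  return a.startsWith('::ffff:') && a.includes('.') ? a.slice(7) : a;
}

// Loose syntactic check (not a full parser): dotted IPv4 or hex-and-colon IPv6.
function looksLikeIp(a) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(a)) return a.split('.').every(o => Number(o) <= 255);
  return a.includes(':') && /^[0-9a-f:]+$/.test(a);
}

function isLoopback(a) {
  return a === '::1' || a.startsWith('127.');
}

// req needs only socket.remoteAddress and headers, as on a Node/Express request.
function resolveClientIp(req, trusted = TRUSTED_PROXIES) {
  const peer = normalize(req.socket && req.socket.remoteAddress);
  let ip = peer;
  let source = 'socket';
  // Honour X-Forwarded-For only when the TCP peer is one of our own proxies;
  // otherwise any client could set the header and choose its own address.
  if (trusted.has(peer)) {
    const hops = String(req.headers['x-forwarded-for'] || '')
      .split(',').map(normalize).filter(Boolean);
    // Walk right to left: the rightmost entries were appended by our proxies.
    while (hops.length && trusted.has(hops[hops.length - 1])) hops.pop();
    const candidate = hops.pop();
    if (candidate && looksLikeIp(candidate)) {
      ip = candidate;
      source = 'x-forwarded-for';
    }
  }
  // A loopback or missing result means "client unknown", never "trusted local user".
  const usable = looksLikeIp(ip) && !isLoopback(ip);
  return { ip: usable ? ip : null, source, usable };
}
```

A result with `usable: false` is the `::1` case from this thread: the proxy did not forward an address, so the session has nothing meaningful to compare against.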
