Validating with reCaptcha from Within a Firewall

[Arun Prakash]

Hi,

We use an application server concept which is within a network
firewall and are planning to use reCaptcha solution. But to access the
reCaptcha's verification API "http://www.google.com/recaptcha/api/
verify", we need to open the firewall port from our application server
to google.com. To do that, we need specific IP Address or a group of
IP Addresses to be configured. And from reCaptcha's documentation, it
seems this IP (of reCaptcha) keeps changing every now and then. Is
there any documentation/contact on how to find this set of IPs that we
can configure on our end?

Thanks,
Arun

[Mani Sikka]

Hi Arun,

 

I had the same issue... but need not worry... google has a pool of IP's ... pick one and configure your firewall for that IP... i have been using this approach since many months now... their IP's change perhaps in a round robin fashion.

 

Mani

--
You received this message because you are subscribed to the Google Groups "reCAPTCHA" group.
To post to this group, send email to reca...@googlegroups.com.
To unsubscribe from this group, send email to recaptcha+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/recaptcha?hl=en.

[Arun Prakash]

thanks Mani. But there's still a chance of google IP changing in
future and we'll have to open the firewall port again for that IP. And
in the meantime the captcha validation will not work till the IP is
opened... How does google intimate about the upcoming IP change so we
can take corrective actions before the IP is changed?

> > recaptcha+...@googlegroups.com<recaptcha%2Bunsubscribe@googlegroups .com>
> > .

[P JH]

Is there really a need to specifically allow outgoing traffic for ports 80/443 in your situation? It seems rather restrictive.

To unsubscribe from this group, send email to recaptcha+...@googlegroups.com.

For more options, visit this group at http://groups.google.com/group/recaptcha?hl=en.

--
PJH

[Arun Prakash]

Yes indeed... without getting into much details, its an enterprise
application and so has to be hosted behind a firewall.. not sure of
any enterprise application that opens "all" the outgoing traffic from
their app servers.. by default, all the outgoing traffic are supposed
to be blocked and only if there's a need for specific outbound
traffic, the port has to be opened in the firewall for that specific
target IP.

Thanks,
Arun Prakash

On Dec 4, 1:00 pm, P JH <pauljherr...@gmail.com> wrote:
> Is there really a need to specifically allow *outgoing* traffic for ports

> PJH

[Mani Sikka]

I dont think that they will really intimate about the IP changes... we shall come to know some day when that happens...  google is perhaps aware of this issue and wont play around much..

 

 

To unsubscribe from this group, send email to recaptcha+...@googlegroups.com.

[Arun Prakash]

ha :) well the problem is we cant really take that assumption. I could
have if I was using it for my personal website.. This IP address issue
may be a game changer for us and if its not resolved, we might have to
look into other options like using JCaptcha or something else that
doesnt depend on external services...

Really appreciate your response Mani...

Thanks,
Arun Prakash

[Arun Prakash]

By the way, found this post hidden in the reCaptcha forums:
http://groups.google.com/group/recaptcha/browse_thread/thread/fcb83f307b0628bc/0994b5ab475c98b1?lnk=gst&q=firewall

This is a thread related to reCaptcha moving to google.com and related
notes on IP Address changes...

But the question still remains - is there any static list of IP or IP
ranges for reCaptcha service or will it keep changing..

Thanks,
Arun Prakash

[Mani Sikka]

well that is the reason.... I have coded a switch for recaptcha.. the day it goes down.. use a hot property.. to remove it from the web page.. if that works for you too?
 

To unsubscribe from this group, send email to recaptcha+...@googlegroups.com.

[Arun Prakash]

yes, we have the design similar to that.. if the recaptcha service
goes down, the actual business process should not get affected.. so we
have an automatic switch that disables the captcha (both display and
validation) from the application. But the problem is this changes the
user's experience and also introduces the window for attacks on the
website till the captcha is working again.. thats why I need to know
if there's any policy that google recaptcha team follows to intimate
the users beforehand if there's any IP address change...

[Mani Sikka]

I second that.. but I never read any post from anyone else on this issue, however valid it is... neither have i seen any concrete posts from the recaptcha team...

 

We had JCaptha.. but had to do away with that cuz the audio was too heavy on the server.. and memory leak was an issue..

To unsubscribe from this group, send email to recaptcha+...@googlegroups.com.

[Adrian Godong]

Hi,

Just want to chip in. What kind of firewall software are you using?

I'm quite sure almost all enterprise-grade firewall should be able to
create an exception based on domain name and/or application and/or
port number instead of just IP address.

If yours can't, then it's probably time to upgrade it.

Seriously, if you can only filter by IP address, I think you're better
off with other CAPTCHA provider. I don't think Google will ever
provide one static IP address for reCAPTCHA (what's the point of
having DNS anyway then?).

HTH,

> To unsubscribe from this group, send email to recaptcha+...@googlegroups.com.

> For more options, visit this group at http://groups.google.com/group/recaptcha?hl=en.
>
>

--
Adrian Godong
adrian...@gmail.com

[Mani Sikka]

well i checked my emails... we have exception based on domain name... so you are right :)

[Arun Prakash]

I personally dont know what exact firewall is used, but its a cisco
provided firewall.. and from what I came to know from the network guys
is that its not configurable for domain names, it accepts either IP,
network block (range of IPs) or "Any". We cant use "Any" since it
opens the outbound traffic not only to google.com but to all the other
IPs...

> adrian.god...@gmail.com

[Adrian Godong]

Ha, you're probably hit a bunch of lazy "network guys". :p

[Arun Prakash]

maybe :)
appreciate all your help...

[Shamir pulath]

thanks arun for your privete key is h7hjuhyfj7hgjygffflpoDhsyrwg587jh

--
You received this message because you are subscribed to the Google Groups "reCAPTCHA" group.
To post to this group, send email to reca...@googlegroups.com.
To unsubscribe from this group, send email to recaptcha+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/recaptcha?hl=en.

--
shamirpulath
s/o kuttymammed
shappinkunnu karakunnu (po)

[Adrian Bob]

Hi,

Any news on this ? I'm also in the situation where I need to validate the recaptcha answer within an enterprise environment with servers that use restrictive firewall rules. Where can I find Google's servers IP range so that we can setup rules based on that range ??? Please provide any relevant options.

THANKS!

[Adrian Bob]

Also I found this link https://code.google.com/p/recaptcha/wiki/FirewallsAndRecaptcha
And I ran the command listed there : dig -t TXT _netblocks.google.com
And got the same IPs that were listed on the link so I would say they dont't change the servers that often ?