I need to get the user's IP address from the browser. I know we can get device information from the browser with plain JS without any http requests involved (OS and browser info via User-Agent), but to get the IP address you need to make an HTTP request, as your browser will attaches the IP address as a header of the request so you can get it server-side or in the response of that request in the UI.
I am lacking some basic understanding and I can't see why an HTTP request is required and at what point the IP address is added as a header, if the browser doesn't know how does the header get attached?
I believe OSI_model is the basic knowledge you are looking for.
https://en.wikipedia.org/wiki/OSI_model
HTTP request is just the top layer of the whole network system.
The IP protocol is handled on (Layer 4)Transport Layer and it will not arrived to Application Layer(Layer 7).
The statement -- "your browser will attaches the IP address as a header of the request" is Wrong.
Normally the http request doest not carry source IP information in headers. You can view the https://en.wikipedia.org/wiki/List_of_HTTP_header_fields for normal headers.
But you are right that the sever side should figure out the client's IP. How can it achieve that?
In fact HTTP is an Application Layer protocol. The topic of source IP belongs to Internet layer.
The Internet protocol suite(TCP/IP) will solve that.
Meanwhile it means it's impossible to get your ip directly in browser. Moreover, sometimes it's even impossible to get your public ip address within your System.
For example the WiFi AP normally use DHCP to assign you an private ip only. And use NAT to modify your packets when you send/receive a request.
Related
Detecting visitor IP is easy. But how about detecting DNS server ips of a visitor ?
I found this PHP function, however it finds only domain names' DNS.
dns_get_record("website.com", DNS_ANY);
Is it possible to detect visitor DNS server ?
Yes, you can, like detecting page resolution of visitors.
You need own DNS server and force user to resolve unique dns name. If user tried to resolve it then they will leaks to your DNS server own DNS server address. Next to DNS server have to share information who asked about the unique dns name to your web apps.
It's not easy, but it can be done. There's a demonstration of the approach suggested in a separate answer by Adam Dobrawy at http://ipleak.net/
To add a bit of detail, the way you can implement something like this is:
Part 1 - Set up your own DNS server on myspecialdomain.com
This DNS server needs to be custom written to log and store the incoming request and the source IP address. This storage only needs to be for a short period of time, so something like memcache might work nicely.
The DNS response should be an NXDOMAIN.
Part 2 - Your client-side code
In your Javscript make and store a large random number. Make the browser lookup .myspecialdomain.com. Load this via a JS img tag with an error handler.
In that error handler, now make a query to your server side code passing the random number.
Part 3 - Your web application (server side)
You need to implement some server side logic that takes the random string, looks it up in the datastore, and retrieves the IP address of the DNS server.
Note the IP address here will be the IP Unicast address of the particular server, it won't be an IP Anycast address like 8.8.8.8.
Here you can use GeoIP or Whois databases to determine the owner of that IP address (OpenDNS, Google etc). You can then generate a response to send to the client logic.
DNS resolution is not part of the request itself which means there is no way for the receiver of the request to know which DNS was used by the client (browser).
The DNS request happens first, as it is required to resolve the hostname to an IP address. Once this is complete, then a separate request is performed to the address in question.
The answer is NO. All the server got is a TCP connection to the visitor, that is, an [IP, Port] pair. DNS resolution depends on visitor's local configuration and can be done by a proxy.
I'm now creating a script on my website, which will need a bi-direction connection (the script is a chat room window). But we don't want to create a socket. Instead, we want to make client(the script) and server both have ability of sending http request to each other.
(BTW, the website server and script server are two different servers)
It is very easy for client(the script) to send http request to our server. But it is a big problem for the client(the script) to listen to http requests.
I have done some search but found nothing, maybe this requirement is so weird that seldom been used? Is it possible for a script which embeded in webpage that listen for http request?
Thanks!
In order to receive an HTTP request, you must:
have a publicly accessible IP address
have an open port, publicly accessible
bind a program to that port to listen for HTTP requests
Browsers fall down on all three counts. You cannot expect that all of your clients have a publicly reachable, unblocked IP address with specifically the port open that you want. But even if that were the case, there's no way for the browser to listen to incoming requests; there's no API to do that in the browser, partly because the browser is an HTTP client and not a server, partly because offering such an API would probably provide an extremely powerful API to all sorts of attackers, and partly because it oftentimes is useless anyway because the browser cannot be reached anyway (see point 1).
So, no, you cannot turn the browser into an HTTP server.
Use WebSockets.
If I have a website with a piece of java-script added on to the page - e.g. when a visitor clicks on a button - it sends a HTTP request to an external URL.
If the external URL (who receives this request) tries to check the IP address/host of where it came from -- Would this show the visitor's IP or the original website's IP?
If the request is sent from the client-side via JavaScript, it is a HTTP request send from the user's computer.
For this reason, the host will also see the public IP address of the user's computer. In this regard, it is very similar to the user simply copying the URL into the browser's address bar or to opening it via a click on a link on the web site.
Note that the result may vary though, e.g. if the request was routed through a proxy.
I can prevent other web sites (e.g. example.com) access and use my server resources via WebSocket. I mean they cannot access the server by pointing to something like "ws://47.80.151.189:1234" and use its resources (bandwidth, memory) or receive data sent from it. It’s a node.js server.
However, my local computer can still receive data sent from that WebSocket url. It can still receive data even in this file location: file:///D:/test.html
I don't want the data exposes to anyone. So how can I prevent this and thank you.
You can restrict browsers connecting by checking the origin HTTP header.
When a JavaScript script running in a browser opens a WebSocket connection to some server, it will set the origin header to the URL (well, host) of the original HTML that contained the JavaScript that opens the WebSocket.
Note that non-browser clients are not required to provide an origin header and/or can fake to anything.
You can also restrict of course based on source IP of the connecting client. Or you can require some kind of authentication.
I'm building an app where the user may occasionally make a search. I'd like to run the search through google, but I'm unsure in the event I have many users if i will hit google's search quota. Any individual user will not make more than one or two searches a day on the app. But cumulatively, it could potentially be much more.
Will doing client side retrival of a google query avoid this problem and not identify my server as the origin ip?
Yes, if you do a GET request from the client, the clients IP will be the source IP
Since you are doing a GET from the client's side, the TCP/IP connection is being opened by the client. So it would be the client's IP that the site would see as the requesting IP. However if you would like the site to see your IP instead, you can re-route the request via AJAX to your server, have your server do the GET and send the results asynchronously back to the client.