This discussion is archived
6 Replies Latest reply: Jun 8, 2009 5:03 AM by ZKay RSS

Problem in getting remote address?

ZKay Journeyer
Currently Being Moderated
Hi,

I have a procedure on my login page, which reads user's IP address and stores it in a log file. I am using the following statement to get the IP address of remote user:

select owa_util.get_cgi_env('REMOTE_ADDR') from dual;

It is running fine on my workspace at http://apex.oracle.com and returns the real IP address of the remote user. But when I use the same code at my hosted server I get 127.0.0.1 instead of real IP.

Any ideas please?

Thanks,
Zahid
  • 1. Re: Problem in getting remote address?
    Jes Oracle ACE
    Currently Being Moderated
    Hello,

    You will need to talk to your hosted server provider as it sounds like they are using a proxy server configuration (and it is the proxy address you are picking up instead of the remote address).

    Your server provider should be able to give you the 'work-around' to capture the original IP address (although note, that using the remote IP address should be at best 'a good attempt', at worst it can be thoroughly misleading so I wouldn't rely on it - over the internet for HTTP requests at least - for anything super confidential etc).

    Hope this helps,

    John.
    --------------------------------------------
    Blog: http://jes.blogs.shellprompt.net
    Work: http://www.apex-evangelists.com
    Author of Pro Application Express: http://tinyurl.com/3gu7cd
    REWARDS: Please remember to mark helpful or correct posts on the forum, not just for my answers but for everyone!
  • 2. Re: Problem in getting remote address?
    ZKay Journeyer
    Currently Being Moderated
    Jes wrote:
    You will need to talk to your hosted server provider as it sounds like they are using a proxy server configuration (and it is the proxy address you are picking up instead of the remote address).
    I will contact my hosting company for the solution to get the remote instead of proxy address.
    Your server provider should be able to give you the 'work-around' to capture the original IP address (although note, that using the remote IP address should be at best 'a good attempt', at worst it can be thoroughly misleading so I wouldn't rely on it - over the internet for HTTP requests at least - for anything super confidential etc).
    Can you please explain that how it can be misleading and how would you go for securing anything super confidential etc.?

    Thanks,
    Zahid

    Edited by: Zahid Khan on Jun 5, 2009 10:09 AM
  • 3. Re: Problem in getting remote address?
    Jes Oracle ACE
    Currently Being Moderated
    Hello,

    >
    Can you please explain that how it can be misleading and how would you go for securing anything super confidential etc.?
    >

    Well, lots of reasons really. Firstly the IP address that you think identifies an end user might in fact be the IP address of a transparent proxy server that their ISP uses (a transparent proxy server can modify the request headers to change the IP address so that the request appears to come from them rather than the end user). The user might also have actively used a proxy server to 'appear' to be coming from somewhere else (a common technique to view content that should not be visible outside certain countries etc).

    The user might be inside a corporate LAN which presents a single (or multiple) NAT IP address to the world, so you only know the IP address of their main NAT routers/switches etc.

    The user might be using a tunneled SSH session so that the traffic appears to be coming from another bastion host rather than their own machine.

    The user might be using a network like TOR, so that their network traffic appears to be coming from elsewhere.

    Pretty much since TCP/IP became popular there have been ways and means to spoof your IP address (for various nefarious reasons), it's always been relatively easy to spoof a fake IP address at the packet level...obviously the difficult bit is to then receive the content if you're pretending to be elsewhere ;) How it has and continues to be done...

    Those are just a few examples off the top of my head, there are others...

    My point is, that using the IP address of the HTTP request can be useful, however just be aware that the address might not be the actual real address of the real end user (for the reasons described). I have actually seen people block a particular IP address from access a web site, only to find that it was actually the address of a proxy server used by hundreds (or more likely thousands) of other users who had also been inadvertently blocked from accessing the site.

    Hope this helps,

    John.
    --------------------------------------------
    Blog: http://jes.blogs.shellprompt.net
    Work: http://www.apex-evangelists.com
    Author of Pro Application Express: http://tinyurl.com/3gu7cd
    REWARDS: Please remember to mark helpful or correct posts on the forum, not just for my answers but for everyone!
  • 4. Re: Problem in getting remote address?
    ZKay Journeyer
    Currently Being Moderated
    Hi John,

    Thanks for the details. It means that IP identification can be useful but it can't be 100% reliable.

    Meanwhile, I have talked to my hosting guys, they say that they are running Apache which does proxy to Apex. Therefore for Apex all the requests are coming from the same IP. That's why it is returning this IP. They don't have solution for this problem but would try to find one.

    There should be some way to get the user's IP address on his first contact to the network.

    Thanks,
    Zahid
  • 5. Re: Problem in getting remote address?
    Jes Oracle ACE
    Currently Being Moderated
    Hello,

    >
    They don't have solution for this problem but would try to find one.
    >

    I can save them (and you) some time then, as I had to solve this one way back when we first started hosting APEX applications.

    They would need to do something similar to this in their Apache virtual host configuration -
    RewriteRule .* - [E=SPX_REMOTE_ADDR:%{REMOTE_ADDR}]
    RewriteRule .* - [E=SPX_HTTP_HOST:%{HTTP_HOST}]
    RewriteRule .* - [E=SPX_X_FORWARDED_FOR:%{HTTP:X-Forwarded-For}]
    RequestHeader set SPX_REMOTE_ADDR %{SPX_REMOTE_ADDR}e
    RequestHeader set SPX_HTTP_HOST %{SPX_HTTP_HOST}e
    RequestHeader set SPX_X_FORWARDED_FOR %{SPX_X_FORWARDED_FOR}e
    here I am defining (and setting) three new CGI variables to represent the original remote address the host being contacted and also the IP address if the request was delivered through a proxy server.

    They would also need to add these new CGI vars into the DAD configuration so that they are available to be used, like this -
    PlsqlCGIEnvironmentList    SPX_REMOTE_ADDR 
    PlsqlCGIEnvironmentList    SPX_X_FORWARDED_FOR
    PlsqlCGIEnvironmentList    SPX_HTTP_HOST
    Now (after restarting the Apache server or having it re-read the config files etc) in your PL/SQL you can reference the new CGI vars in the usual way -
    select owa_util.get_cgi_env('SPX_REMOTE_ADDR') from dual;
    That's my good deed for the day done...helping the competition ;)

    By the way, please don't have them just blindly copy/paste this code...they need to understand the rules and make sure they fit in with their architecture, security and policies etc...

    Hope this helps,

    John.
    --------------------------------------------
    Blog: http://jes.blogs.shellprompt.net
    Work: http://www.apex-evangelists.com
    Author of Pro Application Express: http://tinyurl.com/3gu7cd
    REWARDS: Please remember to mark helpful or correct posts on the forum, not just for my answers but for everyone!
  • 6. Re: Problem in getting remote address?
    ZKay Journeyer
    Currently Being Moderated
    Hi John,

    The following is done on the TEST server:

    1. Added the following in the Apache configuration file:

    RewriteRule .* - [E=SPX_REMOTE_ADDR:%{REMOTE_ADDR}]
    RewriteRule .* - [E=SPX_HTTP_HOST:%{HTTP_HOST}]
    RewriteRule .* - [E=SPX_X_FORWARDED_FOR:%{HTTP:X-Forwarded-For}]
    RequestHeader set SPX_REMOTE_ADDR %{SPX_REMOTE_ADDR}e
    RequestHeader set SPX_HTTP_HOST %{SPX_HTTP_HOST}e
    RequestHeader set SPX_X_FORWARDED_FOR %{SPX_X_FORWARDED_FOR}e

    2. Then did the following with SYS user:

    BEGIN
    DBMS_EPG.set_dad_attribute (
    dad_name => 'APEX',
    attr_name => 'cgi-environment-list',
    attr_value => 'SPX_REMOTE_ADDR');
    END;

    /

    BEGIN
    DBMS_EPG.set_dad_attribute (
    dad_name => 'APEX',
    attr_name => 'cgi-environment-list',
    attr_value => 'SPX_X_FORWARDED_FOR');
    END;

    /


    BEGIN
    DBMS_EPG.set_dad_attribute (
    dad_name => 'APEX',
    attr_name => 'cgi-environment-list',
    attr_value => 'SPX_HTTP_HOST');
    END;

    /

    But after doing the above, I am getting blank if I run the following statement:

    select owa_util.get_cgi_env('SPX_REMOTE_ADDR') from dual;

    I expect more good deeds from you :)

    Thanks,
    Zahid

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points