How to redirect cookie and user ip address in server side network request in nextjs? - cookies

I am new to nextjs and SSR in general. I have previously worked through CSR in ReactJS. If a react application makes a request to the server API, then the server receives the cookie and the client's IP address.
But in the case of SSR, if NextJS makes a request on the server side, then the backend sees the IP address of the server where NextJS is located.
In this case, how can the backend server recognize the IP address of the client, and not the NextJS server? And how to send client cookies to the backend?
I need to know the client's IP to avoid cheating product ratings by guests.

Related

Can I connect internal alb to private route 53 and proceed with SSL authentication?

Place the internet facing load balancer in the public area and it is sent to React. Then react calls the backend connected to the internal alb. In other words, internal alb can be called in frontend. And by applying the address of internal alb to private route 53, 'example.local' could be created. And I tried to connect this in react, but it was sent as an http request, and the react homepage was in https, causing a mixed content error.
Is there a way to solve this?
Backend and frontend are serviced by different clusters through ecs target.
If you are getting a mixed content error, then that means your requests to the backend are coming from the web browser, not a back-end server. Since you are using React, which is a front-end JavaScript framework, requests to your backend are coming from each user's laptop/desktop computer, not from your front-end web server. This means the backend API cannot be behind an internal load balancer, because then it wouldn't be accessible from the user's web browser.

Using Cloudflare as a proxy prevents cookies being stored in browser

I'll attach an image to illustrate what I'm looking to do:
Note: The above photo should say "Redirect to HTTPS"
To preface, the following is the technology stack:
DNS: GoDaddy
Proxy: Cloudflare
Client: React app hosted on Heroku
Server: Flask API hosted on Heroku
The flow at least to my understanding is this:
User enters in domain.com in browser and GoDaddy forwards all traffic to Cloudflare so that the site is viewed securely
Cloudflare then forwards the traffic to where the client is hosted
Once client is loaded, it makes a request to the server to receive a CSRF token. The CSRF token is generated by a method within flask-wtf. A session is created in the server and in the response, the CSRF token is attached to the header
Here things get weird
Since the response received on the client never had the CSRF token attached to the header and no cookie was set on the browser, I would assume that the response goes to Cloudflare before the response hits the client. As a result, the CSRF token is never received. Not sure why this is the case. But after a bit of research, I've discovered that Cloudflare does this by default.
It seems that a workaround would be to use Cloudflare Workers, but that seems only available if their DNS is being used. Ideally, I would like to stick with GoDaddy.
I was wondering if anyone else experienced this and found a different solution.

AWS Elastic Beanstalk https setup for website

I have a website written in AngularJS which sends API requests to another server application. If I want users to connect to the website through HTTPS, do I have to make the server HTTPS also? I have already requested an SSL certificate on AWS with my website address, and applied it on the load balancer of the website instance (not the server instance). Do I have to request another certificate for my API server?
Thanks.
It is recommended that the communication between the client and server happens over HTTPS, especially if private data is being transmitted, such as login data.
Regarding certificates, in order for HTTPS to work, the common name (CN) that is used in the certificate must match the fully qualified domain of your server's URL. So yes, you need a new certificate created specifically for your back-end server.

Reliably get client IP for HTTPS request in django?

Is there a way to reliably get client's IP in Django if the request is via HTTPS? For instance, is the data available in request.META['HTTP_X_REAL_IP'] secure against spoofing and other attacks?
In my case request.META['REMOTE_ADDR']=='10.0.0.132' which is an internal IP. So I could rely on request.META['HTTP_X_REAL_IP'] or request.META['HTTP_X_FORWARDED_FOR'] only.
My site is on pythonanywhere.com, if that matters.
So, is there a reliable client IP in request.META via HTTPS?
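
An added example (not part of the original question or of any answer on this page): one way a backend can resolve the client address from request.META when it sits behind forwarding hops, whether a reverse proxy as here or an SSR server such as the Next.js one in the first question. The TRUSTED_PROXIES value and the helper names are assumptions; X-Forwarded-For is only believed when the direct peer is a proxy you operate, and the list is read right to left so a client-supplied entry cannot win.

```python
import ipaddress

# Assumption: networks of proxies that are trusted to append X-Forwarded-For.
# 10.0.0.0/8 is a constructed value, picked because the question reports an
# internal REMOTE_ADDR of 10.0.0.132; use your hosting provider's real ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(ip, trusted):
    """True when ip belongs to one of the trusted proxy networks."""
    return any(ip in net for net in trusted)


def client_ip(meta, trusted=TRUSTED_PROXIES):
    """Return the client address from a Django-style request.META mapping."""
    peer = ipaddress.ip_address(meta["REMOTE_ADDR"])
    if not _is_trusted(peer, trusted):
        # Direct or unknown peer: any forwarding header it sent is
        # client-controlled, so only the socket address is usable.
        return str(peer)

    raw = meta.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]

    # Each trusted hop appends the address it saw, so the rightmost entries
    # are the verified ones. Walk right to left and stop at the first
    # address that is not one of our proxies: that is the client.
    current = peer
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        current = ip
        if not _is_trusted(ip, trusted):
            break
    return str(current)


if __name__ == "__main__":
    # Constructed request: the client forged "1.2.3.4", the proxy appended
    # the address it actually saw (documentation range 198.51.100.0/24).
    forged = {"REMOTE_ADDR": "10.0.0.132",
              "HTTP_X_FORWARDED_FOR": "1.2.3.4, 198.51.100.23"}
    print(client_ip(forged))
```

This holds only if every trusted hop appends or overwrites the header itself; a proxy that passes a client-supplied X-Real-IP through unchanged gives no such guarantee.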

Web Service reference changed

I have published one web service on a server, let's say on the abc.com server. Now more than 10 clients subscribe to this web service.
Now I want to shift the same web service to server xyz.com and want to close server abc.com.
So, without updating the clients, how can I make this move successful so that my web service clients do not need to update anything on their side?
You likely can't. Most users will have client side configuration that will need to be changed to point to the new url.
If you control the DNS entries, you could decommission server abc.com and point its old DNS entry to the same server as xyz.com.