1

I have a VPN setup where clients authenticate using pre-shared certificates. I want these clients to use my http api written in flask but I need them to authenticate first to return correct data from database.

Is it safe to use request.remote_addr or request.environ['REMOTE_ADDR'] to identify users given I know IP address of every client from VPN config?

e.g.

user = select_user(request.remote_addr)

where select_user(IP) maps VPN clients to IP addresses.

SteveS
  • 366
  • 1
  • 4
  • 15

1 Answers1

4

The REMOTE_ADDR will always be the IP of the TCP connection emitter, there is no way to modify it for a potential attacker (except proxy). But there is a vulnerability if someone can access to one of your user's network (as they will have a valid IP). So if you can really trust your users personal network security, yes it is safe, otherwise no.

cyprieng
  • 706
  • 6
  • 16
  • Do you have some documentation or paper confirming it can't be modified or spoofed? – SteveS Dec 16 '16 at 10:47
  • The remote_addr is directly set by your server to the IP of the emitter of the connection. So if your server is secure, the question become: can I spoof an IP address ? You can have a look here for example: http://superuser.com/questions/619477/how-do-i-spoof-the-ip-that-my-computer-sends-a-server-without-using-something-li – cyprieng Dec 16 '16 at 10:57
  • You completely ignored the part of my question where I state that I use VPN. – SteveS Dec 16 '16 at 11:03
  • I am not sure what do you want: you want that only people who have access to your VPN can access to your API, or do you want that only people connected to your VPN can access to your API ? – cyprieng Dec 16 '16 at 11:12
  • I want to identify users connected to my VPN by their IP address and I would like to know if this authentication method is secure. – SteveS Dec 16 '16 at 11:17
  • If you use a VPN, the remote_addr will still identify your user IP. And as your website is only accessible thought VPN, only your client can be potential attacker. And for this they would need to spoof their IP to the one of another client, which is only possible if one of your client can connect to the network of another client. – cyprieng Dec 16 '16 at 11:24
  • I upvoted this answer because it was edited to include the 2 scenarios where the IP could be wrong: if a proxy server is involved (which it sounds like it is not) and if the remote client machine or gateway has been hacked. Also please note this is not `authentication`. What if your IT dept gives person A's laptop to person B and person B's laptop to a new hire? What if the remote clients are using DHCP and the IP lease gets renewed with a different address? This kind of thing could cause problems if you use IPs to identify users. Hope this helped more than my previous answer, deleted :) – Alex G Rice Dec 16 '16 at 16:05