Google API Key for a dynamic IP server - php

I need to use the Google Places API through PHP in a Wordpress site hosted on Flywheel.
It seems the option I need to use is the IP addresses (web servers, cron jobs, etc.).
My problem is that flywheel has a dynamic IP address system and after a couple of days the API stops working since the IP has changed.
I'm trying to see if I can authenticate the site using something else but I have not been able to find it.
I've looked at googleapis/google-api-php-client but the Places API is not part of the APIs the package can connect.
Do you know if there is any other way to whitelist a site for a web server with a dynamic IP?

It's not necessary to use the API key restriction. You don't need to restrict it by an IP address. It's an optional feature per key.
I'll try to give you at least an option/suggestion because I'm not sure how you intend to use the Google Places API, but you can basically create 2 separate keys:
One public API key for browser-based calls (show map, suggestions, etc.). In this case I would use HTTP referrer as the restriction and add your websites where this key is running.
One private API key for server-based calls (server2server, queue, cronjobs, etc.). Since you have a floating IP you would need to know the full range. In this case I would not "additionally" restrict it by the IP address and only use the secret.
Other suggestions in case you really, really want to restrict this additionally:
Ask Flywheel if they can give you a dedicated IP address. A quick Google lookup showed some forums which indicate that they support it. Attention: I'm sure they will charge you additional money for this.
Move your cronjobs, queues, ... away from Flywheel and host them somewhere where you have control of the IP address (e.g. AWS EC2 t3.nano with an elastic IP address - costs you ~$5/month).
Hope this helps and gives you some impressions about your options. Let me know if this answers your question or if you need any further information.

Related

How to change ip-user agent or proxy in php hosting?

Using the simple php curl function for Facebook user-account control, I pull out the site and do the detection according to the incoming data.
But because I have multiple queries, Facebook blocks and php codes are disabled. How can I show each browser function as if it was entered from a different computer by modifying the browser ip-user agent (if there is a proxy) before running it?
Thank you.
You're trying to say that your IP is blocked from getting data through the API, so you are trying to fetch data from a different IP [proxy]. If this is your concern, then try to find out why your IP has been blocked and get your IP whitelisted by FB!
First, access canhazip.com or jsonip.com from the server to make sure it has the public IP you think.
Second, make sure that IP address is in "Server IP Whitelist" for the app's Settings > Advanced section in the Developer console (https://developers.facebook.com/apps/[APP ID]/settings/advanced/).

Multiple Google Maps API

I have a server with many cPanel accounts - some, but not all, have apps that require Google Maps API keys (like store finders or geolocation for real estate locations).
So far I have been setting up different keys for each project and all seem to be working ok (most are small sites with limited visitation so I don't think usage will be a problem)
Now I am trying to troubleshoot a problem, and no matter what I try when setting up a new key for it, it won't work.
I'm starting to think I may have been better off setting up just one authenticated key for my server's IP address, generating one server key and one browser key, and then authenticating each domain that wants to use it via CNAME or whatever.
Can anyone advise the best path here

Secure requests between different apps

Assume there are two different apps on appengine- one powered by Go and another by PHP
They each need to be able to make specific requests to each other, purely over the backend network (i.e. these are the only services that need to make these specific requests - other remote requests should be blocked).
What is the best-practices way of doing this? Off the top of my head, here are 3 possible solutions and why I am a bit worried about them
1) Do not keep them as separate apps, but rather modules
The problem with this is that using modules introduces some other annoyances- such as difficulties with Channel Presence reporting. Also, conceptually, these 2 requests are really the only places they touch and it will be clearer to see what's going on in terms of database usage etc. if they are separated. But the presence issue is more of a show-stopper
2) Append the request with some hardcoded long secret key and only allow response if via SSL
It seems a bit strange to rely on this, since the key would never change... theoretically the only way it could be known is if an administrator on the account or someone with the source revealed it... but I don't know, just seems strange
3) Only allow via certain IP ranges (maybe combined with #2)
This just seems iffy, can the IP ranges be definitively known?
4) Pub/Sub
So it seems AppEngine allows a pub/sub mechanism- but that doesn't really fit my use case since I want to get the response right away - not via a postback once the subscriber processes it
All of them
-- As a side point, assuming it is some sort of https request, is this done using the Socket API for each language?
HTTPS is of course an excellent idea in general (not just for communication between two GAE apps).
But, for the specific use case, I would recommend relying on the X-Appengine-Inbound-Appid request header: App Engine's infrastructure ensures that this cannot be set on requests not coming from GAE apps, and, for requests that do come from GAE apps (via a url-fetch that doesn't follow redirects), the header is set to the app-id.
This is documented for Go at https://cloud.google.com/appengine/docs/go/urlfetch/ , for PHP at https://cloud.google.com/appengine/docs/php/urlfetch/ (and it's just the same for Java and Python, by the way).
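A sketch of the receiving side of that header check in PHP, as an added example that is not part of the original answer: the app id `example-go-app`, the function names and the sample requests are constructed placeholders.

```php
<?php
// Added example, not the answer author's code. The app id is a placeholder.
const TRUSTED_APP_IDS = ['example-go-app'];

/** Return the caller's app id as set by App Engine, or null if absent. */
function inboundAppId(array $server): ?string
{
    // PHP exposes "X-Appengine-Inbound-Appid" as HTTP_X_APPENGINE_INBOUND_APPID.
    $id = $server['HTTP_X_APPENGINE_INBOUND_APPID'] ?? null;
    return (is_string($id) && $id !== '') ? $id : null;
}

/** Fail closed: only an exact match against the allowlist is accepted. */
function isTrustedCaller(array $server, array $trusted = TRUSTED_APP_IDS): bool
{
    $id = inboundAppId($server);
    return $id !== null && in_array($id, $trusted, true);
}

/** Gate for the internal endpoint: HTTP status to send before any work is done. */
function authorizeInternalRequest(array $server): int
{
    return isTrustedCaller($server) ? 200 : 403;
}

// Constructed sample requests (shaped like $_SERVER), for running from the CLI.
$samples = [
    'external client, no header' => [],
    'other GAE app'              => ['HTTP_X_APPENGINE_INBOUND_APPID' => 'someone-elses-app'],
    'trusted Go app'             => ['HTTP_X_APPENGINE_INBOUND_APPID' => 'example-go-app'],
];
foreach ($samples as $label => $server) {
    printf("%-28s -> %d\n", $label, authorizeInternalRequest($server));
}
```

In the real endpoint the function would be called with `$_SERVER` and its result passed to `http_response_code()` before any other processing. The check is only meaningful when the app is served by App Engine, since that infrastructure is what prevents outside requests from setting the header.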
"purely over the backend network"
"Only allow via certain IP ranges"
These requirements are difficult to impossible to fulfill with App Engine infrastructure because you're not in control of the physical network routes. From the App Engine FAQ:
App Engine does not currently provide a way to map static IP addresses to an application. In order to optimize the network path between an end user and an App Engine application, end users on different ISPs or geographic locations might use different IP addresses to access the same App Engine application.
Therefore always assume your communication happens over the open network and never assume anything about IPs.
"Append the request with some hardcoded long secret key"
The hard coded long secret does not provide any added security, only obscurity.
"only allow response if via SSL"
This is a better idea; encrypt all of your internal traffic with a strong algorithm. For example, ECDHE-RSA or ECDHE-ECDSA if available.

PHP Obtain client location

I'd like to know how to obtain the location of a client. I know this is possible by simply tracing the IP, but this isn't very accurate. I noticed http://www.kickstarter.com/ was able to get my exact location. I tried it in 2 different browsers, cleared my cookies and all, and it was still able to get my location. It didn't ask me to allow the page to get my address. How is this done?
To the people that are suggesting me to use geo-ip, please read the actual question. If you trace my IP you get a COMPLETELY different location which is about 100km off of my actual location, while Kickstarter knows my EXACT location.
You can GEOIP the user, here is the PHP Manual on GEOIP
Those websites base your location on your IP address, for instance using Geo IP. This is not always a reliable feature, most of the time they show me a wrong location.
There are other solutions as well, such as browser geolocation, but this is not supported by older browsers (see caniuse.com for browser support). Browsers that do support it should ask for permission.
See this website for some examples of geolocation methods.
You don't have to allow a page to get your IP address. The server ALWAYS knows the IP address it needs to talk to. If you don't use a proxy, it will know the direct address your request comes from.

How does one install SSL certificates programmatically (OpenSSL)

I have an application which I am working on for a client which in summary allows each of their clients to create their own version of the application by customizing the templates and associating their own domain name (all the code is located on my client's server).
The problem I am faced with is that when such users create their own branded version with their own domain name and then want to login to their admin the system can't provide https authentication.
I am aware that one can create a self-signed certificate and I "think" there is a fairly simple way of doing this programmatically, BUT if I want to give users the ability to purchase their own CA-signed certificate then how could this be accomplished?
I have spent a few hours trying to find the answer to this question online but can't seem to find a solution to this perplexing problem.
What I think I need is some simple code which allows the user to fill out the required form fields, which in turn creates the CSR file, which in turn the user would provide to the CA to obtain his CA file, and for which some code would need to allow the user to upload it... Which in turn would automatically install it and redraft the needed web services.
Any/all help and guidance would greatly be appreciated!
How you would go about this depends on your architecture. But here are a couple things to consider:
Most SSL configurations operate on a unique IP address. So that means each SSL certificate you add would require another IP address. You may be able to centralize that configuration if you use a load balancer for example. Whether or not you can do that programmatically depends on your load balancer.
You will be best off generating the CSR based on your private key. Otherwise you will have to allow users to upload both a private key and certificate (and sometimes chain file).
Usually, dealing with the server certificate is done by a system administrator, so few tools will be user-friendly for people with no such knowledge.
You could create a PHP webpage that creates a private key and CSR (see openssl_csr_new examples) and lets the user copy the CSR in PEM format (and the private key for later use). Some CAs will let you paste such a CSR into their form, when requesting the certificate. Once the user gets the certificate (and perhaps the chain from the CA), they'd need to configure the server to use it (along with the private key). Tools like Webmin can let you do this from a web browser (you may want to implement something similar to what Webmin does for this, if you don't want to deploy a full web-based administration interface).
If the task of requesting the certificate is your client's responsibility (which it should really be if it's their server), they will need to be trained a little to know what to do, since the procedure will inevitably vary slightly depending on the CA they choose.
Needless to say that, if you implement scripts that can let the user change certificates and private keys, appropriate authentication and authorization should be used to perform these operations.
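The key and CSR step described above, plus a check that a returned certificate belongs to the stored key before it is installed, as an added example that is not code from the original answers. The domain, organisation and function names are constructed, a self-signed certificate stands in for the CA's reply so the script runs offline, and the subject CN comparison is a simplification (real certificates carry names in subjectAltName).

```php
<?php
// Added example, not the answer author's code. All names and values are constructed.

/** Create an RSA key and a CSR for $domain; returns both as PEM strings. */
function createKeyAndCsr(string $domain, string $org, string $country): array
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    $dn  = ['commonName' => $domain, 'organizationName' => $org, 'countryName' => $country];
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    if ($csr === false) {
        throw new RuntimeException('CSR creation failed: ' . openssl_error_string());
    }
    openssl_csr_export($csr, $csrPem);   // this is what the user pastes into the CA form
    openssl_pkey_export($key, $keyPem);  // assumption: kept server-side, never shown to the user
    return ['csr' => $csrPem, 'key' => $keyPem];
}

/** Accept an uploaded certificate only if it fits the stored key, the domain and is in date. */
function certificateMatches(string $certPem, string $keyPem, string $domain): bool
{
    $cert = openssl_x509_read($certPem);
    if ($cert === false || !openssl_x509_check_private_key($cert, $keyPem)) {
        return false;
    }
    $info = openssl_x509_parse($cert);
    $now  = time();
    return ($info['subject']['CN'] ?? null) === $domain
        && $info['validFrom_time_t'] <= $now
        && $now <= $info['validTo_time_t'];
}

// Demo: a self-signed certificate stands in for the CA's answer.
$pair = createKeyAndCsr('shop.example.test', 'Example Shop', 'US');
$cert = openssl_csr_sign($pair['csr'], null, $pair['key'], 30, ['digest_alg' => 'sha256']);
openssl_x509_export($cert, $certPem);
$other = createKeyAndCsr('shop.example.test', 'Example Shop', 'US');

echo "matching key:  ", var_export(certificateMatches($certPem, $pair['key'], 'shop.example.test'), true), "\n";
echo "foreign key:   ", var_export(certificateMatches($certPem, $other['key'], 'shop.example.test'), true), "\n";
echo "wrong domain:  ", var_export(certificateMatches($certPem, $pair['key'], 'evil.example.test'), true), "\n";
```

Running the match check on every upload keeps a mistaken or substituted certificate from being written into the web server configuration.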
