API Whitelist & SessionKey Logins

For discussion of the Poker Mavens server module and other administration topics
Tuck Fheman
Posts: 213
Joined: Tue Jul 04, 2017 6:44 am

API Whitelist & SessionKey Logins

Post by Tuck Fheman »

Yesterday I tried the API Whitelist feature without success. Almost immediately after adding the domain name our sessionkey logins originate from, a user contacted me saying they couldn't log in and it told them their IP wasn't allowed.

I entered the domain name where our login is at into the whitelist as well as the IP I was shown it said I was coming from when it blocked my attempt to use the API from that server.

So I'm confused as to why it was blocking users trying to log in and how to resolve it so that I can allow the server our website is hosted on access to the API on the server PM is installed on and not block everyone from logging in.
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Whitelist & SessionKey Logins

Post by Kent Briggs »

> Tuck Fheman wrote: Mon May 02, 2022 1:15 am
> Yesterday I tried the API Whitelist feature without success. Almost immediately after adding the domain name our sessionkey logins originate from, a user contacted me saying they couldn't log in and it told them their IP wasn't allowed.

When you do a who-is lookup on that domain name, does the first IP in the DNS match the IP that is trying to connect to the API?
Tuck Fheman
Posts: 213
Joined: Tue Jul 04, 2017 6:44 am

Re: API Whitelist & SessionKey Logins

Post by Tuck Fheman »

> Kent Briggs wrote: Mon May 02, 2022 9:22 am
> When you do a who-is lookup on that domain name, does the first IP in the DNS match the IP that is trying to connect to the API?

afaict no matter which whois I use I get no IP. Could it be because I'm behind cloudflare?
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Whitelist & SessionKey Logins

Post by Kent Briggs »

> Tuck Fheman wrote: Mon May 02, 2022 10:45 am
> afaict no matter which whois I use I get no IP. Could it be because I'm behind cloudflare?

You can do a who-is check on a domain from anywhere. But as far as what the poker server sees, any connection that goes through Cloudflare will be from one of their IPs. However, they do include the user's actual IP in a header which Poker Mavens will read if you tell it to by setting:

System tab -> Server Settings -> Proxy IP header = CF-Connecting-IP
Tuck Fheman
Posts: 213
Joined: Tue Jul 04, 2017 6:44 am

Re: API Whitelist & SessionKey Logins

Post by Tuck Fheman »

> Kent Briggs wrote: Mon May 02, 2022 12:49 pm
> You can do a who-is check on a domain from anywhere. But as far as what the poker server sees, any connection that goes through Cloudflare will be from one of their IPs. However, they do include the user's actual IP in a header which Poker Mavens will read if you tell it to by setting:
>
> System tab -> Server Settings -> Proxy IP header = CF-Connecting-IP

Maybe I'm misunderstanding how this works.

What I want to do is only allow API access from the server our website is on that has the session key login to the poker server (on another Windows server), so that no other person can access our API from outside those 2 servers of ours.

I assumed that I could just set the domain name and/or the IP address the website resides on in the API whitelist to accomplish this.

If I understand what you're saying correctly, the reason this may not work is because Cloudflare is sending the poker server one of their IPs when someone tries to log in, instead of our website server's IP?

> System tab -> Server Settings -> Proxy IP header = CF-Connecting-IP

This is set in settings.
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Whitelist & SessionKey Logins

Post by Kent Briggs »

Poker Mavens will use that header to get the real IP address. It will do a DNS lookup of the domain name you put in the whitelist to get the first IP address associated with that domain. If they match, it should let the API connection go through. Go to https://www.ip-adress.com/whois-lookup and type in the name of the domain where the API code is running. See what IP address is shown. If there is more than one IP then it only looks at the first one. Now check your Error Log and see what IP was blocked by the whitelist. Do they match?
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Whitelist & SessionKey Logins

Post by Kent Briggs »

By the way, is your API code running on a server that is also behind Cloudflare? That would explain a whitelist failure if the API server's domain is pointing to a Cloudflare server. If that's the case then you'll need to whitelist the API server's IP address instead.
Tuck Fheman
Posts: 213
Joined: Tue Jul 04, 2017 6:44 am

Re: API Whitelist & SessionKey Logins

Post by Tuck Fheman »

> Kent Briggs wrote: Mon May 02, 2022 4:26 pm
> By the way, is your API code running on a server that is also behind Cloudflare? That would explain a whitelist failure if the API server's domain is pointing to a Cloudflare server. If that's the case then you'll need to whitelist the API server's IP address instead.

Both the server running PM and the server running the website with sessionkey login are behind Cloudflare.

That site you linked did give me the IPs from Cloudflare, but neither IP address is what's listed in the error log for the Failed API attempts.

It's listing the website servers in a format I don't recognize (xxxx:xxxx:xx:xxxx:: xx) with only the last part of the normal IP as it is, then (proxy xxx.xxx.xxx.xx) but even those proxy IPs do not match what the whois shows for Cloudflare. The first 3 #'s of the proxy IPs are all the same and the 4th part of the IP addresses are different.

When it failed for me, it displayed the (xxxx:xxxx:xx:xxxx:: xx) address mentioned above, so I put that in and it worked for me. But at that same time someone messaged me they couldn't log in, so I just removed all IPs and turned whitelisting off since people were playing at the time.

Next time no one is on I guess I'll throw that (xxxx:xxxx:xx:xxxx:: xx) back in the whitelist or the actual server's IP address (which has the same last 2 numbers) and give that a shot. It could be that I actually had it working, since it worked for me, and the guy was hit with the error before I had input the (xxxx:xxxx:xx:xxxx:: xx) address in there.
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Whitelist & SessionKey Logins

Post by Kent Briggs »

> Tuck Fheman wrote: Mon May 02, 2022 4:49 pm
> It's listing the website servers in a format I don't recognize (xxxx:xxxx:xx:xxxx:: xx)

That's a 128-bit IPv6 address. The world is running out of "normal" 32-bit IPv4 addresses (so we've been told for many years now).

> When it failed for me, it displayed the (xxxx:xxxx:xx:xxxx:: xx) address mentioned above, so I put that in and it worked for me. But at that same time someone messaged me they couldn't log in, so I just removed all IPs and turned whitelisting off since people were playing at the time.

The API whitelist shouldn't affect player logins.
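
A small model of the whitelist check described in this thread (a literal IP is compared directly, a domain is resolved and only its first address is used), added here as an illustration and not Poker Mavens code. The hostname, addresses, proxy range and the `check_entry`/`audit` helpers are constructed for the example, and the DNS answers are embedded so it runs offline.

```python
import ipaddress

# Constructed stand-in for a CDN/proxy edge range (a documentation network,
# not Cloudflare's real published ranges).
PROXY_EDGE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed DNS answers: the site's hostname resolves to the proxy edge,
# not to the origin server that actually makes the API calls.
SAMPLE_DNS = {"www.example.test": ["198.51.100.7", "198.51.100.8"]}


def check_entry(entry, caller_ip, resolve=SAMPLE_DNS.get):
    """Model of the check described in the thread: an IP entry is compared
    directly; a domain entry is resolved and only its FIRST address is used.
    Returns (allowed, explanation)."""
    caller = ipaddress.ip_address(caller_ip)
    try:
        listed = ipaddress.ip_address(entry)
        source = "literal IP"
    except ValueError:
        answers = resolve(entry) or []
        if not answers:
            return False, f"{entry}: no DNS answer"
        listed = ipaddress.ip_address(answers[0])
        source = f"first DNS answer for {entry}"
    if listed == caller:
        return True, f"match on {source} {listed}"
    if any(listed in net for net in PROXY_EDGE_RANGES):
        return False, (f"{source} {listed} is a proxy edge address; "
                       "whitelist the origin server's own IP instead")
    if listed.version != caller.version:
        return False, (f"{source} is IPv{listed.version} but the caller "
                       f"arrived over IPv{caller.version}")
    return False, f"{source} {listed} != caller {caller}"


def audit(whitelist, caller_ip, resolve=SAMPLE_DNS.get):
    """Assumption for this model: one matching entry is enough to allow."""
    results = [check_entry(e, caller_ip, resolve) for e in whitelist]
    return any(ok for ok, _ in results), [why for _, why in results]


if __name__ == "__main__":
    # Constructed caller: the web server's IPv6 address as an error log might show it.
    caller = "2001:db8:12:3456::42"
    for wl in (["www.example.test"], ["192.0.2.42"], ["2001:0db8:0012:3456:0:0:0:42"]):
        print(wl, audit(wl, caller))
```

Comparing parsed addresses rather than strings means the expanded and `::`-compressed spellings of the same IPv6 address match.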
Tuck Fheman
Posts: 213
Joined: Tue Jul 04, 2017 6:44 am

Re: API Whitelist & SessionKey Logins

Post by Tuck Fheman »

> Kent Briggs wrote: Mon May 02, 2022 4:59 pm
> The API whitelist shouldn't affect player logins.

Ok great, that was my main concern, thanks!