API usage by external users #1154
Comments
|
I counted API requests made from each IP addresses to learn that all go-api requests are made from the same IP address
I investigated further by making some GET requests for sample logs. There are client details which the current analytics system captures. The screenshots below are direct API hits made from my laptop in The Netherlands.
There appears to be some masking going on which removes my info before the request reaches the Django app. @batpad my guess is this is happening either in the docker network layer or the load balancer (as you suggested) Alternatively, a less graceful approach is to explicitly tag each call made from the go-frontend in |
|
FYI previous ticket #572 (comment) speaks to what logs are available on the Django servers - I don't have access to the IM mailbox anymore to check, but I'm pretty sure we managed to get a list of IP addresses from those logs at that time (Feb 2020) - the problem we had was that we couldn't differentiate between API calls from the user's browser (i.e. from using the site) vs API calls via other means. |
|
@gulfaraz do we know exactly where these logs are derived from? This would make sense for logs that were being emitted by the Django App. However, in these cases where there's something masking the originating IP address there "should" always be an X-Forwarded-For header added that should contain the real IP address. From rough reading online, it seems like the Azure logs should use the X-Forwarded-For header to determine the actual Client IP when available, but of course, this is not working for us some-how. This would take a bit more investigation - it could possibly be one of a few different things:
If the logs above are parsing the access logs generated by the Not 100% sure of the best way to debug this - I guess a starting point would be knowing exactly where that chart is trying to read the Client IP from, and work backwards from there. |
Azure uses the API requests' IP address to find
Looks like the server drops the
Azure may be masking the IP address. I suggest disabling any masking on Azure's side before trying the above actions. I tried to disable masking using these steps but I don't seem to have the required permissions. |
|
@gulfaraz - this is some solid digging into this. It would be nice to rule out Azure masking the IP address. It definitely seems like these logs are all coming from Azure and it's not parsing logs being emitted by the django app, so I don't think this is a django issue. The Azure masking seems the most likely to me :( - if we can definitely rule out Azure masking the IP, then am happy to get on a call or so to try and delve into this more - definitely a mystery I'm quite interested in solving as well, thanks much for digging into this. |
#1026 implementation allows to track API usage on each endpoints. The dashboard tracks also the api calls made by the frontend, which makes the external API usage not trackable.
We need also the ability to track only the external API calls.
The text was updated successfully, but these errors were encountered: