1. 69

  2. 23

    Always vaguely annoyed when Cloudflare takes over more stuff, but I can understand not wanting to deal with all this bullshit when you’re just one person. If he reads this, thanks for the service :)

    > Not all of the interactions were positive, however. One CISO of a US state emailed me and threatened all kinds of legal action claiming that icanhazip.com was involved in a malware infection in his state’s computer systems. I tried repeatedly to explain how the site worked and that the malware authors were calling out to my site and I was powerless to stop it.

    Shades of when CentOS hacked Oklahoma City’s website.

    1. 4

      > Always vaguely annoyed when Cloudflare takes over more stuff

      I’m genuinely curious as to why? Cloudflare seems at least so far the least “evil” of large internet companies.

      1. 7

        > Cloudflare seems at least so far the least “evil” of large internet companies.

        Still, I would prefer it to be more decentralized. Lots of Internet traffic is already going through CF.

        1. 1

          The protocols that the Internet relies on have an inherent centralising effect on Internet services. While a decentralised Internet would be nice, I don’t know of any good proposals for making this happen while also solving the numerous problems to do with how to share power and control in a decentralised manner while still maintaining efficiency and functionality.

          inb4 blockchain :eyeroll:

        2. 2

          Unless cloudflare turns out to be working closely with no such agency. Then the decentralization crowd will be vindicated and we will still need to solve all the problems cloudflare solves for us.

          1. 3

            Of course the decentralisation crowd solve them right now instead of waiting.

            There’s always someone in the peanut gallery who’s vindicated, because the peanut gallery is rich in opinions. For any opinion, there’s someone who holds it, doesn’t volunteer or otherwise act on it, is vindicated on reddit/hn/…/here if something bad happens or can be alleged to happen, and blames the people who did volunteer.

            Blaming those who volunteer is a shameful thing to do IMNSHO.

        3. 3

          It looks like the site (though still managed by post author) migrated entirely to Cloudflare’s systems in 2020 or so.

        4. 14

          You can implement this yourself in nginx like this:

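              location /ip {
                  # Set the type with default_type: add_header would send a second
                  # Content-Type header next to the one nginx generates for `return`.
                  default_type application/json;
                  return 200 '{"host":"$server_name","ip":"$remote_addr","port":"$remote_port","server_ip":"$server_addr","server_port":"$server_port"}\n';
              }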
          

          and you will get back a little JSON with everything you want. For 1-off manual requests it doesn’t matter what you use, but if you are writing code then just host it yourself, it’s not difficult.

          1. 3

            I don’t know much about nginx, but isn’t that essentially the very first optimization step taken?

            > I migrated to nginx and set up nginx to answer the requests by itself and removed the Python scripts.

            1. 12

              Yes. I think the offer is that you can self-host this with just a copy and paste if you decide you don’t want to depend on icanhazip.

              1. 15

                True, decentralize the “find my IP” industry!

                1. 3

                  /.well-known/my-ip

                  Let’s register it!

                  1. 5

                    But is it really decentralized without a white paper, an IETF working group draft, and endless discussions on whether the format should be JSON or XML (with s-expression zealots sniping from the sidelines)?

                    1. 2

                      No, but people might actually use it.

                      1. 2

                        So there ARE engineers who given a choice will opt for XML? I KNEW IT!!!

                        1. 5

                          Probably just me, to be honest.

                          (Look, I’m not a fan of XML, but there are so many of the issues people complain about with JSON that are simply solved with XML. Like types.)

                          1. 1

                            Go ships with type-safe JSON parsing: https://blog.golang.org/json

                          2. 3

                            Of course. Right tool for the job and all that.

                            Contrary to popular rhetoric, XML and JSON are not competitors and solve wildly different problems. Each has its place.

                          3. 1

                            That’s what content negotiation is for. If unspecified, text/plain output with just the IP address.

                    2. 8

                      Yes, but the author didn’t share how that was done and I did. I’m not saying you shouldn’t or can’t use icanhazip, I’m saying if you are writing code to figure out an external address, you should not use icanhazip and friends, you should copy and paste this little snippet into your NGINX (or do similar in whatever server you are using) and host it yourself. It’s not difficult to do. If everyone bothered to do this, then this guy would have had way less heartache over the past decade+.

                      icanhazip and friends are great for 1-off manual requests, but relying on it and other free services in deployed code that are trivial to implement yourself are likely bad ideas. Here, this guy worked HARD to make all of our lives easier, and for that I’m grateful, but we should have been doing the right thing and hosted stuff like this ourselves if we were doing anything other than manual 1 request a day like usage against it.

                      1. 2

                        With the caveat that this must be deployed separately from the existing infra, on a public facing network and expose only the public facing interface. Otherwise, the public IP will actually be the internal one.

                        1. 2

                          Well, like all things.. complications arise! We deploy it and don’t take any of these precautions. I want the address the client uses to connect TO ME, which is usually the public IP.

                          Your use case may be different and perhaps your caveats are warranted. You are never guaranteed a public IP, you are just guaranteed the IP the client used to connect. Usually they are the same thing, but not always, and the IP used to connect to google.com might be different still, even if you get back a public IP, depending on the network the client is on, etc. But this is all mostly true of icanhazip and friends also.

                        2. 1

                          I agree 100%.
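
The self-hosting snippet and the internal-address caveat discussed in this subthread, as an added client-side check that is not part of any commenter's post: it parses the JSON shape produced by the nginx `/ip` location and reports whether the returned address is globally routable. The function name, the host name and the sample bodies are constructed for illustration.

```python
import ipaddress
import json

# Keys emitted by the nginx /ip snippet quoted in this thread.
EXPECTED_KEYS = {"host", "ip", "port", "server_ip", "server_port"}

# Constructed sample bodies (not captured from a real server).
PUBLIC_BODY = ('{"host":"ip.example.test","ip":"8.8.8.8","port":"51234",'
               '"server_ip":"10.0.0.2","server_port":"443"}\n')
# What the endpoint returns when it only sees an internal peer, e.g. a
# load balancer or a client on the same private network.
INTERNAL_BODY = ('{"host":"ip.example.test","ip":"10.0.0.5","port":"40000",'
                 '"server_ip":"10.0.0.2","server_port":"443"}\n')


def parse_ip_response(body: str) -> dict:
    """Validate a response from the self-hosted endpoint (hypothetical helper)."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("response is not a JSON object")
    missing = EXPECTED_KEYS - data.keys()
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    # ip_address() rejects anything that is not a literal IPv4/IPv6 address,
    # so a hijacked or misconfigured endpoint cannot hand back arbitrary text.
    ip = ipaddress.ip_address(data["ip"])
    port = int(data["port"])  # nginx emits the port as a quoted string
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return {
        "ip": ip,
        "port": port,
        # False for RFC 1918, loopback, link-local, CGNAT and similar ranges:
        # the "public IP will actually be the internal one" case.
        "is_public": ip.is_global,
    }


if __name__ == "__main__":
    for label, body in (("public", PUBLIC_BODY), ("internal", INTERNAL_BODY)):
        result = parse_ip_response(body)
        print(label, result["ip"], "public" if result["is_public"] else "NOT public")
```
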

                      2. 1

                        I would definitely put some tiny level of obfuscation in this just to mitigate the risk that some miscreant botnet author finds and uses my copy.

                        1. 2

                          That’s certainly not a bad idea. Almost certainly doesn’t help at all if your code is open-sourced.

                          1. 2

                            Yeah I was thinking of corporate contexts where it either wouldn’t be, or it would be trivial to add a very small patch to the version that I’m running.

                      3. 8

                        Lovely story. I really appreciate all that Cloudflare has been giving back to the open source community (particularly with Rust) and this is another instance of that positive culture.

                        1. 7

                          I’ve always used whatismyip.[org|com] for my personal little things and I never knew about this site, and it has billions of requests per day. That’s quite insane.

                          1. 5

                            That’s likely because unlike whatismyip, this webpage (if you can call it that) is far more machine-readable. Whatismyip serves up a big, nicely-formatted, human-readable HTML page that happens to have your IP address somewhere inside it. Icanhazip serves a text string containing your IP address, that’s it.

                            It’s not surprising that this site ended up being attractive for botnets, malware, and irresponsibly-built software that needed to check the IP address of a machine.

                            EDIT: I see that whatismyip has an API, but it looks like you have to pay for it, which obviously makes it less attractive.

                            1. 2

                              As the author mentioned, I wonder how many of these requests are from automation (i.e. some script written by a “devop” to manage their server or a malware bot)

                            2. 5

                              You can get your IP using DNS instead of HTTP

                                  dig +short -4 A myip.opendns.com @resolver1.opendns.com
                              

                              For IPv6

                                  dig +short -6 AAAA myip.opendns.com @resolver1.ipv6-sandbox.opendns.com
                              
                              1. 4

                                Cheers to the guy for providing a service for so many years, and cheers to Cloudflare for adopting it, but…

                                It seems like every problem that we (people doing computing/IT/webshit) have is because of centralization. Every single service has to be the only one of its kind, and has to handle the whole world’s traffic, as well as being a unique target for DDOS and other bad actors. And it seems like every proposed solution is to just double down, and make those centralized services bigger, more complex, more robust. Could we, instead, just not do that?

                                1. 2

                                  I have always used curl ifconfig.me. Easy to remember thanks to the name resemblance with a command utility.

                                  1. 4

                                    For sure, for 1-off manual requests, I don’t think it matters what you use. But I argue that if you are writing code against it, or putting any load against it at all, you should just host it yourself, and upthread I say how in NGINX, it’s super easy.