![](https://hackernoon.com/hn-images/1*GUAiXkIT4Sf53jS3xUVx-w.jpeg)

> The best way dealing with the un-welcome people is kicking him out of your party. The best way dealing with un-welcome IPs is to BLACK LIST.

Background about today, an APP service running on Node.js server which included a static HTML website and API service. We got few un-welcome IPs list on hand and my boss told me“Peter, black list them.”.

I love Node.js and Express, the design of middleware speedups I get the job done and leaving office early to have a Friday night.

#### The problem is being broken down to three parts:

1.  Define blacklist IP
2.  Geting client IP
3.  Blocking Client IP, if it is in the blacklist

Extracting Client ID in Express.js is super easy, **_Router_** and **_req_** are tools which accelerating to extract all the client information which included Header, Cookies, Post Body, Get URL Parameters etc.

### Define blacklist IP

_Putting unwelcome IPs in an array, which will be used in middleware to check where the router is going to direct._

**var BLACKLIST =\['192.0.0.1'\];  
//better to store as an String in process.env.BLACKLIST**

### Fetch Client IP

_Express provide a super friendly_ **_req_** _to fetch the client IP within few line of code._

> **_req.connection.remoteAddress_** return the IP, could be ipv4 or ipv6.

var getClientIp = function(req) {  
  **_var ipAddress = req.connection.remoteAddress;_**

if (!ipAddress) {  
    return '';  
  }

// convert from "::ffff:192.0.0.1"  to "192.0.0.1"  
  **_if (ipAddress.substr(0, 7) == "::ffff:") {  
    ipAddress = ipAddress.substr(7)  
  }_**

return ipAddress;  
};

#### Blocking Client IP, if it is in the blacklist

_Add an USER BLOCKING middleware function(req, res, next) inside app.use( ), this middleware function will be executed for every request to the app. Like a filter which let the right IPs to go through._

app.use(function(req, res, next) {  
  var ipAddress = getClientIp(req);

if(**BLACKLIST**.indexOf(ipAddress) !== -1){  
    next();  
  } else {  
    res.send(ipAddress + ' IP is not in whiteList')  
  }  
});

### Putting all together

It is an example of putting above 3 parts together in a Express.js framework. To modify one which fit your BlackList IPs, go and push your IPs in BLACKLIST Array and they will never ever access the service.

var express = require(‘express’)   
var app = express()  
    
// Part1, defining blacklist  
**var BLACKLIST =\['192.0.0.1'\];**

// Part2, Geting client IP  
**var getClientIp = function(req) {  
  var ipAddress = req.connection.remoteAddress;**

**if (!ipAddress) {  
    return '';  
  }**

**// convert from "::ffff:192.0.0.1"  to "192.0.0.1"  
  if (ipAddress.substr(0, 7) == "::ffff:") {  
    ipAddress = ipAddress.substr(7)  
  }**

**return ipAddress;  
};**

//Part3, Blocking Client IP, if it is in the blacklist  
**app.use(function(req, res, next) {  
  var ipAddress = getClientIp(req);**

  **if(BLACKLIST.indexOf(ipAddress) === -1){  
    next();  
  } else {  
    res.send(ipAddress + ' IP is not in whiteList')  
  }  
});**

app.get(‘/’, function (req, res) {  
   res.send(‘Hello World!’)  
})

#Thanks to [Pierre Chamberlain](https://medium.com/@_bigp), corrected the mistake **BLACKLIST.indexOf(ipAddress) === -1**

### Remark

1.  req.headers\[‘x-forwarded-for’\]
2.  req.connection.remoteAddress
3.  req.connection.socket.remoteAddress

**_1) x-forwarded-for_**: client, proxy1, proxy2, proxy3  
_If you are running behind a proxy like NGiNX or what have you, only then you should check for ‘x-forwarded-for’_ [_(by alessioalex)_](http://stackoverflow.com/questions/10849687/express-js-how-to-get-remote-client-address)

**_2) req.connection.remoteAddress  
_**Default server is listening to IPv6 connections and the IPV6\_V6ONLY flag isn’t set with the result that **_IPv4 connections are processed by the same socket_**. [_(by Wladimir Palant)_](http://stackoverflow.com/questions/24896386/request-connection-remoteaddress-now-prefixed-in-ffff-in-node-js)

**_3) req.connection.socket.remoteAddress  
_**On https, **_req.connection.remoteAddress_** is undefined, but **_req.connection.socket.remoteAddress_** does work[(by Mathijs Kwik)](http://stackoverflow.com/questions/5999379/how-to-find-out-the-remote-address-in-node-js-if-it-is-https-request)

#### You may also like:

[\[Javascript\] override Object.constructor( )](https://hackernoon.com/javascript-cracking-nuts-override-object-constructor-48a73628b7e6#.22qqwdp14)  
[\[Expressjs\] override res.send](https://hackernoon.com/nodejs-express-js-manipulating-response-before-going-back-to-user-5e96ad8d84ca#.zf7rx3el8)

Like this story? It is helpful to others? It helps me know if you’d like to see write more about his topic and helps people see the story, **_when tap the heart below_**.

#### Reference:

Git:[  
https://github.com/wahengchang/javascript-must-know/tree/master/middleware\_blockIp](https://github.com/wahengchang/javascript-must-know/tree/master/middleware_blockIp)

express-ipfilter  
[https://www.npmjs.com/package/express-ipfilter](https://www.npmjs.com/package/express-ipfilter)

expressjs.com  
[http://expressjs.com/en/api.html](http://expressjs.com/en/api.html)

stackoverflow  
[http://stackoverflow.com/questions/10849687/express-js-how-to-get-remote-client-address](http://stackoverflow.com/questions/10849687/express-js-how-to-get-remote-client-address)  
[http://stackoverflow.com/questions/24896386/request-connection-remoteaddress-now-prefixed-in-ffff-in-node-js](http://stackoverflow.com/questions/24896386/request-connection-remoteaddress-now-prefixed-in-ffff-in-node-js)  
[http://stackoverflow.com/questions/5999379/how-to-find-out-the-remote-address-in-node-js-if-it-is-https-request](http://stackoverflow.com/questions/5999379/how-to-find-out-the-remote-address-in-node-js-if-it-is-https-request)

Fetch

Super

Too Long; Didn't Read

Cassandra Forward a free Cassandra-focused community event

[ Expressjs ] Cracking nuts, put the client IPs to BlackList

Too Long; Didn't Read

Companies Mentioned

@peterchang_82818

RELATED STORIES