Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: A simple IP address API (ipinfo.io)
241 points by zvanness on Feb 14, 2014 | hide | past | favorite | 117 comments



I use https://freegeoip.net/ which gives you output in JSON, CSV or XML and has a limit of 10,000 requests per hour. The limit of 1,000 per day on this service is too low.


I also like how freegeoip is open source so you can run your own instance: https://github.com/fiorix/freegeoip


Out of curiosity, what are you doing that requires that many IP lookups?


Tracking visitors/customers comes to mind. Definitely not uncommon to have 1000 uniques a day :)


I imagine caching netblocks rather than running individual IP lookups would cut down on the load quite a bit.


If you are geolocating, I would suggest spending $370 to buy the MaxMind GeoIPCity database. There's an nginx module for it and any major language will have code to run queries against it.

http://www.maxmind.com/en/city http://nginx.org/en/docs/http/ngx_http_geoip_module.html


So something along the lines of tracking incoming requests, then doing a DNS lookup on the incoming IP? Isn't that something that something like Google Analytics could do for you? And in that case, would this be more for people who are avoiding GA?


Google Analytics can give you this data in the reports but won't allow you to get access to it in real time in your application.

Imagine you want to redirect users to the correct country page in your site. In this case you need to get access to the ip geolocation in real time. GA won't help you there.


If your goal is geo-redirection then a 3rd party service is usually a bad choice (speed + downtime). An memory geo-ip database is the best way to go - but this is usually also part of what you pay for when you buy the non-free version


Maxmind have a free database (GeoLite2) that's updated weekly. Here's an overview of the accuracy per country:

http://www.maxmind.com/en/geolite_city_accuracy

It's less accurate than their commercial offering, but good enough in many cases. For ease of use, there's a nice C API (https://github.com/maxmind/geoip-api-c) and wrappers like pygeoip for Python.


The problem is if you totally max out freogeoip it doesn't scale (or let you pay) for more requests.


But freegeoip's limit of 10,000 requests per hour is better than ipinfo's $200/mo plan (6,667/hr). Plus there are no limits if you run freegeoip on your own server.


Throws a SSL certificate error on latest Chrome (32.0.1700.107) W7 64


Looks like no immediate fix either, which is a shame as I wanted to use it client side but (a) need SSL and (b) can't ignore Chrome (it fails on Chrome for Android latest too)..

https://github.com/fiorix/freegeoip/issues/32


This database does not know my ip address. I assume then they use a free database then so you should pay nothing either...

Anyway, this 'quality' should be free anyway ;-)


I think pretty much all pay-versions aren't 100% accurate either, from my experiences anyway.


He's not saying the paid one's are 100% accurate (obviously they aren't), but they are better.


Right, but the point is that just because it doesn't show up doesn't mean the paid is better.

Why not check both rather than just one?


Thanks for that! I'm building a small script which may evolve in a service and I was retrieving IP addresses using curl, this is way more clean. Thanks!


Yeah that's also a great service. It doesn't include the network organization or hostname though, which you may or may not need.


How often is the AS info updated? What source do you use, and how do you handle multi-homed IP addresses?


IP addresses should only be announced by one ASN at a time (regardless if that AS is multihomed or singlehomed). If that's not the case that's usually a hint of prefix hijacking.


It's also more accurate, ipinfo.io thinks I'm in Enfield whereas freegeoip.net accurately identifies that I'm in London.


Interesting - freegeoip.net thinks I'm about 30km from Brisbane in the opposite direction to the side I'm on.

ipinfo.io thinks I'm in Brisbane, which is slightly more accurate (although also less specific), although still about 25km out.


/waves at another Brisbanite on HN

It gets my Location wrongish here on the Gold Coast, but not too far out. We have huge suburbs though, all of the GeoIP DB's seem to think im in the wrong suburb, despite having a static IP on Telstra cable.


Heh, thinks I'm in Romford (east London), even though I'm in west London!


yeah, ipinfo thinks I'm about an hour east on the other side of Atlanta.


freegeoip also has https support for free.

I use it for my bitcoin client: https://github.com/bit-c/bitc


If you are looking to build something like this, check out MaxMind @ http://www.maxmind.com/en/city


I just finished integrating geo IP lookups into an app I'm working on, using a library that queries a number of the free IP lookup services out there. Something that I've learned from this is just how hard it is to stay on top of IP geolocations. Most of the free services use incomplete or outdated databases, and if you want decent accuracy you probably need to opt for a paid package from a company who has the resources to track IP address location changes, and keep their database up to date.

So, I'm wondering, does ipinfo.io maintain their own database, or do they sub-license someone else's database? If they're maintaining their own, how good are they at keeping it valid and updated and what is the coverage like?


I was trying to figure out which database they were using as well. I've checked their results for my IP address against the results from MaxMind's GeoIP City and GeoIP2 City service and these return the closet results related to the Latitude/Longitude displayed on ipinfo.io, it also has a matching zip code. The network name differs since I'm on U-Verse but I think they are just displaying the company name from the ASN. I also checked Quova/Neustar and the results are vastly different.


It uses one of the free databases that are available.

Ip address 200.7.52.1 is a good way to check these services. This should position to the island of Sint Maarten. A serious offering would know that. The free ones always set the position to Curacao. Just about 900 NM away...


This does it correctly:

http://myip.ms/info/whois/200.7.52.1


This is the first service I tried in 8 years which returned correctly the location of an IP that i know physically where it is.


Guys/gals,

I posted this for a friend: https://twitter.com/coderholic

He's the guy behind Lighbox.com which Facebook acquired, really awesome guy!

I guess he'll be wondering where all the sudden traffic is coming in from!


Thanks Zach! :)


You're welcome Ben! :)


This looks very well done and useful.

Usually though I just use http://www.moanmyip.com for the weirdness of it. Or pretty much any search engine includes that up top when you search for "ip address".


I use http://ip-api.com/ and I find it works great (docs: http://ip-api.com/docs/).

It provides response formats: xml, json, csv, newline separated, serialized php. And enforce a limit of 240 requests per minute (that's 14,400 per hour for the lazy).

Fun fact, if you're running tor (tor-0.2.4.17 as proxy not the browser) you'll see the tor exit node in "IP:" and your actual ip i "Real IP:", thanks to gdns' EDNS (https://gdns.re/edns-demo/)


Fun fact: if you are running tor and you see the tor exit node and your IP you are doing it wrong! You are leaking DNS requests. Tor goes to great lengths informing you that something is wrong in the logs. This is not thanks to edns, it is thanks to your inability to use the software correctly. Please see:

https://trac.torproject.org/projects/tor/wiki/doc/Preventing...


>it is thanks to your inability to use the software correctly

I disagree, but have you said it is down to my inability to explain what the problem is, then I agree.

I'm aware of the DNS leaks, and obviously wasn't clear enough and failed to explain what the problem was.

The leak only happens when you run the tor proxy daemon, and your own browser with the appropriate proxy settings.

It's down to the way Firefox, uses the defined proxy for the initial DNS and HTTP requests, but then bypasses it when doing DNS lookups for JS within the initial page loaded.

It doesn't leak DNS lookups made by JS scripts if you use the tor version that includes a mod-Firefox browser.


They don't support SSL though.


Is there an API for this?


the geo ip API can be found at http://ip-api.com/docs/home and as for the geo-DNS check https://gdns.re/


I don't mean to be a huge jerk - I think the service is cool - but IPv4 exhaustion is months away! All of the major GeoIP vendors have IPv6 support. It's simultaneously saddening and frustrating that it might as well not exist.


For ARIN (where most of us will be getting our IPs) projected runout (assuming no "bank run") is closer to a year out[1]

Now, people /have/ been predicting some crazy run on IPv4 for some time now, I was pretty certain it was going to happen in 2011 and while a run is still quite possible, it hasn't happened yet, and there are a bunch of outstanding /8s that could very well be returned; the DoD has been returning blocks, and they still have a bunch more they could return. Based on my own previous expectation that runout was going to occur in 2011, I'd be surprised if we run out before 2015.

Now, if you are dealing with network admins and infrastructure types? IPv6 is very important. I give my customers an IPv6 address by default, and will give a /64 upon request. It's pretty important for the sort of people I have as customers.

You see, we're the ones who have to deal with this 'nat hell' - and make no mistake about it, it will be hellish.

However, from a business perspective? If you are going after business types? The internet is still entirely IPv4.

[1]http://www.potaroo.net/tools/ipv4/index.html


This is interesting. IP address databases are typically bought and sold for figures in the thousands. This service presumably purchases one or some of these and attempts to make up the cost by providing it on an as-needed basis.

I wonder if there are any additional data sources that can just be bought wholesale and sold in pieces? Think of all the applications that needed very precise IP address data but couldn't afford the whole dataset. They can now exist!

I could also be wrong and this isn't at all the approach this service takes...


> IP address databases are typically bought and sold for figures in the thousands.

And presumably, therefore, issued under licenses that forbid you from starting a query service? I'm pretty sure most of these IP data providers will offer their own on-demand query services


Maxmind's is free to City/Country level, $90/month for a site license. http://www.maxmind.com/en/geolocation_landing


That's for your own use however, the license says:

Access to the data is restricted to employees and contractors of the license holder. With contractors, the license holder is liable should the contractors violate the terms of the agreement.

Data may not be stored in a way that is publicly accessible.

If you wanted to build a public server with that, you would have to use their per-usage API according to their FAQ: http://www.maxmind.com/en/faq#lookuptool


You can also use their free databases http://dev.maxmind.com/geoip/geoip2/geolite2/ under the Creative Commons Attribution-ShareAlike 3.0 Unported License


Correct, but the site isn't following the terms of that license.


This really looks like maxmind city level, so... until we get confirmation from the dev on what db it is, assume this service can disappear at any moment due to license issues.


Maxmind.com to me is the most accurate and best priced. Did my research a few weeks ago.


About 8 miles less accurate than MaxMind -- 11 miles wrong vs. Maxmind's 3. I'm always curious: what is the provenance of services like this one / MaxMind — my ISP? Some past inadvertant GPS-enabled requests that leak out?


Why would anyone pay for this? Maxmind is the industry standard and way cheaper.


And presumably this service is just repackaging such an existing system. My old company had a tool to figure our what widely used geo db was used for these services (to properly judge it's value), but I no longer have access to this tool.


Any plans for IPv6 support?


Absolutely!


I'm on a campus network that reverse proxies all HTTP traffic. The service shows my internal 10.x.x.x IP. Just a heads-up that you might want to fix your handling of X-Forwarded-For headers.


Yeah. Should exclude any of these: 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16 and the lesser known 172.16.0.0/12

Also, I wonder if it handles X-Forwarded-For headers that contain multiple IP addresses, because there are multiple levels of proxying taking place.

Also. No IPv6? How boring.


Full list of "special" addresses: http://tools.ietf.org/search/rfc3330


Or I guess this is the most recent version: http://tools.ietf.org/search/rfc6890


Thanks for reporting! You should see that we correctly detect this as a bogon, but we should definitely be pulling the correct IP from the headers. I'll look into this.

    $ curl ipinfo.io/10.0.0.1
    {
      "ip": "10.0.0.1",
      "hostname": "No Hostname",
      "loc": "",
      "bogon": true
    }


That's a normal / forward proxy (transparent most likely)


You're absolutely right. I've being setting up too many nginx instances lately and the term stuck in my head...


I was going to say that there was a small typo when trying out 127.0.0.1:

"127.0.0.1 is a bogon or private IP address that should not appear on the Internet."

But then I learned that "bogon' is actually a word:

http://en.wikipedia.org/wiki/Bogon_filtering

And re-reading the sentence, I'm not sure what "bogon" would be a typo for anyway..."Vogon"? Anyway, good handling of an edge/nonsense case!


Hmm. For me it was off by 20 miles. Not bad considering that most other GeoIP services get my location off by several hundred miles.

I'll probably be using this. Thanks!


"city": null, "region": null, "country": "US"

At least it got the US part right.


What's your IP?


Recommendation: I have the feeling your sales would be significantly boosted if you added some sort of tiered service plans on top of your free tier, instead of requiring the frictionful process of reaching out to a sales address.


Did you see http://ipinfo.io/pricing? What changes would you suggest?


Sorry, I somehow missed that site from reading your docs. I'm willing to chalk this up to my own mistake rather than bad design on your part.


Security (HTTPS) as a paid feature?


Noticed this:

JSONP support: http://ipinfo.io/?callback=test

Paid JSONP support: https://ipinfo.io/?callback=test


Bonus points for checking that the callback function is callable before calling it!


In a shell script you can do:

    MYIP="`curl -s http://ipinfo.io/ip`"
http://myip.enix.org/REMOTE_ADDR is similar.


My "goto" for shell scripts is http://echoip.org/, though I recently setup my own such script as well. It's a one-liner in PHP, though having some json output alternatives would be useful as well.


http://ip-api.com/ provides correct details. http://ipinfo.io/ showing that I am in US.


This one correctly detected my city, something the others couldn't do.

Thanks.


Doesn't support IPv6 :)


A strange site, it doesn't support IP at all: http://ip6.nl/#!ipinfo.io

It merely does legacy IP, so what's the point?


Has anyone done research on quality of geo DB? I've personally prefer Maxmind because of the format of the DB, but Netacuity seemed to be giving more up to date results.


I created a Bash script using this service: https://github.com/niklasberglund/ipinfo


Many free IP info APIs: https://www.mashape.com/search?query=ip+info


In my case it was off by 55 miles so the address, lat/lng and postcode were wrong but other than that ok (my ISP is Andrews and Arnold).

Why not just use Maxmind though?


http://ip-api.com/ is also a nice alternative, with JSON, CSV, XML, and others.


If the hostname is unknown, the json hostname property should probably be null instead of the string "No hostname"


It incorrectly states my IP is a Tor exit node when in fact it's just a relay.

I'll go ahead and file an issue with the github lib.


zvanness, would you be interested in also implementing this;

    http://whatsmyresolver.stdlib.net/
    curl -L  http://whatsmyresolver.stdlib.net/resolver/
? It should be relatively easy to add (happy to explain how it works), and I'm personally longing to turn off my service!


Sorry to intercept, but how does it work?


My first guess would be that the domain uses a custom nameserver that logs all dns queries and serves back a different IP to each user. Then when the http request comes in to that specific IP, it can check the dns logs to identify the resolver.

But surely.. that would either require (a) a massive IP space (i guess that works if the site is IPv6 only), or (b) assuming a pretty short time between dns lookup and http request, and hence possibly false results if the dns lookup is cached somewhere and the IP has since been reused

I'd love to know if there's a better way of implementing this.


A better way would be to hand each client a unique hostname (sessionidhere.whatsmyresolver.stdlib.net) and match that dns query to the http client? For example as an ajax call from the main website.


curl $(</dev/urandom tr -dc a-z|head -c32).mydns.re


This believes that I am in London. I am most decidedly not in London.

FreeGeoIP thinks I'm in Edinburgh, which is only slightly better.


This believes that I am in Colchester, FreeGeoIP can say that I am just in the UK, Google in incognito mode thinks that I am in Sheffield. Correct answer: Manchester :)


And this believes I'm in Liverpool; FreeGeoIP thinks I'm in London, but I'm in Sussex.


You're in ... Newcastle?


"postal" and "loc" are a bit off in my case. My true location is about 6km away from "loc".


You should probably add -> "add_header Strict-Transport-Security max-age=31536000;" to your nginx config.


Bad idea. Then anyone who accesses it over HTTPS won't be able to use HTTP anymore and HTTPS requires a paid plan of some sort.

Ideally they should be on separate domains, at which point HSTS would be more suited.


Paid plan for API access I guess - hoping one wont use the same environment for both. I meant this for the stripe frame which kicks in, cant really trust an https frame that has a start from http.


What's the underlying GeoIP database?


You have a typo on the /developers page. It says client-sde I'm assuming it should say client-side.


I'm getting latitude = 60.0000, longitude = 100.0000 for my IP. Which is about 1000 km away from me.


Are you placing all virgin media uk customers in London? I'm in belfast.


As a customer of AT&T in the United States, I often get put in Chiacago or Kansas. Go figure.


I just like the fact that this could have been called "iPapi".


here is a free, simple, and accurate geolocation service: http://free-geolocation.appspot.com/


Nice... can we have a trailing newline on the JSON?


Complete with completely wrong geolocation...


What's your IP, and (roughly) correct location?


You just got yourself a customer!


my-ip.heroku.com is a very simple alternative.


awesome! what technology do you use?


Ingredients: Node, Connect, Express on Nginx. *

* Courtesy of Wappalyzer


Yeah, exactly that! I'll have to check out Wappalyzer.

The code is written in coffeescript, and some key npm modules are:

- https://github.com/caolan/async

- https://github.com/brycebaril/node-tokenthrottle-redis

- https://github.com/rs/node-netmask

I was at one point using https://github.com/tjfontaine/node-dns for the hostname lookups, but it was significantly slower that the built in dns module, so I ended up wrapping that with my own timeout logic.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: