I am a developer currently trying to implement the SIM method on a server with high security settings. Because of this I need to know a range or list of IP addresses I can expect authorize.net to use when posting back transaction results using the relay response.
Is there anyone from authorize.net that can give me the ips I need. I imagine I can't be the only one that has had this problem, but I have failed to find anything for sure. The best I could find searching online is [ authorize-net.allowed-ip=64.94.118.33/255.255.255.0 ].
I tried calling authroize.net and they told me to send an email because they do not have this information. I sent an email yesterday and will hopefully hear back soon today.
Thanks
01-12-2010 06:56 AM
Unfortunately Authorize.net has failed to respond to my email sent about this issue in less than 24 hours. They clearly state...
"..Customer Support will respond to your inquiry within 24 hours."
and
"Please allow 24 hours for a response."
This is the second email I have sent in hoping for a reply. I never received a response to the first email I had sent.
01-12-2010 01:08 PM
We do not publish our IP range. Instead we recommend that you use our domain name as our IP range is not static and may change at any time without notice.
Thank you,
Elaine
01-14-2010 09:23 AM
Elaine -
Thank you for the response, but your response does not make sense to me. Are you saying you want our firewalls to do a reverse DNS on each request, then allow it if it's from authorize.net or *.authorize.net? And if so, is that even possible?
Right now we are being hit by 64.94.119.5 which doesn't even exist in DNS.
nslookup 64.94.119.5
Server: 128.101.101.101
Address: 128.101.101.101#53
** server can't find 5.119.94.64.in-addr.arpa.: NXDOMAIN
01-14-2010 11:27 AM
There is a way to control this without IP restriction. Make the return URL for the API to post to stored within your account and not in the script and attach a get code to the end like ?key=sey4hd56dh4567h568 and have your script detect if $_GET['key'] is set and if so if it matches the one you have as the authroized key and if not then just die(). Then people can post whatever they want to your script and only authorize.net's API will get through to your actual functions for storing a valid payment.
02-13-2013 05:43 AM
I had this problem too.
I block unauthorized users with the .htaccess script, so Idon't think the method that checks $_GET for a key would work.
You can find out the (albeit temporary) ip address by checking your access.log to see which ip address authorize.net comes in from after a transaction. Then just add that to your .htaccess ip exceptions to allow in without a username/password.
You'll have to monitor if/when the ip address changes.
For me, the access log is located in /var/log/apache2/access.log. It might be in other log files as well.
01-15-2014 12:18 PM