How to get client IP behind an AWS ELB?

With a webserver (apache or nginx) I am able to find the x-forwarded-for header and find the client IP rather than the ELB's IP.

Can I do the same thing using IPTables so that I am able to block certain IP addresses?

I can do this at the webserver level. However, I think this is a bit inefficient and I am hoping I can achieve this with IP Tables or something similar?

Since July 30th, ELB supports Proxy Protocol. As stated at the end of this thread in the AWS forum:

Elastic Load Balancing (ELB) now supports Proxy Protocol version 1. This feature allows you to identify the client's connection information when using TCP load balancing, providing additional insight into visitors to your applications. Having this information can be useful for analyzing traffic logs, gathering connection statistics, troubleshooting, or managing whitelists of IP addresses.

You must enable Proxy Protocol in the ELB.

The developers guide has more information about Proxy Protocol.
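With Proxy Protocol enabled, the ELB prefixes every TCP connection to the instance with a single ASCII line such as `PROXY TCP4 <client-ip> <elb-ip> <client-port> <elb-port>\r\n`, and the application data follows it. The backend has to parse and strip that line itself. The following parser is an added example and is not code from the answer above or from AWS; the sample streams in it are constructed, and the `10.0.1.20` load-balancer address is a placeholder.

```python
import ipaddress

# The PROXY protocol v1 header is a single ASCII line of at most 107 bytes
# (CRLF included) sent before any application data.
MAX_V1_LINE = 107


class ProxyHeaderError(ValueError):
    """The stream does not begin with a well-formed PROXY v1 line."""


def parse_proxy_v1(data):
    """Split a TCP stream prefix into (connection_info, remaining_bytes).

    connection_info is a dict with the client (source) and load-balancer-side
    (destination) addresses and ports, or None for "PROXY UNKNOWN", which the
    proxy sends when it could not determine the client address.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ProxyHeaderError("no CRLF-terminated PROXY line within 107 bytes")
    line, rest = data[:end], data[end + 2:]
    if not line.startswith(b"PROXY "):
        raise ProxyHeaderError("stream does not start with a PROXY line")
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII byte in PROXY line") from exc
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6:
        raise ProxyHeaderError("expected 6 space-separated fields, got %d" % len(fields))
    _, proto, src, dst, sport, dport = fields
    family = {"TCP4": 4, "TCP6": 6}.get(proto)
    if family is None:
        raise ProxyHeaderError("unsupported protocol %r" % proto)
    if not (sport.isdigit() and dport.isdigit()):
        raise ProxyHeaderError("ports must be unsigned decimal integers")
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError as exc:
        raise ProxyHeaderError("malformed address: %s" % exc) from exc
    if src_ip.version != family or dst_ip.version != family:
        raise ProxyHeaderError("address family does not match %s" % proto)
    sport_i, dport_i = int(sport), int(dport)
    if not (0 <= sport_i <= 65535 and 0 <= dport_i <= 65535):
        raise ProxyHeaderError("port out of range")
    return {
        "client_ip": str(src_ip),
        "client_port": sport_i,
        "elb_ip": str(dst_ip),
        "elb_port": dport_i,
    }, rest


def has_valid_proxy_line(data):
    """True when parse_proxy_v1 accepts the stream prefix, False otherwise."""
    try:
        parse_proxy_v1(data)
    except ProxyHeaderError:
        return False
    return True


# Constructed sample streams (not captured traffic) for a quick self-check.
SAMPLE_OK = b"PROXY TCP4 203.0.113.7 10.0.1.20 51234 443\r\nGET / HTTP/1.1\r\n"
SAMPLE_NO_HEADER = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    info, app_data = parse_proxy_v1(SAMPLE_OK)
    print("client:", info["client_ip"], info["client_port"])
    print("first application bytes:", app_data[:16])
    print("plain HTTP accepted as PROXY line:", has_valid_proxy_line(SAMPLE_NO_HEADER))
```

Two practical points follow from the parser. A backend that expects the PROXY line must only accept it on connections that really come from the ELB; if the instance is also reachable directly, anyone who connects could prepend their own `PROXY` line and claim an arbitrary client address, so the security group on the instance should admit the listener port only from the ELB. And because the line is parsed before any application data, a mismatch between the ELB setting and the backend (enabled on one side, not the other) shows up as garbage at the start of every connection, which is the first thing to check when traffic breaks after enabling the feature.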

You can't do this with iptables, because iptables will only ever see the IP address of the elastic load balancer, since the ELB is what is establishing the connections to your instance.

Using the web server to block certain x-forwarded-for values isn't particularly inefficient, but if you want to control who can access your ELB by IP address, that can also be accomplished with the Security Group attached to the ELB.

Update: Your comment is partially correct, because, at least as of now, ELB on EC2 "classic" does not support an inbound security group or network access control list, but ELB on VPC does.

Q: Can I configure a security group for the front-end of the Elastic Load Balancer?

If you are using Amazon Virtual Private Cloud, you can configure security groups for the front-end of your Elastic Load Balancer. http://aws.amazon.com/ec2/faqs/#ELB6

Security groups are easiest to use when you need to allow a relatively small set of specific IP address ranges. If you want to allow most but block a few, then a VPC Network Access Control List is the easier approach.
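Blocking at the web server level, as the answer above suggests, depends on reading `X-Forwarded-For` correctly. The ELB appends the address of the connecting client as the last entry of that header, so the rightmost value is the one the load balancer observed; anything to its left was sent by the client and can say whatever the client wants. The following is an added example, not code from the answer or from AWS, of the decision a web application or middleware would make: it trusts the header only when the TCP peer is an ELB node, uses the rightmost entry, and fails closed on an unparseable header. The `10.0.0.0/16` ELB range and the deny list are constructed placeholders.

```python
import ipaddress

# Constructed values: the VPC range the ELB nodes live in (hypothetical) and a
# small deny list of client addresses. Both would come from real configuration.
ELB_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]
BLOCKED_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.9/32"),
]


def client_ip_from_xff(xff_header, peer_ip, elb_networks=ELB_NETWORKS):
    """Return the client address that the ELB actually saw.

    The ELB appends the connecting client's address as the last entry of
    X-Forwarded-For, so the rightmost value is the trustworthy one; entries to
    its left were supplied by the client and may be fabricated. If the TCP peer
    is not an ELB node, the header cannot be trusted at all and the peer
    address itself is the client. Raises ValueError on an unparseable header.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in elb_networks):
        return peer
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    if not hops:
        raise ValueError("connection via ELB without X-Forwarded-For")
    return ipaddress.ip_address(hops[-1])


def is_blocked(client_ip, blocked=BLOCKED_NETWORKS):
    """True when the client address falls in any denied network."""
    return any(client_ip in net for net in blocked)


def decide(xff_header, peer_ip):
    """'allow' or 'deny' for one request; an unparseable header fails closed."""
    try:
        client = client_ip_from_xff(xff_header, peer_ip)
    except ValueError:
        return "deny"
    return "deny" if is_blocked(client) else "allow"


# Constructed requests as (X-Forwarded-For value, TCP peer address).
SAMPLE_REQUESTS = [
    ("203.0.113.9", "10.0.3.4"),                # denied client via ELB
    ("203.0.113.9, 192.0.2.77", "10.0.3.4"),    # client-supplied left entry ignored
    ("198.51.100.5, 203.0.113.9", "10.0.3.4"),  # real client 203.0.113.9, denied
    ("203.0.113.9", "192.0.2.77"),              # not via ELB: header ignored
    ("not-an-address", "10.0.3.4"),             # garbage: fail closed
]

if __name__ == "__main__":
    for xff, peer in SAMPLE_REQUESTS:
        print("%-28s peer=%-12s -> %s" % (xff, peer, decide(xff, peer)))
```

The second sample request is the case that matters: a naive "take the first entry" rule would deny it on the strength of a value the client wrote itself, while a rule that only looks at the first entry would let a denied client through by prepending any harmless address. The missing-header case is treated as a deny here because, behind an HTTP listener, the ELB always adds the header; a deployment using a TCP listener gets no header at all and should use Proxy Protocol instead. Restricting the instance's security group so that the listener port is reachable only from the ELB is what makes the "peer is an ELB node" check meaningful.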
