How can I block all external IPs to endpoints behind AWS ELB?
OK - so I have a developer that does not want our REST endpoints to be accessible externally; the only access allowed is localhost and the internal network scheme. Our internal network scheme is 10.10.xx.
The way we did this is with the <LocationMatch> switch in the .conf file as follows:
<LocationMatch "/foo/bar/*">
    Order deny,allow
    Deny from all
    Allow from 10.10
    Allow from 127
</LocationMatch>
Now, the challenge we are having is that the AWS Load Balancer has an X-Forward-Host rule on it for all original source IPs, and if I do Allow from 10 - obviously - that will allow access to all endpoints externally because of this.
As stated before, our internal IP is 10.10, so I can do allow from 10.10 and that would resolve it, but if I make more regions then the network scheme could be 10.20.x, 10.30.xx, 10.40.xx, and then it becomes a bit of an administrative nightmare.
So, what makes sense is what someone mentioned: do something at the http.conf level:
<Directory />
    #Example..
    SetEnvIF X-Forwarded-For "(,| |^)192\.168\.1\.1(,| |$)" DenyIP
    SetEnvIF X-Forwarded-For "(,| |^)10\.1\.1\.1(,| |$)" DenyIP
    Order allow,deny
    Deny from env=DenyIP
    Allow from all
</Directory>
So, I am unsure how to follow this format and ensure that it denies all external IPs to these directories.
Would the http.conf file have something like:
<VirtualHost>
    #Example..
    SetEnvIF X-Forwarded-For "(,| |^)*\.*\.*\.*(,| |$)" DenyIP
</VirtualHost>
and my other conf file with the <LocationMatch> rules would have:
<LocationMatch "/foo/bar/*">
    Order deny,allow
    Deny from env=DenyIP
    Allow from 10.
    Allow from 127
</LocationMatch>
Thanks for your help!
Rather than modifying apache, use Security Groups!
Inbound access from 0.0.0.0/0 for ports 80 & 443. That's it! The security groups will block traffic that attempts to access your apache server(s) without passing through the Load Balancer.
See:
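The header check the question is trying to express, as an added Python example (not code from the post, from Apache or from AWS): it takes the entry the ELB appended to X-Forwarded-For as the client address, checks it against the 10/8 and loopback ranges, and contrasts that with the unanchored regex shape from the question, which also accepts an entry the client supplied itself. The ranges, peer addresses and sample headers are constructed.

```python
"""Decide whether a request that came through the load balancer is from an
internal client, using the X-Forwarded-For header the ELB appends to.
Added example, not code from the original post; ranges and headers are constructed."""
import ipaddress
import re
from typing import Optional

# Ranges the question wants to allow: the whole 10/8 scheme (so 10.10, 10.20,
# 10.30 ... need no per-region rules) and loopback. Assumed to match the post.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("127.0.0.0/8")]

# Shape of the SetEnvIf pattern from the question: it matches a 10.x entry
# anywhere in the header, so a client can satisfy it by sending its own header.
NAIVE_INTERNAL = re.compile(r"(,| |^)10\.")

def naive_regex_allows(xff: str) -> bool:
    return NAIVE_INTERNAL.search(xff) is not None

def client_ip_from_xff(xff: str, trusted_proxies: int = 1) -> Optional[str]:
    """Return the address the trusted proxy observed. Each proxy appends the
    peer address it saw, so with one trusted hop (the ELB) the rightmost entry
    is what the ELB saw; anything left of it came from the client untrusted."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        return None
    return hops[-trusted_proxies]

def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed entry: treat as external rather than guess
    return any(addr in net for net in INTERNAL_NETS)

def allow_request(xff: Optional[str], remote_addr: str) -> bool:
    """Allow only when the ELB-observed client (or the TCP peer, when no
    X-Forwarded-For is present) is internal. This is only sound if the ELB is
    the sole path to the server, which is what security groups enforce."""
    if xff is None:
        return is_internal(remote_addr)
    client = client_ip_from_xff(xff)
    return client is not None and is_internal(client)

if __name__ == "__main__":
    # Constructed: the client claimed 10.10.3.4, the ELB appended the real 203.0.113.9.
    spoofed = "10.10.3.4, 203.0.113.9"
    print(naive_regex_allows(spoofed), allow_request(spoofed, "10.10.0.7"))  # True False
```

With the ELB's own private address as the TCP peer (10.10.0.7 here), a plain Allow from 10 would admit every request; the check above instead decides on the address the ELB recorded.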