
How can I block all external IPs to endpoints behind AWS ELB?

OK - so I have a developer that does not want our REST endpoints to be accessible externally, with the only access allowed being localhost and the internal network scheme. Our internal network scheme is 10.10.xx.

The way we did this is with the <LocationMatch> switch in the .conf file as follows:

<LocationMatch "/foo/bar/*">
  Order deny,allow
  Deny from all
  Allow from 10.10
  Allow from 127
</LocationMatch>

Now, the challenge we are having is that the AWS Load Balancer has an X-Forward-Host rule on it for all original source IPs, and if I do Allow from 10, obviously that will allow access to all endpoints externally because of this.

As stated before, our internal IP is 10.10, so I can do Allow from 10.10 and that would resolve it, but if I make more regions then the network scheme could be 10.20.x, 10.30.xx, 10.40.xx, and then it becomes a bit of an administrative nightmare.

So, what makes sense is something someone mentioned doing at the http.conf level:

<Directory />
    #Example..
    SetEnvIF X-Forwarded-For "(,| |^)192\.168\.1\.1(,| |$)" DenyIP
    SetEnvIF X-Forwarded-For "(,| |^)10\.1\.1\.1(,| |$)" DenyIP
    Order allow,deny
    Deny from env=DenyIP
    Allow from all
</Directory>

found in this blog

So, I am unsure how to follow this format and ensure that it denies all external IPs to these directories.

Would the http.conf file have something like:

<VirtualHost>
    #Example..
    SetEnvIF X-Forwarded-For "(,| |^)*\.*\.*\.*(,| |$)" DenyIP
</VirtualHost>

and my other conf file with the <LocationMatch> rules have:

<LocationMatch "/foo/bar/*">
  Order deny,allow
  Deny from env=DenyIP
  Allow from 10.
  Allow from 127
</LocationMatch>

Thanks for your help!

Rather than modifying apache, use Security Groups!

  1. Create a security group for your Elastic Load Balancer. Allow in-bound access from 0.0.0.0/0 for ports 80 & 443.
  2. Create a security group for your apache server(s). Allow in-bound access from the ELB Security Group (a security group can reference another security group). Also add access so you can SSH into the server(s).

That's it! The security groups will block traffic that attempts to access your apache server(s) without passing through the Load Balancer.

See:
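The two security groups the answer describes, written out in Terraform as an added example (this is not code from the original answer). The VPC id and the operators' SSH range are placeholders to replace with your own values.

```hcl
# Added example, not from the original answer. Placeholders: vpc-PLACEHOLDER
# and 203.0.113.0/24 (TEST-NET-3, standing in for the operators' SSH range).
locals {
  vpc_id         = "vpc-PLACEHOLDER"
  admin_ssh_cidr = "203.0.113.0/24"
}
# Step 1: the ELB's group. Anyone may reach it on ports 80 and 443.
resource "aws_security_group" "elb" {
  name   = "web-elb"
  vpc_id = local.vpc_id
  dynamic "ingress" {
    for_each = [80, 443]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }
  # Terraform revokes AWS's default allow-all egress on groups it creates,
  # so restore it: the ELB must be able to reach the Apache instances.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Step 2: the Apache instances' group. Port 80 is open only to members of the
# ELB group (referenced by id, so it survives ELB IP changes); SSH only from
# the admin range. Traffic that bypasses the ELB never reaches Apache.
resource "aws_security_group" "apache" {
  name   = "web-apache"
  vpc_id = local.vpc_id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.elb.id]
  }
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [local.admin_ssh_cidr]
  }
  # Add egress rules here as the instances need (Terraform removed the default).
}
```

Because the Apache group admits port 80 by group reference rather than by CIDR, adding regions with new 10.20.x or 10.30.x ranges needs no rule changes, which is the administrative problem the question raised.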
