

Secure Cloud Run service to accept requests from a Domain in Browser only (and not Postman / shell script)

We have gone through the authentication overview but it doesn't answer our question, so reaching out to the experts here.

Our web application, once loaded in the browser for a user, makes requests to our service on Cloud Run. We would like to secure our backend service so only our Domain can access this and not some user using Postman or a shell script to access / update data.

end-user-access auth

Because the user doesn't have to be always signed in, we would like Cloud Run to respond to the requests even if there's no auth token present. This eliminates the end-user access to service option for us.

service-to-service auth:

Because it is the browser, and not another service in our GCP platform, that's making the request, even this option doesn't work for us.

The user data in our backend is secure, because those endpoints require Auth tokens; however, pages that don't need an auth token are insecure, and could be vulnerable to DDoS or bot/scraping attacks.

How can we secure our Cloud Run service so only calls from our Web Application are responded to and not others?

You can't be sure that the web application is the sender of the request. Indeed, in the web environment, you send your code to the client side. From there, the users (good or bad) can go into your code and understand how it works, what the headers of the request are, how these headers are built, ...

Complex and inefficient things can be imagined... Maybe the best way is to plug in an API Gateway and to perform rate limiting for the users. Like this, even if the user uses an automated thing, they will be limited. I wrote an article on the Cloud Endpoint Rate limit. Not sure that is the best product for this; maybe Apigee fits your requirements better.

EDIT

What I would like to say in the first paragraph is "it's not possible with Cloud Run and with any other web technology".
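The answer's point is that nothing the browser sends can prove it is "your" web application, so the fallback is to limit how much any one caller can do. The following is an added example, not code from the question, the answer, or Google's own products: a per-client token-bucket limiter in front of a token-less endpoint. It is framework-agnostic (`headers` is a plain dict, `remote_addr` the peer address the server saw). The one thing it does trust from the request is the address appended to `X-Forwarded-For` by the proxy in front of the service; how many trusted hops sit there (`TRUSTED_PROXY_HOPS`) is an assumption that must match the real deployment, because anything a client puts at the front of that header is attacker-controlled. The scraper traffic in `__main__` is constructed.

```python
"""
Per-client token-bucket rate limiting for an unauthenticated endpoint.

Added example, not from the original question or answer. TRUSTED_PROXY_HOPS
is an assumption: 0 means the platform front end is the only hop that appends
to X-Forwarded-For, so the rightmost entry is the real client address.
"""
import math
import time
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Tuple

TRUSTED_PROXY_HOPS = 0  # assumption: set to the number of proxies you control in front


def client_key(headers: Mapping[str, str], remote_addr: str,
               trusted_hops: int = TRUSTED_PROXY_HOPS) -> str:
    """Pick the address to rate-limit on.

    A client can put anything it likes at the front of X-Forwarded-For, so only
    the entries appended by proxies we control are trustworthy. The client
    address is therefore the (trusted_hops + 1)-th entry from the right.
    """
    xff = headers.get("X-Forwarded-For", "")
    parts = [p.strip() for p in xff.split(",") if p.strip()]
    idx = len(parts) - 1 - trusted_hops
    return parts[idx] if idx >= 0 else remote_addr


@dataclass
class _Bucket:
    tokens: float
    updated: float


class RateLimiter:
    """Token bucket per key: `burst` requests at once, then `rate_per_sec` sustained."""

    def __init__(self, rate_per_sec: float, burst: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rate = rate_per_sec
        self.burst = float(burst)
        self.clock = clock
        self._buckets: Dict[str, _Bucket] = {}

    def _refill(self, key: str) -> _Bucket:
        """Credit the bucket with tokens earned since its last update."""
        now = self.clock()
        b = self._buckets.get(key)
        if b is None:
            b = _Bucket(tokens=self.burst, updated=now)
            self._buckets[key] = b
        b.tokens = min(self.burst, b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        return b

    def allow(self, key: str, cost: float = 1.0) -> bool:
        b = self._refill(key)
        if b.tokens >= cost:
            b.tokens -= cost
            return True
        return False

    def retry_after(self, key: str, cost: float = 1.0) -> int:
        """Whole seconds until `cost` tokens are available again (0 if now)."""
        b = self._refill(key)
        missing = cost - b.tokens
        return 0 if missing <= 0 else math.ceil(missing / self.rate)


def handle_request(limiter: RateLimiter, headers: Mapping[str, str],
                   remote_addr: str) -> Tuple[int, Dict[str, str], str]:
    """Gate a public, token-less endpoint. Returns (status, headers, body)."""
    key = client_key(headers, remote_addr)
    if not limiter.allow(key):
        return 429, {"Retry-After": str(limiter.retry_after(key))}, "rate limit exceeded"
    return 200, {}, "ok"


class FakeClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    # Constructed traffic: a scraper hammering the endpoint from one address.
    clock = FakeClock()
    limiter = RateLimiter(rate_per_sec=2.0, burst=5, clock=clock)
    hdrs = {"X-Forwarded-For": "9.9.9.9, 203.0.113.7"}  # 9.9.9.9 is client-supplied junk
    statuses = [handle_request(limiter, hdrs, "10.0.0.1")[0] for _ in range(8)]
    print(statuses)  # first five pass, the remaining three get 429
```

Two caveats that follow from the answer above. The bucket state lives in the process, so on a platform that scales out to several instances each instance enforces its own limit; the gateway the answer recommends does the same accounting at the edge, in one place, which is why it is the better fit for abuse protection rather than an in-app limiter. And the limiter deliberately keys on network identity rather than on anything the page's JavaScript could attach, since, as the answer notes, any header the client builds can be copied into Postman or curl.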
