如果前端调用API时显示IPv4公网IP,请问这个后端是否存在安全问题?
[英]If the IPv4 public IP is displayed when the API is called on the front end, are there any security issues with this back end?
问题描述
Now, I am using ec2 as the backend platform (node js + nginx + certbot), and the settings of nginx.conf are as follows
现在,我使用ec2作为后端平台(node js + nginx + certbot),nginx.conf的设置如下
server {
listen 80;
server_name somethings.example.com;
root /usr/share/nginx/html;
location /{
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
frontend-backend communicate via https
When the front end uses the backend (api), in the chrome devtool ("Elements" panel), you can see the ec2 IPv4 public IP: 433 in the "Remote Address" column前端使用后端(api)时,在chrome devtool(“Elements”面板)中“Remote Address”一栏可以看到ec2 IPv4公网IP:433
However, when I use IPv4 public IP: 3000, I can use http (insecure) api (currently using 404 to prevent further use)但是,当我使用 IPv4 公共 IP:3000 时,我可以使用 http(不安全)api(目前使用 404 以防止进一步使用)
So I want to ask if this will cause security problems?所以我想问一下这会不会造成安全问题? How to solve it?如何解决? Or redirect when using http for communication?或者在使用http进行通信时重定向? Or how to hide the ec2 IPv4 public IP:433 in the remote address?或者如何隐藏远程地址中的ec2 IPv4公网IP:433?
1 个解决方案
解决方案1
0 2020-10-05 02:28:47
Yes, there are security issues.是的,存在安全问题。 Exposing your EC2 instances on public subnets allows folks to try and probe the various ports and see if they can exploit any vulnerabilities or take advantage of any lax in security.在公共子网上公开您的 EC2 实例允许人们尝试探测各种端口,看看他们是否可以利用任何漏洞或利用任何安全漏洞。
At the very minimum, you should lock down the security group associated with this EC2 instance to ensure it's only accepts public HTTP traffic from the expected 443 port.至少,您应该锁定与此 EC2 实例关联的安全组,以确保它只接受来自预期 443 端口的公共 HTTP 流量。
One common way to improve security would be to use a load balancer (even if you only have a single EC2 instance).提高安全性的一种常见方法是使用负载均衡器(即使您只有一个 EC2 实例)。
Amazon provides a variety of load balancers and you could use the classic Elastic Load Balancer (ELB) or Application Load Balancer (ALB). Amazon 提供了多种负载均衡器,您可以使用经典的弹性负载均衡器 (ELB) 或应用程序负载均衡器 (ALB)。
This works by putting your EC2 instance in a private subnet so that things on the internet can not get access to it.这是通过将您的 EC2 实例放在私有子网中来实现的,这样 Internet 上的内容就无法访问它。 You then create the load balancer in the public subnet and update the security group settings so that only the load balancer can send requests to the EC2 instances.然后,您在公有子网中创建负载均衡器并更新安全组设置,以便只有负载均衡器可以向 EC2 实例发送请求。 You can also make sure that the load balancer only accepts/forwards HTTPS traffic.您还可以确保负载均衡器只接受/转发 HTTPS 流量。
Using the above strategy hides the EC2 instance from clients and makes sure that no one can probe the various ports of your EC2s.使用上述策略可以对客户端隐藏 EC2 实例,并确保没有人可以探测您的 EC2 的各个端口。
Without this, you'll just have to rely on locking down the security group settings on your EC2 to ensure only the excepted ports are open to the public.如果没有这个,您只需要依靠锁定 EC2 上的安全组设置来确保只有例外端口对公众开放。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.