堆栈内存溢出
  简体   繁体   English

安全组 aws 特定 ip http/https 阻止一切

[英]security group aws specific ip http/https blocks everything

 原文  2021-08-10 18:23:01       amazon-web-services/ security/ firewall

问题描述

I've follow the documentation of I've read https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html我已经阅读了 https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html的文档

and I want to create a security group in AWS which allows only one IP access to ports 80 or 443, but AWS is blocking everything even the IP which should have access when I apply this group.我想在 AWS 中创建一个安全组,它只允许一个 IP 访问端口 80 或 443,但 AWS 阻止了所有内容,甚至是 IP,当我应用该组时,它应该可以访问。

We are using nginx in the ec2 server and the certificate was created with certbot我们在 ec2 服务器中使用 nginx 并且证书是使用 certbot 创建的

我的入站规则

2 个解决方案

解决方案1
 1  2021-08-10 18:50:51

What do you mean by "blocking everything"? “阻止一切”是什么意思?

From these 2 rules, port 80 and port 443 are only open to the one IP that you had given.从这 2 条规则来看,端口 80 和端口 443 仅对您提供的 IP 开放。 If this is a webapp, it is likely that you'll have a loadbalancer setup to receive the traffic.如果这是一个网络应用程序,您可能会设置一个负载均衡器来接收流量。

  • Check the ELB security group and block traffic there (If there is an ELB setup)检查 ELB 安全组并阻止那里的流量(如果有 ELB 设置)
  • Check the VPC NACL if there are any block for port 80/443 traffic.如果端口 80/443 流量有任何阻塞,请检查 VPC NACL。 If that is the case, NACL rule will take precedence here如果是这种情况,NACL 规则将在这里优先
  • Make sure you check your outbound rules also.确保您也检查出站规则。 If by "Blocking everything", you meant the outbound traffic如果通过“阻止一切”,你的意思是出站流量

解决方案2
 0  2022-02-13 10:45:23

Edit the inbound rule to be only lock out any other port to the instance ip address only, while you open 443 and 80 to everyone.将入站规则编辑为仅锁定实例 ip 地址的任何其他端口,同时向所有人开放 443 和 80。 eg.例如。 if ur ec2 instance public ip is 13.255.77.8 and you don't want port 5000 to be accessible to the public, create a custom tcp with your that is only acessible to that port ie mapping port 5000 to this ip - 13.255.77.8/32如果您的 ec2 实例 public ip 是 13.255.77.8 并且您不希望公众可以访问端口 5000,请使用您的自定义 tcp 创建一个只能访问该端口的端口,即将端口 5000 映射到此 ip - 13.255.77.8/ 32

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 aws_security_group_rule 属性 cidr_blocks 和 source_security_group_id 的冲突问题 - conflicting issue for aws_security_group_rule attributes cidr_blocks and source_security_group_id AWS CLI - 创建脚本以将我的 IP 添加到安全组 - AWS CLI - Create script to add my IP to security group 创建 Travis NAT IP 作为 AWS VPC 安全组 IP 列表 - Create Travis NAT IPs as AWS VPC Security Group IP List AWS 云中的安全组 - Security Group in AWS Cloud 如何使用 aws cli 将当前 pc IP 添加到安全组中 - How could I add current pc IP into security group with aws cli AWS 安全组:端口范围? - AWS security group: Port range? AWS EC2 拒绝通过 CLI 对特定 IP 的 http/https 访问 - AWS EC2 deny http/https access to specific IPs via CLI 为什么不使用直接 IP 而是使用安全组? - Why not using the direct IP but Security Group instead? 为什么 AWS 安全组不允许 sg-ID 的入站 http 流量 - Why does AWS Security group not allow inbound http traffic by sg-ID 将包含自身和安全组 ID 的 aws_security_group_rule 添加到安全组 - Add an aws_security_group_rule that contains self and a security group id to a security group
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM