简体繁体 English

IP地址过滤

[英]IP Address Filtering

原文 2010-09-21 21:07:39 5 3 ruby-on-rails/ ruby

I'm looking at implementing IP Address filtering for my Rails SaaS app. 我正在考虑为我的Rails SaaS应用程序实现IP地址过滤。 In a nutshell I want administrators to be able to specify one or more IP Addresses (or a range of IP Addresses) and then my app only accept requests on their instance from the specified addresses. 简而言之，我希望管理员能够指定一个或多个IP地址（或一系列IP地址），然后我的应用程序只接受来自指定地址的实例上的请求。

I'm looking at using IPAddress ( http://github.com/bluemonk/ipaddress ) for the parsing/validating of each address/range of addresses. 我正在寻找使用IPAddress（ http://github.com/bluemonk/ipaddress ）来解析/验证每个地址/地址范围。 Is this a good fit or are there better/more appropriate libraries? 这是一个不错的选择还是有更好/更合适的库？

Has anyone implemented this kind of filtering who could describe an approach that has worked for them or are there any gotchas I need to worry about? 有没有人实现过这种过滤，可以描述一种对他们有用的方法，还是有任何我需要担心的问题？

Alternatively, is there an existing Ruby library that handles all of this automatically that has managed to elude my Googling? 或者，是否有一个现有的Ruby库可以自动处理所有这些，并设法逃避我的谷歌搜索？

Many Thanks, Ash 非常感谢，Ash

3 个解决方案

ipaddress is an awesome library (I know the author), but you won't probably need it unless you are planning to perform some advanced manipulation of IP Addresses. ipaddress是一个很棒的库（我知道作者），但除非你打算对IP地址执行一些高级操作，否则你可能不需要它。

In fact, the most simple way is to 事实上，最简单的方法是

store the array of IP addresses to filter somewhere. 存储IP地址数组以过滤某处。 You can use the string representation (192.168.1.1) or the long int representation. 您可以使用字符串表示形式（192.168.1.1）或long int表示形式。 With the string version, you can even allow wildcards (192.168.1.*) 使用字符串版本，您甚至可以允许使用通配符（192.168.1。*）
then configure a before_filter in the controller that will load the list of banned IPs and perform a simple string match to check whether current request.ip_address ( request.remote_ip in rails 3) matches a banned IP. 然后在控制器中配置一个before_filter ，它将加载禁止的IP列表并执行简单的字符串匹配，以检查当前的request.ip_address （rails 3中的request.remote_ip ）是否与禁止的IP匹配。 If true, redirect to the error page. 如果为true，则重定向到错误页面。

As you can see, you don't even need to convert the IPs into IP objects, unless you need to perform other kind of manipulations. 如您所见，除非您需要执行其他类型的操作，否则甚至不需要将IP转换为IP对象。

A little late to the party, but since I was looking for something similar and bumped into this nice Ruby gem I'll add it here to contribute to the thread. 派对有点晚了，但是因为我正在寻找类似的东西并碰到这个漂亮的Ruby宝石，我会在这里添加它以贡献线程。 I like @simone's solution, but if you need a more control then Rack::Attack may be a good choice. 我喜欢@ simone的解决方案，但如果你需要更多的控制，那么Rack::Attack可能是一个不错的选择。

https://github.com/kickstarter/rack-attack https://github.com/kickstarter/rack-attack

Rack::Attack!!! 机架::攻击！

A DSL for blocking & throttling abusive clients 用于阻止和限制滥用客户端的DSL

I think you can achieve what you want using Rails 3 built-in routing features. 我认为您可以使用Rails 3内置路由功能实现您的目标。 Gregg Pollack introduces Rails 3 Action Dispatch and mentions (from the screencast) :constraints => {:ip => /192\\.168\\.1\\.\\d{1,3}}/} option where you can supply a regular expression matching the IP address range you want to allow. Gregg Pollack介绍了Rails 3 Action Dispatch和提及（来自截屏视频） :constraints => {:ip => /192\\.168\\.1\\.\\d{1,3}}/}选项，您可以提供常规表达式匹配您要允许的IP地址范围。

Extending that a bit more, looking at the Advanced constraints and their example demonstrates pulling a list of blacklisted IPs out from the database and checking if the request.remote_ip is in the list of blacklisted IPs. 进一步扩展，查看高级约束及其示例演示了如何从数据库中提取列入黑名单的IP并检查request.remote_ip是否在列入黑名单的IP列表中。 It looks like you want a list of accepted (aka whitelist IPs) but the code would be nearly identical to the example in Rails guides. 看起来你想要一个已接受的列表（也就是白名单IP），但代码几乎与Rails指南中的示例完全相同。

So I would build your admin view to be able to input approved IP addresses, then the application routing can pull this list for incoming requests. 因此，我将构建您的管理视图以便能够输入已批准的IP地址，然后应用程序路由可以为传入请求提取此列表。