
IIS 7 - Restrict Application by IP Address behind load balancer

I am trying to restrict an application in IIS 7 by IP address on my web server behind a load balancer. The X-Forwarded-For header is set by the load balancer with the client's IP address.

What is the best way to extract that IP address in IIS 7 to set up IP address filtering on my application? If there is not a best way, I will end up using an HTTPModule to handle this for me.

Using the IIS URL Rewrite module to normalize REMOTE_ADDR and implement IP Restrictions.

With the following recipe, REMOTE_ADDR will be set to the real Client-IP regardless of whether there is a trusted reverse proxy in front to set HTTP_X_FORWARDED_FOR. That means you can remove the reverse proxy from in front of IIS and these IP Restrictions will still continue to work as expected.

Normalize REMOTE_ADDR in applicationHost.config

Set this in the global IIS applicationHost.config:

<rewrite>
    <allowedServerVariables>
        <add name="REMOTE_ADDR" />
        <add name="REMOTE_HOST" />
    </allowedServerVariables>
    <globalRules>
        <rule name="Remote" patternSyntax="ECMAScript">
            <match url=".*" ignoreCase="false" />
            <conditions>
                <add input="{REMOTE_ADDR}" pattern="^10\.1\.1\.[123]$" ignoreCase="false" />
                <add input="{HTTP_X_FORWARDED_FOR}" pattern="\d+\.\d+\.\d+\.\d+$" ignoreCase="false" />
            </conditions>
            <serverVariables>
                <set name="REMOTE_ADDR" value="{C:0}" />
                <set name="REMOTE_HOST" value="{C:0}" />
            </serverVariables>
            <action type="None" />
        </rule>
    </globalRules>
</rewrite>

The recipe above copies the last IP address it finds in HTTP_X_FORWARDED_FOR to the REMOTE_ADDR and REMOTE_HOST <serverVariables> only if the original value in REMOTE_ADDR matches the IP address of a trusted reverse proxy.

To have this recipe work, the first condition must be set to match your reverse proxy's IP address(es):

<add input="{REMOTE_ADDR}" pattern="^10\.1\.1\.[123]$" ignoreCase="false" />

In the example above, the client IP in HTTP_X_FORWARDED_FOR is trusted only if set by a reverse proxy at one of these IP addresses:

10.1.1.1 or 10.1.1.2 or 10.1.1.3

That takes care of setting REMOTE_ADDR to the real Client-IP.

IP Restrictions in web.config

IP Restrictions can be set with the IIS URL Rewrite module in a site's web.config using this recipe:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="IP Restricted" patternSyntax="ECMAScript" stopProcessing="true">
                <match url=".*" ignoreCase="false" />
                <conditions>
                    <add input="{REMOTE_ADDR}" pattern="^(127\.|10\.20\.74\.|10\.25\.182\.|10\.64\.105\.10)" ignoreCase="false" negate="true" />
                </conditions>
                <action type="Rewrite" url="/403.html" appendQueryString="false" logRewrittenUrl="true" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

Edit the pattern= to only match the IP addresses or blocks you need to let in.

Change the <action /> to whatever is needed.

Because the web.config recipe above filters on the standard REMOTE_ADDR variable, it works with and without HTTP_X_FORWARDED_FOR. The recipe in applicationHost.config <rewrite> <globalRules> ensures that REMOTE_ADDR is always set to the real Client-IP for anything that might later reference REMOTE_ADDR.
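As an added example (not part of the answer above), the following Python models the logic of the two recipes so the trust boundary can be checked offline: the trusted-proxy pattern and the last-IP pattern are taken from the applicationHost.config rule, while the allowlist networks are constructed values standing in for the web.config pattern.

```python
import ipaddress
import re
from typing import Optional, Tuple

# First condition of the globalRules recipe: REMOTE_ADDR must be a trusted proxy.
TRUSTED_PROXY_RE = re.compile(r"^10\.1\.1\.[123]$")
# Second condition: the trailing $ anchor selects the LAST IPv4 literal in
# X-Forwarded-For, i.e. the one appended by the trusted proxy, not the
# first one, which a client can supply itself.
LAST_IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+$")
# Constructed allowlist for the web.config rule. Using parsed networks instead of
# an unanchored regex prefix avoids a prefix like 10\.64\.105\.10 also matching
# 10.64.105.100 through 10.64.105.109.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.20.74.0/24")]


def normalize_remote_addr(remote_addr: str, xff: Optional[str]) -> str:
    """Mirror the applicationHost.config globalRule.

    Both conditions must match (IIS defaults to logicalGrouping="MatchAll");
    {C:0} is the whole match of the last condition, so REMOTE_ADDR becomes the
    last IPv4 address in X-Forwarded-For. Otherwise REMOTE_ADDR is left alone,
    which is what makes a client-supplied header harmless when the request did
    not arrive through a trusted proxy.
    """
    if xff is None or not TRUSTED_PROXY_RE.match(remote_addr):
        return remote_addr
    m = LAST_IP_RE.search(xff.strip())
    return m.group(0) if m else remote_addr


def is_allowed(client_ip: str) -> bool:
    """Mirror the web.config rule: allow only addresses inside ALLOWED_NETS."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETS)


def decide(remote_addr: str, xff: Optional[str]) -> Tuple[str, bool]:
    """Return (effective client IP, allowed?) for one request."""
    client = normalize_remote_addr(remote_addr, xff)
    return client, is_allowed(client)


if __name__ == "__main__":
    # Constructed requests: via trusted proxy, with a spoofed leading XFF entry,
    # and a direct hit that bypasses the proxy while carrying its own XFF.
    for req in [("10.1.1.2", "203.0.113.7, 10.20.74.5"),
                ("10.1.1.2", "10.20.74.5, 203.0.113.7"),
                ("198.51.100.9", "10.20.74.5")]:
        print(req, "->", decide(*req))
```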

You can use the IIS URL Rewrite module to accomplish this.

Add a new inbound rule with conditions that check to see if the IP address does not match {HTTP_X_Forwarded_For}. You can then set the rule up to redirect, rewrite, or abort the request.

You can add a new condition for each IP address you wish to white-list.

IIS 7 and beyond include the Dynamic IP Restrictions module, which supports filtering client requests by their X-Forwarded-For header, which is added to a request when using an AWS load balancer:

Support for web servers behind a proxy - If your web server is behind a proxy, you can configure the module to use the client IP address from an X-Forwarded-For header.

You can enable Proxy Mode support by checking the "Proxy" checkbox in the module's configuration page, then write rules to allow/deny IPs/CIDR ranges via the module.

Guangdong ICP Registration No. 18138465  © 2020-2024 STACKOOM.COM