IIS 7 - Restrict Application by IP Address behind load balancer
I am trying to restrict an application in IIS 7 by IP address on my web server behind a load balancer. The X-Forwarded-For header is set by the load balancer with the client's IP address.

What is the best way to extract that IP address in IIS 7 to set up IP address filtering on my application? If there is not a best way, I will end up using an HTTPModule to handle this for me.
REMOTE_ADDR and implement IP Restrictions.

With the following recipe REMOTE_ADDR will be set to the real Client-IP regardless of whether there is a trusted reverse proxy in front to set HTTP_X_FORWARDED_FOR. That means you can remove the reverse proxy from in front of IIS and these IP Restrictions will still continue to work as expected.
REMOTE_ADDR in applicationHost.config

Set this in the global IIS applicationHost.config:
<rewrite>
  <allowedServerVariables>
    <add name="REMOTE_ADDR" />
    <add name="REMOTE_HOST" />
  </allowedServerVariables>
  <globalRules>
    <rule name="Remote" patternSyntax="ECMAScript">
      <match url=".*" ignoreCase="false" />
      <conditions>
        <add input="{REMOTE_ADDR}" pattern="^10\.1\.1\.[123]$" ignoreCase="false" />
        <add input="{HTTP_X_FORWARDED_FOR}" pattern="\d+\.\d+\.\d+\.\d+$" ignoreCase="false" />
      </conditions>
      <serverVariables>
        <set name="REMOTE_ADDR" value="{C:0}" />
        <set name="REMOTE_HOST" value="{C:0}" />
      </serverVariables>
      <action type="None" />
    </rule>
  </globalRules>
</rewrite>
The recipe above copies the last IP address it finds in HTTP_X_FORWARDED_FOR to the REMOTE_ADDR and REMOTE_HOST <serverVariables> only if the original value in REMOTE_ADDR matches the IP address of a trusted reverse proxy.
To have this recipe work, the first condition must be set to match your reverse proxy's IP address(es):

  <add input="{REMOTE_ADDR}" pattern="^10\.1\.1\.[123]$" ignoreCase="false" />

In the example above, the client IP in HTTP_X_FORWARDED_FOR is trusted only if set by a reverse proxy at one of these IP addresses: 10.1.1.1 or 10.1.1.2 or 10.1.1.3
That takes care of setting REMOTE_ADDR to the real Client-IP.
IP Restrictions in web.config

IP Restrictions can be set with the IIS URL Rewrite module in a site's web.config using this recipe:
<system.webServer>
  <rewrite>
    <rules>
      <rule name="IP Restricted" patternSyntax="ECMAScript" stopProcessing="true">
        <match url=".*" ignoreCase="false" />
        <conditions>
          <add input="{REMOTE_ADDR}" pattern="^(127\.|10\.20\.74\.|10\.25\.182\.|10\.64\.105\.10)" ignoreCase="false" negate="true" />
        </conditions>
        <action type="Rewrite" url="/403.html" appendQueryString="false" logRewrittenUrl="true" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
Edit the pattern= to only match the IP addresses or blocks you need to let in. Change the <action /> to whatever is needed.
Because the web.config recipe above filters on the standard REMOTE_ADDR variable, it works with and without HTTP_X_FORWARDED_FOR. The recipe in applicationHost.config <rewrite><globalRules> ensures that REMOTE_ADDR is always set to the real Client-IP for anything that might later reference REMOTE_ADDR.
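To make the trust logic of the two recipes concrete, here is an added Python model (not part of the answer, and not IIS code) of what the rules compute: REMOTE_ADDR is replaced by the last address in X-Forwarded-For only when the TCP peer is one of the trusted proxies, and the web.config allow-list is then applied to the result. The allow-list is written as networks, which is stricter than the answer's prefix regex (that pattern has no terminator, so it also admits 10.64.105.100); the sample addresses are constructed.

```python
import ipaddress
import re

# Trusted reverse proxies, mirroring the first condition of the
# applicationHost.config rule (pattern ^10\.1\.1\.[123]$).
TRUSTED_PROXIES = {ipaddress.ip_address(a) for a in ("10.1.1.1", "10.1.1.2", "10.1.1.3")}

# Allow-list of the web.config "IP Restricted" rule, as networks rather than
# the prefix regex ^(127\.|10\.20\.74\.|10\.25\.182\.|10\.64\.105\.10).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("127.0.0.0/8", "10.20.74.0/24", "10.25.182.0/24", "10.64.105.10/32")]

# Same regex as the second globalRules condition: the last dotted quad in
# the header, which is what the back-reference {C:0} captures.
_LAST_IP = re.compile(r"(\d+\.\d+\.\d+\.\d+)$")


def effective_remote_addr(remote_addr, x_forwarded_for):
    """Return the client IP the way the globalRules recipe computes REMOTE_ADDR.

    X-Forwarded-For is honoured only when the TCP peer (REMOTE_ADDR) is one of
    the trusted proxies; otherwise the peer address is kept, so a client that
    reaches IIS directly cannot choose its own address via the header.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not x_forwarded_for:
        return remote_addr                # first condition fails: rule does not fire
    m = _LAST_IP.search(x_forwarded_for.strip())
    if m is None:
        return remote_addr                # second condition fails: rule does not fire
    return m.group(1)


def is_allowed(remote_addr, x_forwarded_for=None):
    """Apply the web.config allow-list to the effective client address."""
    try:
        client = ipaddress.ip_address(effective_remote_addr(remote_addr, x_forwarded_for))
    except ValueError:
        return False                      # malformed address: treat as not allowed
    return any(client in net for net in ALLOWED_NETWORKS)
```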
You can use the IIS URL Rewrite module to accomplish this.

Add a new inbound rule with conditions that check to see if the IP address does not match {HTTP_X_Forwarded_For}. You can then set the rule up to redirect, rewrite, or abort the request.

You can add a new condition for each IP address you wish to white-list.
IIS 7 and beyond include the Dynamic IP Restrictions module, which supports filtering client requests by their X-Forwarded-For header, which is added to a request when using an AWS load balancer:

Support for web servers behind a proxy - If your web server is behind a proxy, you can configure the module to use the client IP address from an X-Forwarded-For header.

You can enable Proxy Mode support by checking the "Proxy" checkbox in the module's configuration page, then write rules to allow/deny IPs/CIDR ranges via the module.