對actuator的管理端點進行ip白名單限制(springBoot添加filter)
阿新 • • 發佈:2018-08-09
代理 指令 驗證 都是 factory ref https tco fig
在我們的SpringCloud應用中,我們會引入actuator來進行管理和監控我們的應用
常見的有:http://www.cnblogs.com/yangzhilong/p/8378152.html
如果開啟
endpoints.restart.enabled=true
則會有pause、restart等端點。
對shutdown、pause、restart等敏感指令我們需要進行一定的保護。當然actuator也考慮到了這點,對一些敏感的端點做了enable、sensitive以及security的校驗。
為了使用方便,我們通常是如下的配置:
# 禁用actuator管理端鑒權 management.security.enabled=false# 啟用shutdown host:port/shutdown endpoints.shutdown.enabled=true # 禁用密碼驗證 endpoints.shutdown.sensitive=false # 開啟重啟支持 endpoints.restart.enabled=true # shutdown、pause、restart等的ip白名單地址 shutdown.whitelist=0:0:0:0:0:0:0:1,127.0.0.1,172.16.,10.18.
這麽做的主要原因有:1、使用方便 2、方便集成到各種監控組建裏去。
註:網上很多都是說的開啟management的鑒權,類似如下(此方案會影響第三方監控組建的使用,不推薦使用):
security.user.name=admin security.user.password=admin security.user.role=SUPERUSER management.security.roles=SUPERUSER
如果不過這個security的交單會導致誰都可以直接post請求這些接口,故有了如下基於ip白名單的Filter方案:
ShutdownFilter.java
package com.mili.crm.eureka.filter; import java.io.IOException; import java.io.PrintWriter; importjava.util.Arrays; import java.util.List; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.annotation.WebFilter; import javax.servlet.http.HttpServletRequest; import org.springframework.beans.factory.annotation.Value; import org.springframework.cloud.context.config.annotation.RefreshScope; import lombok.extern.slf4j.Slf4j; /** * shutdown和pause的管理端點的ip白名單過濾 * @author yangzhilong * */ @WebFilter(filterName="shutdownFilter",urlPatterns= {"/shutdown","/pause","/restart"}) @Slf4j @RefreshScope public class ShutdownFilter implements Filter { @Value("${shutdown.whitelist:0:0:0:0:0:0:0:1}") private String[] shutdownIpWhitelist; @Override public void destroy() { } @Override public void doFilter(ServletRequest srequest, ServletResponse sresponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) srequest; String ip = this.getIpAddress(request); log.info("訪問shutdown的機器的原始IP:{}", ip); if (!isMatchWhiteList(ip)) { sresponse.setContentType("application/json"); sresponse.setCharacterEncoding("UTF-8"); PrintWriter writer = sresponse.getWriter(); writer.write("{\"code\":401}"); writer.flush(); writer.close(); return; } filterChain.doFilter(srequest, sresponse); } @Override public void init(FilterConfig arg0) throws ServletException { log.info("shutdown filter is init....."); } /** * 匹配是否是白名單 * @param ip * @return */ private boolean isMatchWhiteList(String ip) { List<String> list = Arrays.asList(shutdownIpWhitelist); if(list.contains(ip)) { return true; } return list.stream().anyMatch(data -> ip.startsWith(data)); } /** * 獲取用戶真實IP地址,不使用request.getRemoteAddr();的原因是有可能用戶使用了代理軟件方式避免真實IP地址, * 可是,如果通過了多級反向代理的話,X-Forwarded-For的值並不止一個,而是一串IP值,究竟哪個才是真正的用戶端的真實IP呢? * 答案是取X-Forwarded-For中第一個非unknown的有效IP字符串。 * * 如:X-Forwarded-For:192.168.1.110, 192.168.1.120, 192.168.1.130, 192.168.1.100 * * 用戶真實IP為: 192.168.1.110 * * @param request * @return */ private String getIpAddress(HttpServletRequest request) { String ip = request.getHeader("x-forwarded-for"); if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("Proxy-Client-IP"); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("WL-Proxy-Client-IP"); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("HTTP_CLIENT_IP"); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("HTTP_X_FORWARDED_FOR"); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getRemoteAddr(); } return ip; } }
然後在SpringBoot的啟動類上加入如下註解
@ServletComponentScan("com.mili")
通過靈活配置這個白名單,就可以精準控制誰能訪問了。
對actuator的管理端點進行ip白名單限制(springBoot添加filter)