
13 IP whitelist access restriction based on the gateway service (Whitelist IP Restriction)


Configure a book service with Kong
After installing and starting Kong, use Kong's admin API on port 8001 to add a service named book
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'

HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:27:47 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "host": "contoso.com", 
    "created_at": 1526099267, 
    "connect_timeout": 60000, 
    "id": "f4c0d700-ce37-4a97-b7c2-21c4f8620510", 
    "protocol": "http", 
    "name": "book", 
    "read_timeout": 60000, 
    "port": 80, 
    "path": "/v1/books", 
    "updated_at": 1526099267, 
    "retries": 5, 
    "write_timeout": 60000
}
Add a route (the value of paths[] must match /v1/books in the book service)
so that the book service is exposed for users to access; the book service does not need more than one route.
Attention, attention, attention: this important parameter I will repeat only three times
A service route used with cross-origin resource sharing (CORS) must not be configured with the --data 'hosts[]=contoso.com' parameter value
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'paths[]=/v1/books'
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:30:05 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526099405, 
    "strip_path": true, 
    "hosts": null, 
    "preserve_host": false, 
    "regex_priority": 0, 
    "updated_at": 1526099405, 
    "paths": [
        "/v1/books"
    ], 
    "service": {
        "id": "f4c0d700-ce37-4a97-b7c2-21c4f8620510"
    }, 
    "methods": null, 
    "protocols": [
        "http", 
        "https"
    ], 
    "id": "42251e97-2921-45ea-bb19-0416019ea67a"   // {route_id} = id 
}

We can check whether the book service and its route are configured correctly like this
[[email protected] ~]# curl -i -X GET \
--url http://localhost:8000/v1/books

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Sat, 12 May 2018 12:33:12 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 27
X-Kong-Proxy-Latency: 61
Via: kong/0.13.1

[
    {
        "id": 1, 
        "title": "Fashion That Changed the World", 
        "author": "Jennifer Croll"
    }, 
    {
        "id": 2, 
        "title": "Brigitte Bardot - My Life in Fashion", 
        "author": "Henry-Jean Servat and Brigitte Bardot"
    }, 
    {
        "id": 3, 
        "title": "The Fashion Image", 
        "author": "Thomas Werner"
    }
]

Enable the cross-origin resource sharing (CORS) plugin for the book service with the following parameter configuration
URL format: http://localhost:8001/services/{name of service}/plugins
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=cors"  \
--data "config.origins=http://contoso.com" \
--data "config.methods=GET, POST" \
--data "config.headers=Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Auth-Token" \
--data "config.exposed_headers=X-Auth-Token" \
--data "config.credentials=true" \
--data "config.max_age=3600"

HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:39:35 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526128775000, 
    "config": {
        "methods": [
            "GET", 
            "POST"
        ], 
        "exposed_headers": [
            "X-Auth-Token"
        ], 
        "max_age": 3600, 
        "headers": [
            "Accept", 
            "Accept-Version", 
            "Content-Length", 
            "Content-MD5", 
            "Content-Type", 
            "Date", 
            "X-Auth-Token"
        ], 
        "credentials": true, 
        "origins": [
            "http://contoso.com"
        ], 
        "preflight_continue": false
    }, 
    "id": "e352e234-e5ab-4ba8-ad00-3796e176a720", 
    "enabled": true, 
    "service_id": "f4c0d700-ce37-4a97-b7c2-21c4f8620510", 
    "name": "cors"
}
Enable the cross-origin resource sharing (CORS) plugin for the book service's route {route_id} with the following parameter configuration
The value of the {route_id} parameter is the id of the route created without the --data 'hosts[]=contoso.com' parameter
URL format: http://localhost:8001/routes/{route_id}/plugins
[root[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/routes/42251e97-2921-45ea-bb19-0416019ea67a/plugins \
--data "name=cors"  \
--data "config.origins=http://contoso.com" \
--data "config.methods=GET, POST" \
--data "config.headers=Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Auth-Token" \
--data "config.exposed_headers=X-Auth-Token" \
--data "config.credentials=true" \
--data "config.max_age=3600"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:37:33 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526128653000, 
    "config": {
        "methods": [
            "GET", 
            "POST"
        ], 
        "exposed_headers": [
            "X-Auth-Token"
        ], 
        "max_age": 3600, 
        "headers": [
            "Accept", 
            "Accept-Version", 
            "Content-Length", 
            "Content-MD5", 
            "Content-Type", 
            "Date", 
            "X-Auth-Token"
        ], 
        "credentials": true, 
        "origins": [
            "http://contoso.com"
        ], 
        "preflight_continue": false
    }, 
    "id": "1f6dc33a-8a30-473f-929b-f4d38aadbdc7", 
    "enabled": true, 
    "route_id": "42251e97-2921-45ea-bb19-0416019ea67a", 
    "name": "cors"
}

We want to access port 8000 or port 8443 using a domain name

Using an address of the format used in this example (suppose you have registered the public domain contoso.org with the static public IPv4 address 123.125.115.110; once the public domain is granted, replace the fake public IP that contoso.org maps to in the hosts file with the static public IPv4 address 123.125.115.110, that is, replace the first 192.168.10.10; do not touch the second 192.168.10.10 below. That second, identical IP must never be changed: it is permanently used as the intranet IP address. contoso.com is a custom domain permanently used as the company's intranet domain, and the contoso.org domain in the screenshot below simulates a public web address. This is all very basic and I did not want to belabor it, so I am just explaining it in passing):

http://contoso.org:8000/v1/books

https://contoso.org:8443/v1/books


The above only simulates local access using a public-address format; below, a remote client browser accessing the book service exposed by the Kong gateway is simulated


The above simulates both the public-address format and a remote client browser accessing the book service exposed by the Kong gateway



[[email protected] ~]# pg_dump -h 127.0.0.1 -p 5432 -U postgres kong > /opt/kong-20180427.bak   # back up the kong database  
Password: 123456  

The preparation is finally complete; this blog post now gets to its real subject

Enable the Basic authentication plugin for the book service's route {route_id}. Nine authentication methods could be used in place of basic-auth;
I will not give examples of the other eight, since doing so would fill a book and make this post far too long  
URL format: http://localhost:8001/routes/{route_id}/plugins  
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/routes/42251e97-2921-45ea-bb19-0416019ea67a/plugins \
--data "name=basic-auth" \
--data "config.hide_credentials=true"

HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:47:11 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526129231000, 
    "config": {
        "hide_credentials": true, 
        "anonymous": ""
    }, 
    "id": "7992d4c5-4a8d-445e-8271-06c46c9f5f5d", 
    "enabled": true, 
    "route_id": "42251e97-2921-45ea-bb19-0416019ea67a", 
    "name": "basic-auth"
}
Add the first consumer, with username jack. The {custom_id} parameter can be omitted; it is a custom unique identifier  
whose purpose is to map the consumer jack to another database  
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:48:23 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526129303000, 
    "username": "jack", 
    "id": "61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd"
}
Enable the Basic authentication plugin for the first user, jack  
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth  
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/basic-auth \
--data "username=jack@hotmail.com" \
--data "password=123456"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:50:05 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526129405000, 
    "id": "ae14ab2f-756e-40be-8c2c-dc45de901760", 
    "username": "jack@hotmail.com", 
    "password": "70ee8509541cc3c9062ce62e868f19347d289d72", 
    "consumer_id": "61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd"
}
Online base64 encoding tool: http://tool.oschina.net/encrypt?type=3  
The key-value pair {username:password} string  
jack@hotmail.com:123456, BASE64-encoded, gives:  
amFja0Bob3RtYWlsLmNvbToxMjM0NTY=  
Access the books data API using consumer jack's Basic authentication  
[[email protected] ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY="
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63
Connection: keep-alive
Date: Sat, 12 May 2018 12:51:28 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
Vary: Origin
Access-Control-Allow-Origin: http://contoso.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: X-Auth-Token
X-Kong-Upstream-Latency: 26
X-Kong-Proxy-Latency: 48
Via: kong/0.13.1

[{"id":3,"title":"The Fashion Image","author":"Thomas Werner"}]
Enable IP whitelist access restriction for the service named book
Here 192.168.10.50 means the single macOS machine is restricted from accessing the book service
Here 192.168.43.0/24 means the whole 192.168.43 subnet is restricted from accessing the book service (Windows 10 is in this subnet)
URL format: http://contoso.org:8001/services/{service}/plugins
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=ip-restriction"  \
--data "config.whitelist=192.168.10.50, 192.168.43.0/24"

HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:58:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526129906000, 
    "config": {
        "whitelist": [
            "192.168.10.50", 
            "192.168.43.0/24"
        ]
    }, 
    "id": "d3ef0103-9eca-4e20-a845-10cfc2152ca1", 
    "enabled": true, 
    "service_id": "f4c0d700-ce37-4a97-b7c2-21c4f8620510", 
    "name": "ip-restriction"
}
Enable IP whitelist access restriction for the route {route_id} of the service named book
Here 192.168.10.50 means the single macOS machine is restricted from accessing the book service's route
Here 192.168.43.0/24 means the whole 192.168.43 subnet is restricted from accessing the book service's route (Windows 10 is in this subnet)
URL format: http://localhost:8001/routes/{route_id}/plugins
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/routes/42251e97-2921-45ea-bb19-0416019ea67a/plugins \
--data "name=ip-restriction"  \
--data "config.whitelist=192.168.10.50, 192.168.43.0/24"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 13:01:21 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526130082000, 
    "config": {
        "whitelist": [
            "192.168.10.50", 
            "192.168.43.0/24"
        ]
    }, 
    "id": "bafcf0ad-31dd-4779-aca9-c2dea8384e29", 
    "enabled": true, 
    "route_id": "42251e97-2921-45ea-bb19-0416019ea67a", 
    "name": "ip-restriction"
}

By the time we reach the command below, even a successful login with jack's account from various browsers on clients running different operating systems returns

{"message":"Your IP address is not allowed"}. This message is exactly the result we expect. Why?

Because I have not yet run the command that associates the logged-in user with the IP whitelist; the effect after association is demonstrated at the very end (all IPs in the whitelist can access the books data API). As long as the whitelist is not associated with a specific user, every user is effectively on a blacklist and nobody can access the books API.

Right now jack is effectively on the blacklist; the uniquely named book service does not allow us to define both an IP whitelist and an IP blacklist for the service.

[[email protected] ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY="
HTTP/1.1 403 Forbidden
Date: Sat, 12 May 2018 13:02:26 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
Vary: Origin
Access-Control-Allow-Origin: http://contoso.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: X-Auth-Token

{"message":"Your IP address is not allowed"}
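To make the decision behind that 403 concrete, here is an added example (not code from the post or from Kong) that reproduces how an ip-restriction whitelist or blacklist is evaluated against a client address, using the two whitelist entries configured above; a whitelist admits only matching addresses, so 192.168.10.50 and the 192.168.43.0/24 block are the addresses that pass, and the host/subnet matching is the same for IPv4 and IPv6 entries.

```python
# Added example: the allow/deny decision an ip-restriction whitelist or
# blacklist makes for one client address (illustration, not Kong's source).
import ipaddress

# Body Kong returns together with HTTP 403 when the address is rejected.
DENIED_MESSAGE = "Your IP address is not allowed"

# Whitelist exactly as configured on the service, route and consumer above.
WHITELIST = ["192.168.10.50", "192.168.43.0/24"]


def _matches(client_ip: str, entries) -> bool:
    """True if client_ip equals an entry or lies inside an entry's CIDR block."""
    addr = ipaddress.ip_address(client_ip)
    for entry in entries:
        # strict=False tolerates host bits in an entry such as 192.168.43.1/24;
        # a bare address like 192.168.10.50 becomes a /32 network.
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def ip_restriction(client_ip: str, whitelist=(), blacklist=()):
    """Return (status, body) for one request.

    A non-empty whitelist admits only addresses that match it; a blacklist
    rejects addresses that match it. Kong refuses a config that sets both,
    so this helper refuses it as well. The address tested is the source
    address of the connection as the gateway sees it, so NAT or a proxy in
    front of Kong changes which address is actually checked.
    """
    if whitelist and blacklist:
        raise ValueError("configure either a whitelist or a blacklist, not both")
    if whitelist and not _matches(client_ip, whitelist):
        return 403, {"message": DENIED_MESSAGE}
    if blacklist and _matches(client_ip, blacklist):
        return 403, {"message": DENIED_MESSAGE}
    return 200, None  # request is passed on to the upstream books API


if __name__ == "__main__":
    # Constructed sample clients: the macOS host, a Windows 10 host in the
    # /24, the gateway's own intranet address and the simulated public IP.
    for ip in ["192.168.10.50", "192.168.43.77", "192.168.10.10", "123.125.115.110"]:
        print(ip, ip_restriction(ip, whitelist=WHITELIST))
```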

The following command produces the effect mentioned above for the very end (all IPs in the whitelist can access the books data API)
Now the whitelist can be associated with the consumer jack using the following command:
{consumer_id} = 61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/plugins \
--data "name=ip-restriction" \
--data "consumer_id=61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd"  \
--data "config.whitelist=192.168.10.50, 192.168.43.0/24"

HTTP/1.1 201 Created
Date: Sat, 12 May 2018 16:07:56 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526141276000, 
    "config": {
        "whitelist": [
            "192.168.10.50", 
            "192.168.43.0/24"
        ]
    }, 
    "id": "fb92b792-d2f2-44be-a8a2-f8d12eed4cb4", 
    "name": "ip-restriction", 
    "enabled": true, 
    "consumer_id": "61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd"
}
I expected the macOS machine to be able to access http://contoso.org:8000/v1/books. It could access it even under the original restriction, and now that macOS is allowed it of course can. What is strange is that Windows 10 is clearly allowed to access http://contoso.org:8000/v1/books

as well, yet it still returns {"message":"Your IP address is not allowed"}. That should not happen. Did I get one of the steps wrong myself, or is there a problem with what the official site published? I have to keep experimenting to see where the problem lies. Everyone is welcome to discuss it with me...
