APNS 服务器的 IP 地址范围? [英] IP Address ranges for APNS servers?
问题描述
是否有人拥有 Apple Push Notification Service 使用的所有 IP 地址的完整列表?
Does anyone have a complete list of all IP addresses used by the Apple Push Notification Service?
我知道 Apple 使用内容交付网络来分发这些请求,DNS 查找将返回请求者所在位置附近的服务器 - 我遇到的问题是定位所有这些处理美国内容的服务器.
I know that Apple uses a content delivery network to spread out these requests, and DNS lookups will return servers close to the requestor's location - the problem I have is in locating all of these servers that handle content for the United States.
例如:
$ nslookup gateway.push.apple.com
Non-authoritative answer:
canonical name = gateway.push-apple.com.akadns.net.
Address: 17.172.238.216
Address: 17.172.238.224
Address: 17.172.238.226
等
每次查询 DNS 时此列表都会更改 - 但所有地址似乎都在相同的 17.172.238.x 范围内 - 但不能保证明天或下周我会看到不同的范围.
This list changes every time I query DNS - but all of the addresses seem to be in the same 17.172.238.x range - but there's no guarantee that tomorrow or next week I'll see a different range.
然而,对于测试推送服务器,我已经在不同的子网中获得了结果.有时我会得到一组地址:
For the test push server, however, I already get results in different subnets. Sometimes I get one set of addresses:
$ nslookup gateway.sandbox.push.apple.com
Non-authoritative answer:
canonical name = gateway.sandbox.push-apple.com.akadns.net.
Address: 17.149.34.66
Address: 17.149.34.65
其他时候,我会得到这些地址:
and other times, I'll get these addresses:
Address: 17.172.233.65
Address: 17.172.233.66
我将使用 Apple 推送通知服务的服务器位于公司防火墙之后,我需要为生产和测试网关打开端口 2195 和 2196 -- 但是,我的防火墙团队需要特定的 IP 地址主机名.
My server that will use the Apple Push Notification Service will be behind a corporate firewall, and I'll need to open up ports 2195 and 2196 for the production and test gateways -- however, my firewall team requires specific IP Addresses instead of host names.
我担心,如果我只是要求防火墙团队允许我目前看到的 IP 地址,那么我的服务器将在一天或一周后停止工作,当 DNS 服务器决定提供一个不同的范围.
I'm worried that if I just ask the firewall team to allow the IP Addresses I've seen so far, then my server will simply stop working a day or a week from now when the DNS server decides to serve up a different range.
如果有人有生产和测试环境的完整列表,我将不胜感激.
If anyone has a comprehensive list for both the production and test environments, I'd appreciate it.
更新:我已经尝试要求防火墙团队打开 Apple 的整个 IP 块 (17.0.0.0/8),但他们不会为我这样做——我需要缩小范围地址有点.
Update: I've tried asking the firewall team to open Apple's entire IP block (17.0.0.0/8), but they won't do that for me -- I need to narrow down the addresses a little bit.
最终更新 - 2016 年 10 月 16 日
即使这个问题已经结束,我还是想添加一个注释来解释我的最终解决方案 - 这不是任何寻求答案的人都想听到的.我永远无法超越 CDN 使用的不断变化的地址,所以我最终放弃并从 Rackspace 租用了外部服务器.我得到了尽可能小的服务器,唯一在它上面运行的是一个端口转发器,它侦听 2195 和 2916 并将连接发送到 Apple.
Even though this question is closed, I thought I'd add a note explaining my final solution - and it is not what anyone looking for an answer wants to hear. I could never get ahead of the constantly changing addresses used by the CDN, so I finally gave up and leased an external server from Rackspace. I got the smallest server possible, and the only thing running on it is a port-forwarder that listens on 2195 and 2916 and sends the connections to Apple.
我在 Rackspace 服务器上使用了一个简单的 iptables 配置,只允许从我的公司网关在 2195/2916 上进行连接,然后让我的防火墙团队打开一条通往外部服务器上静态 IP 地址的路径.防火墙团队很高兴,实现了单一路径,外部服务器可以连接到 Apple 使用的整个 17.0.0.0/8 范围.
I used a simple iptables configuration on the Rackspace server to only allow connections on 2195/2916 from my corporate gateway, and then had my firewall team open a path to the static IP address on the external server. The firewall team is happy, with implementing a single path, and the external server can connect to the entire 17.0.0.0/8 range used by Apple.
推荐答案
来自 Apple 的文档(强调添加的有趣部分):
From Apple's documentation (emphasis on the interesting bit added):
推送提供商、iOS 设备和 Mac 计算机通常位于防火墙之后.要发送通知,您需要打开 TCP 端口 2195.要访问反馈服务,您需要打开 TCP 端口 2196.通过 Wi-Fi 连接到推送服务的设备和计算机需要打开 TCP 端口 5223.
Push providers, iOS devices, and Mac computers are often behind firewalls. To send notifications, you will need to have TCP port 2195 open. To reach the feedback service, you will need to have TCP port 2196 open. Devices and computers connecting to the push service over Wi-Fi will need to have TCP port 5223 open.
推送服务的IP地址范围可能会发生变化;期望提供商将通过主机名而不是 IP 地址进行连接.推送服务使用负载平衡方案,为相同的主机名生成不同的 IP 地址.但是,整个 17.0.0.0/8 地址块都分配给 Apple,因此您可以在防火墙规则中指定该范围.
The IP address range for the push service is subject to change; the expectation is that providers will connect by hostname rather than IP address. The push service uses a load balancing scheme that yields a different IP address for the same hostname. However, the entire 17.0.0.0/8 address block is assigned to Apple, so you can specify that range in your firewall rules.
17.0.0.0/8 是 17.0.0.1 到 17.255.255.254 的 CIDR 表示法.
17.0.0.0/8 is CIDR notation for 17.0.0.1 to 17.255.255.254.
这篇关于APNS 服务器的 IP 地址范围?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
