反向代理（或应用程序网关）ip地址信任 [英] reverse proxy (or application gateway) ip address to trust

问题描述

对于我主持的PHP Web应用程序，我需要设置"可信代理"，因此底层框架（Drupal 8，Symfony）将使用原始客户端的IP地址作为HTTP请求的发送方IP地址。

For a PHP web app I host I need to set a "trusted proxy", so the underlying framework (Drupal 8, Symfony) will use the originating client's IP address as the sender IP address for the HTTP request.

有关详细信息，请参阅https：//symfony.com/doc/4.1/deployment/proxies.html 

See https://symfony.com/doc/4.1/deployment/proxies.html for more info.

使用App Service ，我的应用程序服务是由Azure创建的一些代理，它是我不可知的。目前，它的IP地址是172.19.0.1，托管应用程序的机器的IP地址是172.19.0.2。

With App Service, my app service is fronted by some proxy created by Azure which I'm agnostic of. At the moment, it's IP address is 172.19.0.1 and the IP address of the machine hosting the app is 172.19.0.2.

现在我可以（现在很容易）硬编码这个IP成为值得信赖的代理。但我宁愿从环境中获取代理服务器的IP地址。万一它将来会发生变化。任何人都可以告诉我这是否可能并且支持吗？

Now I could (and currently am) easily hard code this IP to be a trusted proxy. But I'd rather get the proxy server's IP address from the environment. In case it changes in the future. Can anyone tell me if this is possible and supported?

推荐答案

假设您的应用服务没有其他Azure产品（流量管理器，网关等）每个应用服务都有两种类型的IP地址（入站和出站）。可以在应用的属性边栏下查看这些IP地址。

Assuming you have your app service with no other Azure products (Traffic manager, Gateway, etc.) each app service has two types of IP addresses (inbound and outbound). These IP addresses can be viewed under the properties blade of your app.

传入的流量应该流经入站IP地址（在"出站IP"下列出的第一个IP地址，或者在VIP下列出的IP地址）您设置基于IP的SSL绑定）。唯一的静态入站IP地址是VIP（基于IP的SSL证书），否则入站
IP地址不被视为静态。

Incoming traffic should flow through the inbound IP address (the first IP address listed under 'outbound IPs' or listed under VIP if you set a IP based SSL binding). The only static inbound IP address is the VIP (IP based SSL cert) otherwise the inbound IP address is not considered static.

关于出站IP地址，流量可以将您的应用留在这些地址数组中。虽然我们通常不会因为中断的程度而删除IP地址，但Microsoft确实保留根据需要添加/删除出站IP
的权利。因此，我们并未正式将出站IP视为静态IP。更大的问题不是IP将被删除，但我们通常会在App Services增长时添加更多IP。

In regards to the outbound IP addresses, traffic can leave your app across these array of addresses. While we typically do not remove IP addresses due to the level of disruption it would cause, Microsoft does reserve the right to add/remove outbound IPs as necessary. As a result, we do not officially consider outbound IPs to be static. The bigger concern is not that an IP will be removed but we do typically add more IPs as App Services grows.

我希望这可以清楚地说明您的应用服务使用的IP地址以及是否或不是它们被认为是静态的。

I hope this provides some clarity on the IP addresses your app service uses and whether or not they are considered static.

这篇关于反向代理（或应用程序网关）ip地址信任的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！