Dynamic whitelist with htaccess allowing a form to add an IP to the whitelist?


Question

Working on a dev site for a client, we want to deny all access from it, but allow easy whitelisting when out of office for meetings or working from home (dynamic ip).

What we want to happen, is have a form, that writes your IP address to the htaccess file along with a comment above it stating who this is or who authorized it etc.

Without going into a bunch of details, a simple password won't work in our case, having people monitor email accounts for requests, having clients obtain their own IP addresses, things like this just won't fly.

What would be nice, is allowing these added IP addresses in htaccess to expire. So I figure complicated logic like that won't fly in htaccess itself, so it would need to be managed by a 3rd party software, unless anyone has any other ideas?

Recommended answer

I recommend using Apache's RewriteMap directive. Please note that to use the RewriteMap directive you have to place the directive in the httpd.conf and NOT the .htaccess file. You can use it in several simple ways.

The plain text version allows you to have a .txt file that holds the ip addresses. I added a line for a comment. This way doesn't allow auto expiration.

httpd.conf

RewriteEngine on
RewriteMap ipmap txt:/path/to/whitelist.txt

RewriteCond ${ipmap:%{REMOTE_ADDR}} !^allow$ [NC]
RewriteRule .* - [F,L]

whitelist.txt

# Chris London added this 2013/06/14
127.0.0.1 allow
123.45.67.89 allow # Some other comment

Custom Program

With the RewriteMap you can actually have it run an external program but this one comes with some caveats. I personally haven't used this method especially with a PHP script. To make it work with a PHP script, I believe, it has to run indefinitely reading the stdin and writing to the stdout.

RewriteEngine on
RewriteLock /path/to/rewrite.lock
RewriteMap ipmap prg:/path/to/executable.php

RewriteCond ${ipmap:%{REMOTE_ADDR}} !^allow$ [NC]
RewriteRule .* - [F,L]

executable.php

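#!/usr/bin/php
<?php

// httpd starts this program once and keeps it running: it writes one lookup
// key per line to stdin and reads one result line per key from stdout.
$in = fopen('php://stdin', 'r');
$out = fopen('php://stdout', 'w');

while (($ip = fgets($in)) !== false) {
    $ip = trim($ip); // strip the trailing newline before comparing
    // TODO add better logic
    if ($ip === '127.0.0.1') {
        fwrite($out, "allow\n");
    } else {
        fwrite($out, "deny\n");
    }
    fflush($out); // do not buffer the answer, or httpd waits and hangs
}

fclose($in);
fclose($out);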

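  • Keep your rewrite map program as simple as possible. If the program hangs, it will cause httpd to wait indefinitely for a response from the map, which will, in turn, cause httpd to stop responding to requests.
  • Be sure to turn off buffering in your program. Buffered I/O will cause httpd to wait for the output, and so it will hang.
  • Remember that there is only one copy of the program, started at server startup. All requests will need to go through this one bottleneck. This can cause significant slowdowns if many requests must go through this process, or if the script itself is very slow.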

I also haven't used this one yet but it looks pretty neat. mod_dbd will need to be configured to point at the right database for this to work. You have a SQL statement that fetches the IP addresses and you can add a filter for the expiration date.

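    RewriteEngine on
    # Return the address only while its whitelist entry has not expired
    RewriteMap ipmap "dbd:SELECT ipaddress FROM rewrite WHERE expiration > CURRENT_TIMESTAMP AND ipaddress = %s"

    # An empty lookup result means there is no unexpired entry: deny.
    # (A CondPattern is a regex and does not expand %{REMOTE_ADDR}.)
    RewriteCond ${ipmap:%{REMOTE_ADDR}} ^$
    RewriteRule .* - [F,L]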
    

There are a couple of other types out there but these seem to be the best fit for you. Like I said before, I haven't used the Custom Program or the DB Query before so I may have said something wrong. Hopefully another user on here may catch my mistake so these will all work for you.
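The answer notes that the plain-text map has no auto expiration. The following is an added example, not code from the question or the answer: a Python helper that a form handler and a cron job could both call to add an entry to `whitelist.txt` and to prune expired ones. The `expires=<epoch>` marker in the trailing comment, the function names and the default lifetime are assumptions made for this example.

```python
import ipaddress, os, re, tempfile, time

# Assumed line format: "<ip> allow # <who> expires=<epoch seconds>"
EXPIRES = re.compile(r"#.*\bexpires=(\d+)")

def make_entry(ip, who, ttl_seconds, now):
    """Build one map line; raises ValueError unless ip is a single IP address."""
    addr = ipaddress.ip_address(ip.strip())      # rejects "1.2.3.4\n5.6.7.8 allow"
    who = re.sub(r"[^\w .@-]", "", who)[:64]      # no newline, '#' or '=' in the comment
    return f"{addr} allow # {who} expires={int(now + ttl_seconds)}"

def prune(lines, now):
    """Drop entries whose expires= stamp has passed; keep everything else."""
    kept = []
    for line in lines:
        m = EXPIRES.search(line)
        if m and not line.lstrip().startswith("#") and int(m.group(1)) <= now:
            continue
        kept.append(line)
    return kept

def update_whitelist(path, ip=None, who="", ttl_seconds=8 * 3600, now=None):
    """Prune expired entries, optionally add one, and replace the file atomically."""
    now = time.time() if now is None else now
    try:
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:
        lines = []
    lines = prune(lines, now)
    if ip is not None:
        entry = make_entry(ip, who, ttl_seconds, now)
        key = entry.split()[0]
        lines = [l for l in lines if l.split()[:1] != [key]]  # one line per address
        lines.append(entry)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o644)        # mkstemp creates the file 0600; httpd must read it
    os.replace(tmp, path)       # httpd never sees a half-written map
    return lines
```

httpd re-reads a `txt:` map when the file's mtime changes, so neither adding nor pruning needs a restart. Lines without an `expires=` marker, such as the permanent entries shown in the answer, are left untouched.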
