依靠"X-Forwarded-For"安全吗?在使用Cloudflare时通过Apache中的IP限制访问? [英] Is it secure to rely on "X-Forwarded-For" to restrict access by IP in Apache while using Cloudflare?
问题描述
我使用.htaccess文件将目录访问限制为某些IP地址,如下所示:
I'm restricting access to a directory to certain IP addresses using a .htaccess file like this:
AuthType Basic
AuthName "Protected"
<RequireAny>
Require ip 1.2.3.4
</RequireAny>
在正常的服务器设置中可以正常工作,但是当将Cloudflare用作WAF代理时,由于服务器接收到通过Cloudflare的IP代理的所有请求,因此它将停止工作.
That works fine in a normal server setup, however when using Cloudflare as a WAF proxy, it stops working since the server receives all requests proxied through Cloudflare's IP.
作为一种解决方法,可以使用"X-Forwarded-For"标头来标识客户端的真实" IP地址,因为Cloudflare会将其所有请求都传递给该地址:
As a workaround, it's possible to use the "X-Forwarded-For" header to identify the client's "real" IP address, since Cloudflare passes this with all its requests:
AuthType Basic
AuthName "Protected"
SetEnvIf X-Forwarded-For 1.2.3.4$ allowed
<RequireAny>
Require env allowed
</RequireAny>
使用Cloudflare时,这是一种安全的方法还是一种更好/更安全的方法来限制Apache中客户端IP的访问?
Is this a safe approach or is there a better/more secure way to limit access by client IP in Apache when Cloudflare is being used?
推荐答案
根据 IETF RFC 2616,第4.2节中,标头可以包含用逗号分隔的值列表,而X-Forwarded-For就是
According to the IETF RFC 2616, Section 4.2, a header can hold a comma separated list of values, and this is the case of X-Forwarded-For as Cloudflare uses it.
如果请求中已经存在X-Forwarded-For标头 Cloudflare,Cloudflare将HTTP代理的IP地址附加到 标头:
If an X-Forwarded-For header was already present in the request to Cloudflare, Cloudflare appends the IP address of the HTTP proxy to the header:
Example: X-Forwarded-For: 203.0.113.1,198.51.100.101,198.51.100.102
在上面的示例中,203.0.113.1是原始访问者IP地址, 198.51.100.101和198.51.100.102是通过X-Forwarded-For标头提供给Cloudflare的代理服务器IP地址.
In the examples above, 203.0.113.1 is the original visitor IP address and 198.51.100.101 and 198.51.100.102 are proxy server IP addresses provided to Cloudflare via the X-Forwarded-For header.
习惯上将最左边的IP用作真实IP,但这并非总是如此.
It is customary to take the leftmost IP as the real one, but this isn't always the case.
如果您采用这种方式,则应检查与您的IP匹配的正则表达式
If you go this way, you should check for a regex that matches your IP as
SetEnvIf X-Forwarded-For ^1\.2\.3\.4 allowed
(最左侧的IP,转义点)
(leftmost IP, escaping the dots)
Cloudflare还会发送标头cf-connecting-ip(这是在发送到您的计算机之前击中cloudflare的最后一个IP),我宁愿使用该标头.
Cloudflare also sends the header cf-connecting-ip (which is meant to be the last IP to hit cloudflare before being sent to your machine) and I'd rather use that one.
这是一种安全的方法还是有更好/更安全的方法来限制 使用Cloudflare时通过Apache中的客户端IP进行访问?
Is this a safe approach or is there a better/more secure way to limit access by client IP in Apache when Cloudflare is being used?
有一个陷阱.在这种情况下,您要告诉Apache:
There's a catch. In this scenario, you're telling Apache:
我们中间有cloudflare,所以我们不使用您本机的方式告诉访问者的IP,而是让我们看看此自定义标头".
该自定义标头可以伪造.绝对地.因此,您还应该说:
That custom header can be forged. Absolutely. Therefore, you should also say:
如果只有该请求来自Cloudflare IP,则此自定义标头应被视为可靠".
最后,您应该使用 mod_remoteip 而不是手动构建SetEnvIf规则.
Finally, you should use mod_remoteip instead of manually building a SetEnvIf rule.
基本上:
# /etc/apache2/conf-enabled/remoteip.conf
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
...
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
或者,将IP列表放在单独的文件中:
Alternatively, put the IP list in a separate file:
# /etc/apache2/conf-enabled/remoteip.conf
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxyList conf/trusted-proxies.lst
和
# conf/trusted-proxies.lst
173.245.48.0/20
103.21.244.0/22
...
...
2803:f800::/32
2606:4700::/32
如果请求中没有该标头,则Apache回退到REMOTE_ADDR.来自不受信任的IP的请求也是如此.如果标头存在并且来自Cloudflare,则只需执行以下操作即可:
If said header doesn't come in the request, Apache falls back ro REMOTE_ADDR. Same goes for requests coming from untrusted IPs. If the header is present and comes from Cloudflare, you can simply do:
Require ip 1.2.3.4
此方法可以在需要使用IP的任何地方(日志,身份验证等)替换IP,并在边缘情况下可以轻松地退回到原始的REMOTE_ADDR.
This approach replaces the IP wherever you need to use it (logs, auth, etc) and gracefully falls back to original REMOTE_ADDR in edge cases.
这篇关于依靠"X-Forwarded-For"安全吗?在使用Cloudflare时通过Apache中的IP限制访问?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
