Restricting website access by country


Problem description

I am hosting my website using AWS.

The website is on 2 ec2 instances, with a load balancer (ELB) balancing traffic between them.

Currently, I am using my DNS (Route 53) to restrict the access to the website by using Route 53's geolocation routing: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-geo

(The geolocation restriction is just to limit the initial release of my website. It is not for security reasons. Meaning the restriction just needs to work for the general public)

This worries me a little because my load balancer is still exposed to access from everywhere. So I am concerned that my load balancer will get indexed by google or something and then people outside of my region will be able to access the site.

Are there any fixes for this? Am I restricting access by location the wrong way? Is there a way perhaps to specify in the ELB's security group that it only receive inbound traffic from my DNS (of course then I would also have to specify that inbound traffic from edge locations be allowed as well for my static content but this is not a problem)?

Note: There is an option when selecting inbound rules for a security group, under "type" to select "DNS(UDP)" or "DNS(TCP)". I tried adding two rules for both DNS types (and IP Address="anywhere") for my ELB but this did not limit access to the ELB to be solely through my DNS.

Thanks.

Recommended answer

The simple solution, here, is found in CloudFront. Two solutions, actually:

CloudFront can use its GeoIP database to do the blocking for you...

When a user requests your content, CloudFront typically serves the requested content regardless of where the user is located. If you need to prevent users in specific countries from accessing your content, you can use the CloudFront geo restriction feature[...]

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html

You can configure CloudFront with which countries are allowed, or which are denied. You can also configure static pages, stored in S3, which are displayed to denied users. (You can also configure static custom error pages for other CloudFront errors that might occur, and store those pages in S3 as well, where CloudFront will fetch them if it ever needs them).

...or...

CloudFront can pass the location information back to your server using the CloudFront-Viewer-Country: header, and your application code, based on the contents accompanying that header, can do the blocking. The incoming request looks something like this (some headers munged or removed for clarity):

GET / HTTP/1.1
Host: example.com
X-Amz-Cf-Id: 3fkkTxKhNxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
Via: 1.1 cb76b079000000000000000000000000.cloudfront.net (CloudFront)
CloudFront-Viewer-Country: US
CloudFront-Forwarded-Proto: https
Accept-Encoding: gzip

CloudFront caches the responses against the combination of the requested page and the viewer's country, and any other whitelisted headers, so it will correctly cache your denied responses as well as your allowed responses, independently.

Here's more about how you enable the CloudFront-Viewer-Country: header:

If you want CloudFront to cache different versions of your objects based on the country that the request came from, configure CloudFront to forward the CloudFront-Viewer-Country header to your origin. CloudFront automatically converts the IP address that the request came from into a two-letter country code.

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-location

Or, of course, you can enable both features, letting CloudFront do the blocking, while still giving your app a heads-up on the country codes for the locations that were allowed through.

But how do you solve the issue with the fact that your load balancer is still open to the world?

CloudFront has recently solved this one, too, with Custom Origin Headers. These are secret custom headers sent to your origin server, by CloudFront, with each request.

You can identify the requests that are forwarded to your custom origin by CloudFront. This is useful if you want to know whether users are bypassing CloudFront[...]

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/forward-custom-headers.html

So, let's say you added a custom header to CloudFront:

X-Yes-This-Request-Is-Legit: TE9MIHdoYXQgd2VyZSB5b3UgZXhwZWN0aW5nIHRvIHNlZT8=

What's all that line noise? Nothing, really, just a made up secret value that only your server and CloudFront know about. Configure your web server so that if this header and value are not present in the incoming request, then access is denied -- this is a request that didn't pass through CloudFront.

Don't use the above secret, of course... make up your own. It's entirely arbitrary.

Caveat applicable to any GeoIP-restricting strategy: it isn't perfect. CloudFront claims 99.8% accuracy.
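A minimal origin-side check that combines the two mechanisms from the answer (the Custom Origin Header secret and the CloudFront-Viewer-Country code), written as an added example rather than code from the answer or from AWS; the header name is the one used above, while the secret value and the allowed-country list are constructed placeholders.

```python
import hmac
from typing import Mapping, Tuple

# Custom Origin Header that CloudFront is configured to add to every request it
# forwards. The name is the one used in the answer; the value is a constructed
# placeholder: generate your own random secret and keep it in configuration.
ORIGIN_SECRET_HEADER = "X-Yes-This-Request-Is-Legit"
ORIGIN_SECRET_VALUE = "REPLACE-WITH-YOUR-OWN-RANDOM-SECRET"

# Constructed allowlist of two-letter codes, as CloudFront-Viewer-Country delivers them.
ALLOWED_COUNTRIES = frozenset({"US", "CA"})


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return ""


def check_request(headers: Mapping[str, str]) -> Tuple[int, str]:
    """Decide (HTTP status, reason) for a request as seen by the origin.

    The secret is checked first: a client that reaches the ELB directly could
    set CloudFront-Viewer-Country itself, so the country is only trusted once
    the request is known to have come through CloudFront.
    """
    presented = _header(headers, ORIGIN_SECRET_HEADER)
    # Constant-time comparison so response timing does not leak the secret.
    if not hmac.compare_digest(presented.encode(), ORIGIN_SECRET_VALUE.encode()):
        return 403, "request did not arrive via CloudFront"
    country = _header(headers, "CloudFront-Viewer-Country").upper()
    if country not in ALLOWED_COUNTRIES:
        return 403, f"country {country or 'unknown'} is not in the allowlist"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests, modelled on the request shown in the answer.
    samples = {
        "via CloudFront, US viewer": {"CloudFront-Viewer-Country": "US",
                                      ORIGIN_SECRET_HEADER: ORIGIN_SECRET_VALUE},
        "via CloudFront, DE viewer": {"cloudfront-viewer-country": "DE",
                                      ORIGIN_SECRET_HEADER: ORIGIN_SECRET_VALUE},
        "direct to ELB, header forged": {"CloudFront-Viewer-Country": "US"},
    }
    for label, hdrs in samples.items():
        print(f"{label}: {check_request(hdrs)}")
```

Hook check_request into whatever request handler runs at the origin and return the 403 body of your choice; the allowed and denied responses are then cached per country by CloudFront as the answer describes, provided the country header is whitelisted for forwarding.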
