Restricting website access by country


Question


I am hosting my website using AWS.

The website is on 2 ec2 instances, with a load balancer (ELB) balancing traffic between them.

Currently, I am using my DNS (Route 53) to restrict the access to the website by using Route 53's geolocation routing: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-geo

(The geolocation restriction is just to limit the initial release of my website. It is not for security reasons. Meaning the restriction just needs to work for the general public)

This worries me a little because my load balancer is still exposed to access from everywhere. So I am concerned that my load balancer will get indexed by Google or something and then people outside of my region will be able to access the site.

Are there any fixes for this? Am I restricting access by location the wrong way? Is there a way perhaps to specify in the ELB's security group that it only receives inbound traffic from my DNS (of course then I would also have to specify that inbound traffic from edge locations be allowed as well for my static content, but this is not a problem)?

Note: There is an option when selecting inbound rules for a security group, under "type" to select "DNS(UDP)" or "DNS(TCP)". I tried adding two rules for both DNS types (and IP Address="anywhere") for my ELB but this did not limit access to the ELB to be solely through my DNS.

Thank you.

Solution

The simple solution, here, is found in CloudFront. Two solutions, actually:

CloudFront can use its GeoIP database to do the blocking for you...

When a user requests your content, CloudFront typically serves the requested content regardless of where the user is located. If you need to prevent users in specific countries from accessing your content, you can use the CloudFront geo restriction feature [...]

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html

You can configure CloudFront with which countries are allowed, or which are denied. You can also configure static pages, stored in S3, which are displayed to denied users. (You can also configure static custom error pages for other CloudFront errors that might occur, and store those pages in S3 as well, where CloudFront will fetch them if it ever needs them).

...or...

CloudFront can pass the location information back to your server using the CloudFront-Viewer-Country: header, and your application code, based on the contents accompanying that header, can do the blocking. The incoming request looks something like this (some headers munged or removed for clarity):

GET / HTTP/1.1
Host: example.com
X-Amz-Cf-Id: 3fkkTxKhNxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
Via: 1.1 cb76b079000000000000000000000000.cloudfront.net (CloudFront)
CloudFront-Viewer-Country: US
CloudFront-Forwarded-Proto: https
Accept-Encoding: gzip

CloudFront caches the responses against the combination of the requested page and the viewer's country, and any other whitelisted headers, so it will correctly cache your denied responses as well as your allowed responses, independently.

Here's more about how you enable the CloudFront-Viewer-Country: header:

If you want CloudFront to cache different versions of your objects based on the country that the request came from, configure CloudFront to forward the CloudFront-Viewer-Country header to your origin. CloudFront automatically converts the IP address that the request came from into a two-letter country code.

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-location

Or, of course, you can enable both features, letting CloudFront do the blocking, while still giving your app a heads-up on the country codes for the locations that were allowed through.


But how do you solve the issue with the fact that your load balancer is still open to the world?

CloudFront has recently solved this one, too, with Custom Origin Headers. These are secret custom headers sent to your origin server, by CloudFront, with each request.

You can identify the requests that are forwarded to your custom origin by CloudFront. This is useful if you want to know whether users are bypassing CloudFront [...]

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/forward-custom-headers.html

So, let's say you added a custom header to CloudFront:

X-Yes-This-Request-Is-Legit: TE9MIHdoYXQgd2VyZSB5b3UgZXhwZWN0aW5nIHRvIHNlZT8=

What's all that line noise? Nothing, really, just a made up secret value that only your server and CloudFront know about. Configure your web server so that if this header and value are not present in the incoming request, then access is denied -- this is a request that didn't pass through CloudFront.

Don't use the above secret, of course... make up your own. It's entirely arbitrary.


Caveat applicable to any GeoIP-restricting strategy: it isn't perfect. CloudFront claims 99.8% accuracy.
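The two server-side checks the answer describes (reject any request that lacks the secret custom origin header, then allow or deny by the CloudFront-Viewer-Country value) fit naturally into one small origin-side gate. The following is an added example, not code from the answer or from AWS: it assumes a Python WSGI application behind the ELB, reuses the header name from the answer with a constructed placeholder secret, and uses a constructed allowlist of country codes. The order of the checks matters: a client that reaches the ELB directly could set CloudFront-Viewer-Country to anything, so the country header is only worth reading after the origin-secret check has passed, and the secret is compared in constant time.

```python
import hmac
from typing import Mapping, Tuple

# Constructed values for this example. Make up your own secret (as the answer
# says) and configure the same header name and value as a CloudFront custom
# origin header on the distribution; load it from configuration in real use.
ORIGIN_SECRET_HEADER = "X-Yes-This-Request-Is-Legit"
DEMO_ORIGIN_SECRET = "example-secret-do-not-use"

# Constructed allowlist of the two-letter codes CloudFront puts in
# CloudFront-Viewer-Country (assumed: the site is launching in US and CA only).
DEMO_ALLOWED_COUNTRIES = frozenset({"US", "CA"})

# Constructed request modelled on the one shown in the answer, with the custom
# origin header added as CloudFront would add it.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Via: 1.1 cb76b079000000000000000000000000.cloudfront.net (CloudFront)\r\n"
    "CloudFront-Viewer-Country: US\r\n"
    "CloudFront-Forwarded-Proto: https\r\n"
    f"{ORIGIN_SECRET_HEADER}: {DEMO_ORIGIN_SECRET}\r\n"
    "Accept-Encoding: gzip\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_request(
    headers: Mapping[str, str],
    allowed=DEMO_ALLOWED_COUNTRIES,
    secret: str = DEMO_ORIGIN_SECRET,
) -> Tuple[int, str]:
    """Return (status, reason). 200 only if the request came via CloudFront
    AND the viewer's country is on the allowlist."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    presented = h.get(ORIGIN_SECRET_HEADER.lower(), "")
    # Constant-time comparison so response timing does not leak the secret.
    if not hmac.compare_digest(presented.encode("utf-8"), secret.encode("utf-8")):
        return 403, "request did not come through CloudFront"
    # Only now is the country header trustworthy: CloudFront set it, not the client.
    country = h.get("cloudfront-viewer-country", "").upper()
    if country not in allowed:
        return 403, f"country {country or 'unknown'} not allowed"
    return 200, "ok"


def geo_gate(app):
    """WSGI middleware: wrap any WSGI app so that gated requests get a 403."""
    def wrapped(environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME> with '-' turned into '_'.
        headers = {
            k[5:].replace("_", "-"): v
            for k, v in environ.items()
            if k.startswith("HTTP_")
        }
        status, reason = check_request(headers)
        if status != 200:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [reason.encode("utf-8")]
        return app(environ, start_response)
    return wrapped


if __name__ == "__main__":
    # Direct use on the constructed request: expected (200, 'ok').
    print(check_request(parse_headers(SAMPLE_REQUEST)))
```

The denied response is served by the origin, so with CloudFront-Viewer-Country whitelisted for caching (as the answer describes) CloudFront will cache the 403 for a denied country separately from the allowed page. A request that hits the ELB directly never gets past the first check, regardless of what country header it carries.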
