Apache ProxyPass仅允许来自Pingdom IPv4地址

时间:2019-02-05 16:05:42

标签: apache proxypass pingdom

我有一个带有ProxyPass / ProxyPassReverse的apache2 vHost配置,需要限制对某些静态IP地址和所有Pingdom IP地址的访问。

Pingdom IP地址列表是每行一个IP地址的文件列表:

5.172.196.188
5.178.78.77
13.232.220.164
23.22.2.46
23.83.129.219
23.111.152.74
.
.
.

完整的IP地址列表可在https://my.pingdom.com/probes/ipv4上找到。

我已经下载了Pingdom IP地址列表,因为我没有找到直接从其网站读取列表的任何解决方案。

只要我没有配置Allow from env=PINGDOM,Allow / Deny就会按预期工作。添加上述配置行后,所有客户端IP地址都可以访问该站点。

<VirtualHost *:443>
        ServerAdmin contact@example.com
        ServerName site.example.com

        RewriteEngine on
        RewriteMap allowed "txt:/var/www/pingdom_ip_addresses"
        UnsetEnv PINGDOM
        RewriteCond ${allowed:%{REMOTE_ADDR}} ""
        RewriteRule ^ - [E=PINGDOM]

    <Proxy *>
        Order Deny,Allow
        Deny from all
        # Static IPs
        Allow from 1.2.3.10/32
        Allow from 1.2.3.20/32
        # Pingdom
        Allow from env=PINGDOM
    </Proxy>

        ProxyRequests           Off
        ProxyPreserveHost       On
        ProxyPass               / http://localhost:8080/example-site/
        ProxyPassReverse        / http://localhost:8080/example-site/

        SSLEngine ON
        SSLCertificateFile /etc/letsencrypt/live/site.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/site.example.com/privkey.pem
</VirtualHost>

在这里找到了类似的解决方案:https://stackoverflow.com/a/53012839

但是,在IP地址列表文件中,每个IP地址旁边确实有一个1。 Pingdom列表没有这个。

我的规则如何看起来像预期的那样工作?

1 个答案:

答案 0 :(得分:0)

我找到了可行的解决方案。

我已经配置了以下cronjob来每小时获取当前的Pingdom探针IPv4列表:

PATH=/usr/local/bin:/usr/bin:/bin

0 * * * * www-data wget -t 1 -T 1 https://my.pingdom.com/probes/ipv4 -q -O - | sed -e 's/$/ 1/' > /var/www/pingdom_ip_addresses

Apache vHost配置现在看起来像这样:

<VirtualHost *:443>
        ServerAdmin contact@example.com
        ServerName site.example.com

        RewriteEngine on
        UnsetEnv PINGDOM
        RewriteMap allowed "txt:/var/www/pingdom_ip_addresses"
        RewriteCond ${allowed:%{REMOTE_ADDR}} 1
        RewriteRule ^ - [E=PINGDOM]

        <Proxy *>
                Order Deny,Allow
                Deny from all
                # Static IPs
                Allow from 1.2.3.10/32
                Allow from 1.2.3.20/32
                # Pingdom
                Allow from env=PINGDOM
        </Proxy>

        ProxyRequests           Off
        ProxyPreserveHost       On
        ProxyPass               / http://localhost:8080/example-site/
        ProxyPassReverse        / http://localhost:8080/example-site/

        SSLEngine ON
        SSLCertificateFile /etc/letsencrypt/live/site.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/site.example.com/privkey.pem
</VirtualHost>
相关问题
最新问题