ZF3在将可信代理添加到会话验证器时出现问题

时间:2019-03-29 11:25:14

标签: zend-framework3

我正在MS Azure上托管一个Zend Framework 3网站。会话验证存在问题,因为Azure的应用程序网关充当反向代理,远程地址验证器不喜欢该代理,因此不会读取会话。

我从远程地址的类参考中看到有一种方法setTrustedProxies() 根据文档,我可以将IP地址数组传递给它。但是,我对如何执行此操作实际上并不了解。

我正在global.php中配置session_manager

'session_manager' => [
        // Session validators (used for security).
        'validators' => [
            RemoteAddr::class,
            HttpUserAgent::class,
        ],

    ],

然后,在Module.php中,我使用实例化会话管理器

$sessionManager = $serviceManager->get(SessionManager::class);

然后我尝试使用带有伪造IP的以下内容添加可信代理

$sessionManager = $serviceManager->get(SessionManager::class);
$request        = $serviceManager->get('Request');
$remAdd = $request->getServer()->get('REMOTE_ADDR');
$remoteAddr = new RemoteAdddress($remAdd);
$remoteAddr->setTrustedProxies(['192.98.98.11', '187.2.2.10']);
$remoteAddr->setProxyHeader('X-Forwarded-For');
$remoteAddr->setUseProxy($useProxy = true);
$chain   = $sessionManager->getValidatorChain();
$chain->attach('session.validate', array($remoteAddr, 'isValid'));

我几乎可以肯定这不是正确的方法,但是我找不到有关设置受信任代理的任何在线文档。

如果我这样做

$chain   = $sessionManager->getValidatorChain();
print_r($chain);

添加代理后,我在输出中看不到代理的任何引用

Zend\Session\ValidatorChain Object
(
    [events:protected] => Array
        (
            [session.validate] => Array
                (
                    [1] => Array
                        (
                            [0] => Array
                                (
                                    [0] => Array
                                        (
                                            [0] => Zend\Session\Validator\RemoteAddr Object
                                                (
                                                    [data:protected] => 127.0.0.1
                                                )

                                            [1] => isValid
                                        )

                                )

                        )

                )

        )

    [eventPrototype:protected] => Zend\EventManager\Event Object
        (
            [name:protected] => 
            [target:protected] => 
            [params:protected] => Array
                (
                )

            [stopPropagation:protected] => 
        )

    [identifiers:protected] => Array
        (
        )

    [sharedManager:protected] => 
    [storage:protected] => Zend\Session\Storage\SessionArrayStorage Object
        (
        )

)

正如我所说,我很确定我将以错误的方式进行操作,因此非常感谢您找到正确方法的帮助。

1 个答案:

答案 0 :(得分:2)

我偶然发现了完全相同的问题,仅在我使用CF的情况下。

您的方法是错误的,因为您使用的是Zend \ Http \ PhpEnvironment \ RemoteAddress,而不是替换已加载的验证器Zend \ Session \ Validator \ RemoteAddr。

Zend \ Session \ Validator \ RemoteAddr在内部使用Zend \ Http \ PhpEnvironment \ RemoteAddress,因此您不应使用Zend \ Http \ PhpEnvironment \ RemoteAddress:https://github.com/zendframework/zend-session/blob/master/src/Validator/RemoteAddr.php

这是经过测试的工作代码:

public function onBootstrap(MvcEvent $event)
{
    $application = $event->getApplication();
    $serviceManager = $application->getServiceManager();

    // The following line instantiates the SessionManager and automatically
    // makes the SessionManager the 'default' one to avoid passing the 
    // session manager as a dependency to other models.
    $sessionManager = $serviceManager->get(SessionManager::class);

    $remoteAddr = new \Zend\Session\Validator\RemoteAddr();
    //$remoteAddr->setTrustedProxies([]);
    $remoteAddr->setProxyHeader('CF-Connecting-IP');
    $remoteAddr->setUseProxy(true);


        $current_chain = $sessionManager->getValidatorChain(\Zend\Session\Validator\RemoteAddr::class);

        $current_chain->attach(
                'session.validate',
               [ new \Zend\Session\Validator\HttpUserAgent(), 'isValid' ]
        );

        $current_chain->attach(
                'session.validate',
                [ $remoteAddr, 'isValid' ] 
            );

        $sessionManager->start();

        Container::setDefaultManager($sessionManager);
    }

结果:

Zend\Session\ValidatorChain Object
(
    [events:protected] => Array
        (
            [session.validate] => Array
                (
                    [1] => Array
                        (
                            [0] => Array
                                (
                                    [0] => Array
                                        (
                                            [0] => Zend\Session\Validator\HttpUserAgent Object
                                                (
                                                    [data:protected] => Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
                                                )

                                            [1] => isValid
                                        )

                                    [1] => Array
                                        (
                                            [0] => Zend\Session\Validator\RemoteAddr Object
                                                (
                                                    [data:protected] => MY_REAL_IP
                                                )

                                            [1] => isValid
                                        )
                                )
                        )
                )
        )
)

我还在https://github.com/zendframework/zend-session/blob/master/src/Validator/RemoteAddr.php函数内添加了 print_r($ remoteAddress); 并使用TrustedProxies进行测试:

/**
 * Returns client IP address.
 *
 * @return string IP address.
 */
protected function getIpAddress()
{
    $remoteAddress = new RemoteAddress();
    $remoteAddress->setUseProxy(static::$useProxy);
    $remoteAddress->setTrustedProxies(static::$trustedProxies);
    $remoteAddress->setProxyHeader(static::$proxyHeader);

    print_r($remoteAddress);

    return $remoteAddress->getIpAddress();
}

结果:

Zend\Http\PhpEnvironment\RemoteAddress Object
(
    [useProxy:protected] => 1
    [trustedProxies:protected] => Array
        (
            [0] => 192.98.98.11
            [1] => 187.2.2.10
        )

    [proxyHeader:protected] => HTTP_CF_CONNECTING_IP
)

结论是setTrustedProxies正在工作,您只是看不到它,因为https://github.com/zendframework/zend-session/blob/master/src/Validator/RemoteAddr.php不会将其返回以使其可见,因为它只是将其传递给Zend \ Http \ PhpEnvironment \ RemoteAddress。

您当然可以完全像您的代码一样覆盖“默认” SessionManager:

$sessionConfig = new SessionConfig();
$sessionConfig->setOptions($config);
$sessionManager = new SessionManager($sessionConfig);

但这只是可选的。