我正在MS Azure上托管一个Zend Framework 3网站。会话验证存在问题,因为Azure的应用程序网关充当反向代理,远程地址验证器不喜欢该代理,因此不会读取会话。
我从远程地址的类参考中看到有一种方法setTrustedProxies()
根据文档,我可以将IP地址数组传递给它。但是,我对如何执行此操作实际上并不了解。
我正在global.php中配置session_manager
'session_manager' => [
// Session validators (used for security).
'validators' => [
RemoteAddr::class,
HttpUserAgent::class,
],
],
然后,在Module.php中,我使用实例化会话管理器
$sessionManager = $serviceManager->get(SessionManager::class);
然后我尝试使用带有伪造IP的以下内容添加可信代理
$sessionManager = $serviceManager->get(SessionManager::class);
$request = $serviceManager->get('Request');
$remAdd = $request->getServer()->get('REMOTE_ADDR');
$remoteAddr = new RemoteAdddress($remAdd);
$remoteAddr->setTrustedProxies(['192.98.98.11', '187.2.2.10']);
$remoteAddr->setProxyHeader('X-Forwarded-For');
$remoteAddr->setUseProxy($useProxy = true);
$chain = $sessionManager->getValidatorChain();
$chain->attach('session.validate', array($remoteAddr, 'isValid'));
我几乎可以肯定这不是正确的方法,但是我找不到有关设置受信任代理的任何在线文档。
如果我这样做
$chain = $sessionManager->getValidatorChain();
print_r($chain);
添加代理后,我在输出中看不到代理的任何引用
Zend\Session\ValidatorChain Object
(
[events:protected] => Array
(
[session.validate] => Array
(
[1] => Array
(
[0] => Array
(
[0] => Array
(
[0] => Zend\Session\Validator\RemoteAddr Object
(
[data:protected] => 127.0.0.1
)
[1] => isValid
)
)
)
)
)
[eventPrototype:protected] => Zend\EventManager\Event Object
(
[name:protected] =>
[target:protected] =>
[params:protected] => Array
(
)
[stopPropagation:protected] =>
)
[identifiers:protected] => Array
(
)
[sharedManager:protected] =>
[storage:protected] => Zend\Session\Storage\SessionArrayStorage Object
(
)
)
正如我所说,我很确定我将以错误的方式进行操作,因此非常感谢您找到正确方法的帮助。
答案 0 :(得分:2)
我偶然发现了完全相同的问题,仅在我使用CF的情况下。
您的方法是错误的,因为您使用的是Zend \ Http \ PhpEnvironment \ RemoteAddress,而不是替换已加载的验证器Zend \ Session \ Validator \ RemoteAddr。
Zend \ Session \ Validator \ RemoteAddr在内部使用Zend \ Http \ PhpEnvironment \ RemoteAddress,因此您不应使用Zend \ Http \ PhpEnvironment \ RemoteAddress:https://github.com/zendframework/zend-session/blob/master/src/Validator/RemoteAddr.php
这是经过测试的工作代码:
public function onBootstrap(MvcEvent $event)
{
$application = $event->getApplication();
$serviceManager = $application->getServiceManager();
// The following line instantiates the SessionManager and automatically
// makes the SessionManager the 'default' one to avoid passing the
// session manager as a dependency to other models.
$sessionManager = $serviceManager->get(SessionManager::class);
$remoteAddr = new \Zend\Session\Validator\RemoteAddr();
//$remoteAddr->setTrustedProxies([]);
$remoteAddr->setProxyHeader('CF-Connecting-IP');
$remoteAddr->setUseProxy(true);
$current_chain = $sessionManager->getValidatorChain(\Zend\Session\Validator\RemoteAddr::class);
$current_chain->attach(
'session.validate',
[ new \Zend\Session\Validator\HttpUserAgent(), 'isValid' ]
);
$current_chain->attach(
'session.validate',
[ $remoteAddr, 'isValid' ]
);
$sessionManager->start();
Container::setDefaultManager($sessionManager);
}
结果:
Zend\Session\ValidatorChain Object
(
[events:protected] => Array
(
[session.validate] => Array
(
[1] => Array
(
[0] => Array
(
[0] => Array
(
[0] => Zend\Session\Validator\HttpUserAgent Object
(
[data:protected] => Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
)
[1] => isValid
)
[1] => Array
(
[0] => Zend\Session\Validator\RemoteAddr Object
(
[data:protected] => MY_REAL_IP
)
[1] => isValid
)
)
)
)
)
)
我还在https://github.com/zendframework/zend-session/blob/master/src/Validator/RemoteAddr.php函数内添加了 print_r($ remoteAddress); 并使用TrustedProxies进行测试:
/**
* Returns client IP address.
*
* @return string IP address.
*/
protected function getIpAddress()
{
$remoteAddress = new RemoteAddress();
$remoteAddress->setUseProxy(static::$useProxy);
$remoteAddress->setTrustedProxies(static::$trustedProxies);
$remoteAddress->setProxyHeader(static::$proxyHeader);
print_r($remoteAddress);
return $remoteAddress->getIpAddress();
}
结果:
Zend\Http\PhpEnvironment\RemoteAddress Object
(
[useProxy:protected] => 1
[trustedProxies:protected] => Array
(
[0] => 192.98.98.11
[1] => 187.2.2.10
)
[proxyHeader:protected] => HTTP_CF_CONNECTING_IP
)
结论是setTrustedProxies正在工作,您只是看不到它,因为https://github.com/zendframework/zend-session/blob/master/src/Validator/RemoteAddr.php不会将其返回以使其可见,因为它只是将其传递给Zend \ Http \ PhpEnvironment \ RemoteAddress。
您当然可以完全像您的代码一样覆盖“默认” SessionManager:
$sessionConfig = new SessionConfig();
$sessionConfig->setOptions($config);
$sessionManager = new SessionManager($sessionConfig);
但这只是可选的。