How to harden a development environment
<p>Because the company's server room and office share one network, the company's egress IP is by default blocked from receiving traffic on ports 80/443 (a restriction on the ISP side). The current workaround relays through Alibaba Cloud: the development environment's domain resolves to an Alibaba Cloud host, and Nginx there reverse-proxies to a non-80 port on the company egress. Some development-environment endpoints receive third-party callbacks and verification requests, so completely blocking internet access to the development environment is not realistic.
</p>
<p>
<img title="How to harden a development environment" alt="How to harden a development environment" border="0" src="https://zhuji.jb51.net/uploads/img/202305/65fa1412703887425d3223442dceb168.jpg"></p>
<p>
The requirements, which are reasonable, are:
</p>
<ol>
<li>
The company's own network ranges can reach the development environment without restriction.
</li>
<li>
Selected third-party IP ranges can be added to a whitelist.
</li>
<li>
Where a third party has no fixed IP, the URL it calls back to can be whitelisted instead.
</li>
<li>
Anything not covered by the above is denied access from the internet.
</li>
</ol>
<p>
Given these simple requirements, how do we implement them?
</p>
<p>
Option 1: a firewall whitelist policy. A network firewall matches on source addresses and ports, not URLs, so as things stand this only covers requirements 1 and 2.
</p>
<p>
Option 2: Nginx's built-in allow/deny directives. These also match on source addresses, so as things stand they likewise only cover requirements 1 and 2 (a per-location allow could open a fixed callback path, but every change then means editing the config and reloading).
</p>
<p>
Option 3: Nginx + Lua, hooking the access phase with access_by_lua_file. As things stand this covers all of the conditions above, is simple to implement, and needs little change to the existing setup.
</p>
<ol>
<li>
In the Nginx <code>server</code> block add <code>access_by_lua_file 'scripts/filter_white.lua';</code> (the path is relative to the Nginx prefix, here <code>/usr/local/nginx</code>). The script needs <code>lua-resty-redis</code>, which OpenResty bundles, and <code>lua-resty-iputils</code>, which must be installed separately and be reachable through <code>lua_package_path</code>. If you want <code>iputils.enable_lrucache()</code>, call it once from <code>init_by_lua_block</code>, not per request: every call replaces the module's cache with a fresh, empty one.
</li>
<li>
Contents of <code>filter_white.lua</code> (placed under <code>/usr/local/nginx/scripts/</code> on this host):
</li>
</ol>
<pre><code>-- filter_white.lua: access-phase whitelist for the development environment.
-- Runs under OpenResty via access_by_lua_file; needs lua-resty-redis and lua-resty-iputils.
local redis   = require "resty.redis"
local iputils = require "resty.iputils"

-- Redis settings. The password is hard-coded here; in practice load it from a file
-- outside the web root or from an environment variable exposed with the env directive.
local REDIS_HOST = "172.17.173.183"
local REDIS_PORT = 26379
local REDIS_PASS = "Huajianghu@123"

-- Send a response body with the given status and stop processing the request.
local function deny(status, msg)
    ngx.log(ngx.ERR, "not allowed: ", ngx.var.host, ngx.var.request_uri,
            " from ", ngx.var.remote_addr)
    ngx.status = status
    ngx.say(msg)
    return ngx.exit(ngx.HTTP_OK)  -- the status was already set above
end

-- Connect to Redis. Fail closed: if the whitelist cannot be read, deny rather than
-- continuing with a nil result.
local red = redis:new()
red:set_timeout(1000)  -- milliseconds
local ok, err = red:connect(REDIS_HOST, REDIS_PORT)
if not ok then
    ngx.log(ngx.ERR, "connect to redis failed: ", err)
    return deny(ngx.HTTP_SERVICE_UNAVAILABLE, "whitelist service unavailable")
end
local res, err = red:auth(REDIS_PASS)
if not res then
    ngx.log(ngx.ERR, "failed to authenticate: ", err)
    return deny(ngx.HTTP_SERVICE_UNAVAILABLE, "whitelist service unavailable")
end

local allow = false

-- 1. Source address: white:dev:ip is a Redis set of CIDRs (write single hosts as /32).
--    remote_addr is the TCP peer; behind the Alibaba Cloud relay it must first be
--    restored with ngx_http_realip_module, otherwise every request carries the relay's IP.
local white_ips, err = red:smembers("white:dev:ip")
if not white_ips then
    ngx.log(ngx.ERR, "failed to read white:dev:ip: ", err)
    return deny(ngx.HTTP_SERVICE_UNAVAILABLE, "whitelist service unavailable")
end
if iputils.ip_in_cidrs(ngx.var.remote_addr, iputils.parse_cidrs(white_ips)) then
    allow = true
end

-- 2. Callback URLs for third parties without fixed addresses: white:dev:url is a set of
--    "host/path" entries, compared as an anchored, whole-path-segment prefix. An
--    unanchored Lua pattern match would also open any URL that merely contains the entry.
--    ngx.var.host is never nil (ngx.var.http_host is absent on requests without a Host
--    header) and ngx.var.uri is the normalized path without the query string.
if not allow then
    local url = ngx.var.host .. ngx.var.uri
    local white_urls, err = red:smembers("white:dev:url")
    if white_urls then
        for _, white_url in ipairs(white_urls) do
            local entry = white_url:gsub("/+$", "")
            if url == entry or url:sub(1, #entry + 1) == entry .. "/" then
                allow = true
                break
            end
        end
    else
        ngx.log(ngx.ERR, "failed to read white:dev:url: ", err)
    end
end

-- Return the connection to the pool instead of closing it.
red:set_keepalive(10000, 100)

-- 3. Default policy: deny everything else.
if not allow then
    return deny(ngx.HTTP_FORBIDDEN, "Please apply for whitelist access")
end
</code></pre>
<p>
3. This script is for reference only; special scenarios require adapting the Lua script. One point applies to this setup in particular: when the filter runs on the company-side Nginx behind the Alibaba Cloud relay, ngx.var.remote_addr is the relay's address for every request, so the IP whitelist does nothing useful until ngx_http_realip_module restores the caller's address (set_real_ip_from limited to the relay's IP, real_ip_header X-Forwarded-For, and the relay configured to pass X-Forwarded-For). Honouring X-Forwarded-For from arbitrary peers would let any caller forge an office address.
</p>
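<p>
The policy above, as an added stand-alone Python model so the decision logic can be exercised without OpenResty or Redis (this is not the article's code, which runs as Lua in Nginx). It goes beyond the Lua script in one respect: it recovers the caller's address from X-Forwarded-For while trusting only the relay's address, which is the job ngx_http_realip_module does in the real deployment. It compares whitelisted URLs as anchored path-segment prefixes rather than with an unanchored pattern search, and it fails closed when the whitelist store is unavailable. All addresses, hostnames and whitelist entries are constructed placeholders, not values from the article.
</p>

```python
"""Stand-alone model of the dev-environment whitelist policy (added example, not the
article's OpenResty code). Assumption: the filtering Nginx sits behind a relay, so the
caller's address is recovered from X-Forwarded-For while trusting only the relay.
Every address, hostname and whitelist entry below is a constructed placeholder."""
import ipaddress
import posixpath
from typing import Iterable, Optional, Tuple
from urllib.parse import unquote

TRUSTED_PROXIES = ["203.0.113.10/32"]       # the relay; only its X-Forwarded-For is believed
WHITELIST_STORE = {                          # stands in for the two Redis sets
    "white:dev:ip": ["10.0.0.0/8", "198.51.100.0/24", "192.0.2.7/32"],
    "white:dev:url": ["dev.example.com/pay/notify", "dev.example.com/oauth/callback/"],
}


def parse_cidrs(entries: Iterable[str]):
    """Parse CIDR strings; unparsable entries are skipped rather than aborting the check."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass
    return nets


def ip_in_cidrs(ip: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def client_ip(remote_addr: str, xff: Optional[str], trusted: Iterable[str]) -> str:
    """Recover the caller's address the way realip with real_ip_recursive on does:
    X-Forwarded-For is ignored unless the TCP peer is a trusted proxy, and trusted hops
    are peeled off from the right, so a client cannot prepend a fake office address."""
    trusted_nets = parse_cidrs(trusted)
    if not ip_in_cidrs(remote_addr, trusted_nets) or not xff:
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr           # malformed header: fall back to the peer address
        if not ip_in_cidrs(hop, trusted_nets):
            return hop
    return remote_addr                   # every hop was a trusted proxy


def normalize_path(raw_uri: str) -> str:
    """What ngx.var.uri holds: query stripped, percent-decoded, dot-segments removed."""
    path = unquote(raw_uri.split("?", 1)[0])
    return posixpath.normpath(path) if path else "/"


def url_allowed(host: str, path: str, entries: Iterable[str]) -> bool:
    """Anchored host+path match: an entry must equal the URL or be a whole path-segment
    prefix of it. An unanchored pattern search would let 'dev.example.com/pay/notify'
    also open '/pay/notify-admin' or '/x/pay/notify'."""
    url = host.split(":")[0].lower() + path   # like $host: no port, lower-cased
    for entry in entries:
        entry = entry.rstrip("/")
        if url == entry or url.startswith(entry + "/"):
            return True
    return False


def decide(remote_addr: str, xff: Optional[str], host: str, raw_uri: str,
           store=WHITELIST_STORE) -> Tuple[int, str]:
    """Return (status, body) as the access handler would. store=None models Redis being
    unreachable: fail closed with 503 rather than letting every request through."""
    if store is None:
        return 503, "whitelist service unavailable"
    ip = client_ip(remote_addr, xff, TRUSTED_PROXIES)
    if ip_in_cidrs(ip, parse_cidrs(store["white:dev:ip"])):
        return 200, "ok"
    if url_allowed(host, normalize_path(raw_uri), store["white:dev:url"]):
        return 200, "ok"
    return 403, "Please apply for whitelist access"


if __name__ == "__main__":
    RELAY = "203.0.113.10"
    for peer, xff, uri in [
        (RELAY, "10.20.30.40", "/admin"),            # office range via the relay
        (RELAY, "8.8.8.8", "/pay/notify?order=1"),   # unknown IP, whitelisted callback
        (RELAY, "8.8.8.8", "/pay/notify-admin"),     # neighbouring path: denied
        (RELAY, "8.8.8.8", "/pay/notify/../admin"),  # dot-segments: denied
        ("8.8.8.8", "10.20.30.40", "/admin"),        # forged XFF from an untrusted peer
    ]:
        print(peer, xff, uri, "->", decide(peer, xff, "dev.example.com", uri))
```

<p>
The cases in the main block are the ones worth re-running whenever the whitelist code changes: a whitelisted range arriving through the relay, a callback URL from an unknown address, two near-miss paths that a loose match would let through, and an X-Forwarded-For header supplied by a peer that is not the relay.
</p>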
<p>
Original article: https://www.toutiao.com/a7036249978200801830/
</p>