IP audit 记录
产品中为了合规,会加上audit功能,记录用户操作的内容,从这个功能上,考虑问题。
场景,目前通过azure的Gateway到产品pord当中。通过sso登录。
前端的code
const header ={
Authorization:`Bearer ${token}`,
// ri: loginInfo.refreshToken,
efl: loginInfo.EnabledForceLogined?'1':'0',
sod: loginInfo.SessionOutDuration
};
let ip ='';
if(requestIP.forwardedFor){
ip = requestIP.forwardedFor;
}elseif(c){
ip = requestIP.realIp;
}else{
ip = requestIP.remoteAddress;
}
if(ip){
header['login-ip']= ip;
}service的Code
publicstaticstringGetClientIP()
{
string str;
try
{
Microsoft.Extensions.Primitives.StringValues loginip =WebContext.Current.Request.Headers["login-ip"];
if(loginip.IsNotNullOrEmpty())
{
returnProcessingIP(loginip);
}
Microsoft.Extensions.Primitives.StringValues forwardedFor =WebContext.Current.Request.Headers["X-Forwarded-For"];
str = forwardedFor.IsNotNullOrEmpty()?ProcessingIP(forwardedFor):GetIP();
}
catch
{
str ="";
}
str = str.Contains("::ffff:")? str.Replace("::ffff:",""): str;
return str.IsIpAddress()? str :string.Empty;
}
publicstaticstringProcessingIP(string ipValue)
{
string ipstr = ipValue.ToString().Split(',').FirstOrDefault();
return ipstr !=null&& ipstr.Contains(':')? ipstr.Split(':').FirstOrDefault(): ipstr;
}这里看着是像自定义的code,通过增加这几个header是可以在audit中进行任意修改IP记录的,但是实际中仅有login-ip是有效的。
分析一波。
这个功能由来,根据原文件的注释可以知道是
由于登录使用SSO,在SSO跳转之后获取不到浏览器真实IP,所以由UI保存浏览器IP 在login时传到后台作为auditor显示使用也就是为了要记录用户登录时候的IP操作,但是登录是由SSO跳转的。直接记录请求IP的话,会记录SSO server的IP,造成记录有误。所以使用了这个header的方式进行记录。根据不同的情况使用增加的不同header。
那么这种不加过滤或者是写法是有问题的。没有直接的限制是一个,其次,是无法获取真实客户的请求IP,会被造成地址伪造的情况。
那为什么,其他的header都不好用,仅有login-ip是有效的?
实在azure getway上做了限制了。这是云服务中很好的一个路子。只不过dev没有跟devops进行同步。
那么azure上这部分是怎么做的呢?什么原理?如何走的流程?
使用 Azure 应用程序网关重写 HTTP 标头 |Microsoft Azure 博客
-- rewrite HTTP headers in Azure Application Gateway.
Rewrite HTTP request and response headers in portal - Azure Application Gateway | Microsoft Learn
看了一下应该是在应用网关上删除了相关的header字段。这里还可以增加很多的安全header
整挺好~~~~估计是在这里进行了限制,但是没有限制自定义的header login-ip
然后继续深入一下:
Azure Front Door 中对 HTTP 标头的协议支持 |Microsoft学习
Azure Front DoorAzure Front Door 是一项基于云的服务,可更快、更可靠地交付应用程序。 它使用第 7 层负载均衡跨多个区域和终结点分配流量。 它还提供动态站点加速 (DSA),以优化 Web 性能和近乎实时的故障转移,从而确保高可用性。 Azure Front Door 是一项完全托管的服务,因此无需担心缩放或维护。
说白了就是Microsoft 的新式云内容分发网络(CDN)
Azure Front Door 包含传入请求的标头,除非由于限制而将其删除。Azure Front Door 还附加了以下标头:
| Header | Example and description |
| Via | Via: 1.1 Azure Front Door adds the client's HTTP version followed by Azure as the value for the Via header. This header indicates the client's HTTP version and that Front Door was an intermediate recipient for the request between the client and the backend. |
| X-Azure-ClientIP | X-Azure-ClientIP: 127.0.0.1 Represents the client IP address associated with the request being processed. For example, a request coming from a proxy might add the X-Forwarded-For header to indicate the IP address of the original caller. |
| X-Azure-SocketIP | X-Azure-SocketIP: 127.0.0.1 Represents the socket IP address associated with the TCP connection that the current request originated from. A request's client IP address might not be equal to its socket IP address because the client IP can be arbitrarily overwritten by a user. |
| X-Azure-Ref | X-Azure-Ref: 0zxV+XAAAAABKMMOjBv2NT4TY6SQVjC0zV1NURURHRTA2MTkANDM3YzgyY2QtMzYwYS00YTU0LTk0YzMtNWZmNzA3NjQ3Nzgz A unique reference string that identifies a request served by Azure Front Door. This string is used to search access logs and critical for troubleshooting. |
| X-Azure-RequestChain | X-Azure-RequestChain: hops=1 A header that Front Door uses to detect request loops, and users shouldn't take a dependency on it. |
| X-Azure-FDID | X-Azure-FDID: 55ce4ed1-4b06-4bf1-b40e-4638452104da A reference string that identifies the request came from a specific Front Door resource. The value can be seen in the Azure portal or retrieved using the management API. You can use this header in combination with IP ACLs to lock down your endpoint to only accept requests from a specific Front Door resource. See the FAQ for more detail |
| X-Forwarded-For | X-Forwarded-For: 127.0.0.1 The X-Forwarded-For (XFF) HTTP header field often identifies the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. If there's an existing XFF header, then Front Door appends the client socket IP to it or adds the XFF header with the client socket IP. |
| X-Forwarded-Host | X-Forwarded-Host: contoso.azurefd.net The X-Forwarded-Host HTTP header field is a common method used to identify the original host requested by the client in the Host HTTP request header. This is because the host name from Azure Front Door might differ for the backend server handling the request. Any previous value is overridden by Azure Front Door. |
| X-Forwarded-Proto | X-Forwarded-Proto: http The X-Forwarded-Proto HTTP header field is often used to identify the originating protocol of an HTTP request. Front Door based on configuration might communicate with the backend by using HTTPS. This is true even if the request to the reverse proxy is HTTP. Any previous value will be overridden by Front Door. |
| X-FD-HealthProbe | X-FD-HealthProbe HTTP header field is used to identify the health probe from Front Door. If this header is set to 1, the request is from the health probe. It can be used to restrict access from Front Door with a particular value for the X-Forwarded-Host header field. |
也是一个记录的过程。在应用网关的地方,哪里存在错误。
回到code
publicstaticstringProcessingIP(string ipValue)
{
string ipstr = ipValue.ToString().Split(',').FirstOrDefault();
return ipstr !=null&& ipstr.Contains(':')? ipstr.Split(':').FirstOrDefault(): ipstr;
}首先,代码将输入的IP地址字符串使用逗号进行分割,并取得第一个分割后的子字符串,赋值给变量ipstr。这是为了处理可能存在多个IP地址的情况,只取第一个IP地址进行处理。
然后,代码判断ipstr是否为空且是否包含冒号。如果ipstr不为空且包含冒号,说明IP地址的格式是“IP地址:端口”,则将ipstr使用冒号进行分割,并取得分割后的第一个子字符串,再次赋值给ipstr。如果ipstr为空或不包含冒号,则ipstr保持不变。
为什么取第一个:这个是客户的IP,请求最开始从客户那边发过来,之后逐步传到server pod上进行记录。
这样,整体就通了。
这个loginip header可能记录很多的IP,都是有顺序的,依靠,进行分割,:后面表示端口。整体记录从客户到server pod之前,产品中流量转发的IP都是哪些。从而可以快速确定问题点。方便排查用的。
以上。
小扩展,当用户使用proxy的时候,是无法记录到客户的真实IP的,进能够记录到proxy的IP。这部分,从安全还是应用上,都可以不用考虑,安全上,是能够隐藏真实的IP,但是这个过程是在浏览器和IPS方进行的,与应用dev无关。可以从其他方面进行限制,例如使用HSTS等方式。从业务上,客户网络无法直接访问应用,需要通过代理的方式才能请求,那么为了保障服务的连续性,这种方式又是必须支持的。还是需要看组织/公司的业务目标了!
原文始发于微信公众号(wulala520):IP audit 记录
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论