Apache ProxyPass 仅允许来自 Pingdom IPv4 地址
Apache ProxyPass Allow only from Pingdom IPv4 addresses
我有一个带有 ProxyPass / ProxyPassReverse 的 apache2 vHost 配置,需要限制对某些静态 IP 地址和所有 Pingdom IP 地址的访问。
Pingdom IP地址列表是一个文件列表,每行一个IP地址:
5.172.196.188
5.178.78.77
13.232.220.164
23.22.2.46
23.83.129.219
23.111.152.74
.
.
.
完整的 IP 地址列表可以在 https://my.pingdom.com/probes/ipv4 找到。
我已经下载了 Pingdom IP 地址列表,因为我没有找到任何直接从他们的网站读取列表的解决方案。
只要我没有配置 Allow from env=PINGDOM,Allow/Deny 就会按预期工作。一旦我添加了前面提到的配置行,所有客户端 IP 地址都能够访问该站点。
<VirtualHost *:443>
ServerAdmin contact@example.com
ServerName site.example.com
RewriteEngine on
RewriteMap allowed "txt:/var/www/pingdom_ip_addresses"
UnsetEnv PINGDOM
RewriteCond ${allowed:%{REMOTE_ADDR}} ""
RewriteRule ^ - [E=PINGDOM]
<Proxy *>
Order Deny,Allow
Deny from all
# Static IPs
Allow from 1.2.3.10/32
Allow from 1.2.3.20/32
# Pingdom
Allow from env=PINGDOM
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/example-site/
ProxyPassReverse / http://localhost:8080/example-site/
SSLEngine ON
SSLCertificateFile /etc/letsencrypt/live/site.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.example.com/privkey.pem
</VirtualHost>
在这里找到了类似的解决方案:
但是,IP 地址列表文件确实在每个 IP 地址旁边都有一个 1。 Pingdom列表没有这个。
我的规则需要如何才能按预期工作?
我找到了可行的解决方案。
我配置了以下 cronjob 以每小时获取当前 Pingdom 探测 IPv4 列表:
PATH=/usr/local/bin:/usr/bin:/bin
0 * * * * www-data wget -t 1 -T 1 https://my.pingdom.com/probes/ipv4 -q -O - | sed -e 's/$/ 1/' > /var/www/pingdom_ip_addresses
Apache vHost 配置现在如下所示:
<VirtualHost *:443>
ServerAdmin contact@example.com
ServerName site.example.com
RewriteEngine on
UnsetEnv PINGDOM
RewriteMap allowed "txt:/var/www/pingdom_ip_addresses"
RewriteCond ${allowed:%{REMOTE_ADDR}} 1
RewriteRule ^ - [E=PINGDOM]
<Proxy *>
Order Deny,Allow
Deny from all
# Static IPs
Allow from 1.2.3.10/32
Allow from 1.2.3.20/32
# Pingdom
Allow from env=PINGDOM
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/example-site/
ProxyPassReverse / http://localhost:8080/example-site/
SSLEngine ON
SSLCertificateFile /etc/letsencrypt/live/site.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.example.com/privkey.pem
</VirtualHost>
我有一个带有 ProxyPass / ProxyPassReverse 的 apache2 vHost 配置,需要限制对某些静态 IP 地址和所有 Pingdom IP 地址的访问。
Pingdom IP地址列表是一个文件列表,每行一个IP地址:
5.172.196.188
5.178.78.77
13.232.220.164
23.22.2.46
23.83.129.219
23.111.152.74
.
.
.
完整的 IP 地址列表可以在 https://my.pingdom.com/probes/ipv4 找到。
我已经下载了 Pingdom IP 地址列表,因为我没有找到任何直接从他们的网站读取列表的解决方案。
只要我没有配置Allow from env=PINGDOM,Allow/Deny 就会按预期工作。一旦我添加了前面提到的配置行,所有客户端 IP 地址都能够访问该站点。
<VirtualHost *:443>
ServerAdmin contact@example.com
ServerName site.example.com
RewriteEngine on
RewriteMap allowed "txt:/var/www/pingdom_ip_addresses"
UnsetEnv PINGDOM
RewriteCond ${allowed:%{REMOTE_ADDR}} ""
RewriteRule ^ - [E=PINGDOM]
<Proxy *>
Order Deny,Allow
Deny from all
# Static IPs
Allow from 1.2.3.10/32
Allow from 1.2.3.20/32
# Pingdom
Allow from env=PINGDOM
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/example-site/
ProxyPassReverse / http://localhost:8080/example-site/
SSLEngine ON
SSLCertificateFile /etc/letsencrypt/live/site.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.example.com/privkey.pem
</VirtualHost>
在这里找到了类似的解决方案:
但是,IP 地址列表文件确实在每个 IP 地址旁边都有一个 1。 Pingdom列表没有这个。
我的规则需要如何才能按预期工作?
我找到了可行的解决方案。
我配置了以下 cronjob 以每小时获取当前 Pingdom 探测 IPv4 列表:
PATH=/usr/local/bin:/usr/bin:/bin
0 * * * * www-data wget -t 1 -T 1 https://my.pingdom.com/probes/ipv4 -q -O - | sed -e 's/$/ 1/' > /var/www/pingdom_ip_addresses
Apache vHost 配置现在如下所示:
<VirtualHost *:443>
ServerAdmin contact@example.com
ServerName site.example.com
RewriteEngine on
UnsetEnv PINGDOM
RewriteMap allowed "txt:/var/www/pingdom_ip_addresses"
RewriteCond ${allowed:%{REMOTE_ADDR}} 1
RewriteRule ^ - [E=PINGDOM]
<Proxy *>
Order Deny,Allow
Deny from all
# Static IPs
Allow from 1.2.3.10/32
Allow from 1.2.3.20/32
# Pingdom
Allow from env=PINGDOM
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/example-site/
ProxyPassReverse / http://localhost:8080/example-site/
SSLEngine ON
SSLCertificateFile /etc/letsencrypt/live/site.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.example.com/privkey.pem
</VirtualHost>