Protecting Laravel Sites with IP Intelligence

From the moment you publish a website, you need to be wary of security. From hackers to script-kiddies, you can never be sure where the next attack will come from.

So, as developers, we are always on the lookout for the next best thing when it comes to protecting our websites.

In this article, we will cover a simple way to use IP intelligence to detect unwanted connections and reject requests from suspicious sources.

What is IP Intelligence

When most people hear "IP intelligence", the thing that comes to mind is "locating users from their IP address". But it doesn't stop there; IP intelligence can be used to accomplish many things:

  • Content personalization.
  • Currency detection.
  • Fraud prevention.
  • Time zone lookup.
  • Language redirection.

The list above is just a handful of the things that can be achieved using IP intelligence.

Building a service that can do all of the above takes a lot of time and resources. So, instead of building and managing such a service ourselves, we will use one that already exists: IPAPI, the sponsor of this article.

Getting Started

Our firewall will be built as a middleware for our application, meaning every request coming into our app passes through this "filter", which rejects suspected bad actors.

To demonstrate how to build a simple middleware that protects an app, we will create a Laravel project. Note that the same can be done in any programming language of your choice.

composer create-project laravel/laravel firewall --prefer-dist

Head over to IPAPI and create an account. After that, you will see an access key with a structure similar to 86ebc30b4adfc508e48bf1b489140fe3. Grab your own and add it to your `.env` file, which is where a secret like this belongs (never hard-code it in config/services.php, which is committed to version control).

IPAPI_ACCESS_KEY=86ebc30b4adfc508e48bf1b489140fe3

After that, open config/services.php and add the following array entry.

'ip' => [
    'key' => env('IPAPI_ACCESS_KEY'),
],

The last thing to do is to install Guzzle, which will be used to make the request to IPAPI's server.

composer require guzzlehttp/guzzle

After that, we can build our middleware.

Making a Request to IPAPI's Server

IPAPI offers two endpoints for us to use.

  • api.ipapi.com/api/<ip>, where we provide the IP we want to check.
  • api.ipapi.com/check, which detects the IP address the request came from and returns a response for it (useful for requests made directly from the browser).

We are most interested in the first one: calling the second one from our server would look up our server's IP instead of the client's. So, using the first one, we capture the client's IP from the incoming request and forward it to IPAPI.

Given a request like:

GET https://api.ipapi.com/api/161.185.160.93?access_key=86ebc30b4adfc508e48bf1b489140fe3

the response will look something like this:

{
    "ip": "161.185.160.93",
    "hostname": "161.185.160.93",
    "type": "ipv4",
    "continent_code": "NA",
    "continent_name": "North America",
    "country_code": "US",
    "country_name": "United States",
    "region_code": "NY",
    "region_name": "New York",
    "city": "Brooklyn",
    "zip": "11238",
    "latitude": 40.676,
    "longitude": -73.9629,
    "location": {
        "geoname_id": 5110302,
        "capital": "Washington D.C.",
        "languages": [
            {
                "code": "en",
                "name": "English",
                "native": "English"
            }
        ],
        "country_flag": "http://assets.ipapi.com/flags/us.svg",
        "country_flag_emoji": "🇺🇸",
        "country_flag_emoji_unicode": "U+1F1FA U+1F1F8",
        "calling_code": "1",
        "is_eu": false
    },
    "time_zone": {
        "id": "America/New_York",
        "current_time": "2018-09-24T05:07:10-04:00",
        "gmt_offset": -14400,
        "code": "EDT",
        "is_daylight_saving": true
    },
    "currency": {
        "code": "USD",
        "name": "US Dollar",
        "plural": "US dollars",
        "symbol": "$",
        "symbol_native": "$"
    },
    "connection": {
        "asn": 22252,
        "isp": "The City of New York"
    },
    "security": {
        "is_proxy": false,
        "proxy_type": null,
        "is_crawler": false,
        "crawler_name": null,
        "crawler_type": null,
        "is_tor": false,
        "threat_level": "low",
        "threat_types": null
    }
}

We can see that IPAPI does a lot of work for us. For this article, however, we are interested in the "security" part of the response.

..."security": {
        "is_proxy": false,
        "proxy_type": null,
        "is_crawler": false,
        "crawler_name": null,
        "crawler_type": null,
        "is_tor": false,
        "threat_level": "low",
        "threat_types": null
    } ...

Taking a closer look at the security portion, we can see that IPAPI performs several checks for us: it assigns the address a threat level, tells us whether the request comes from the Tor network or through a proxy, and even tells us whether a known crawler is making the request.

Creating Our Middleware

Middleware is a mechanism that sits between an incoming request and your app. Scotch has a short introduction to Laravel middleware.

Now, from the root of our project, run

php artisan make:middleware IPFirewall

After we've created the middleware, we can find it in app/Http/Middleware/IPFirewall.php, and it will look similar to this:

<?php

namespace App\Http\Middleware;

use Closure;

class IPFirewall
{
  /**
   * Handle an incoming request.
   *
   * @param  \Illuminate\Http\Request  $request
   * @param  \Closure  $next
   * @return mixed
   */
  public function handle($request, Closure $next)
  {
    return $next($request);
  }
}

To protect our server, we can do this (add `use GuzzleHttp\Client;` at the top of the file):

public function handle($request, Closure $next)
{
    $ip = $request->ip();

    $key = config('services.ip.key');
    // use https so the access key is not sent in the clear
    $url = "https://api.ipapi.com/api/{$ip}?access_key={$key}&security=1";

    // make request
    $client = new Client;
    $response = $client->request('GET', $url);
    $data = json_decode((string) $response->getBody(), true);

    // no security data in the response means we have no verdict:
    // a middleware must return a response, so let the request through
    if (!is_array($data) || !isset($data['security'])) {
        return $next($request);
    }

    // abort() throws, so nothing after it runs for a blocked request
    if ($data['security']['threat_level'] === 'high') {
        abort(403);
    }

    return $next($request);
}

From the code above:

  • We first get the IP address of the incoming request.
  • Then we build the request to send to IPAPI.
  • When we get a response from IPAPI, we check that the security section exists.
  • Then, if the threat level is high, we refuse the request with a 403; otherwise we pass it on to the application.
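The whole firewall keys on `$request->ip()`, so it is worth knowing where that value comes from. The script below is an added example, not code from the tutorial: it builds a constructed request whose TCP peer is 203.0.113.10 (think of a load balancer) carrying an X-Forwarded-For header naming 198.51.100.7, and resolves `ip()` under different trusted-proxy settings, which is exactly what Laravel's app/Http/Middleware/TrustProxies.php configures through its `$proxies` property. The addresses are documentation-range samples and the script assumes it is run from the root of the Laravel project created above.

```php
<?php
// Added example, not from the original tutorial: how the address the firewall
// keys on depends on which proxies Laravel is told to trust.
// Run from the root of the tutorial's Laravel project: php trusted_proxy_demo.php

require __DIR__ . '/vendor/autoload.php';

use Illuminate\Http\Request;

// Constructed sample: the TCP peer is 203.0.113.10 (e.g. a load balancer) and
// the request carries an X-Forwarded-For header claiming the client is 198.51.100.7.
function sampleRequest(): Request
{
    return Request::create('/', 'GET', [], [], [], [
        'REMOTE_ADDR'          => '203.0.113.10',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.7',
    ]);
}

// Resolve $request->ip() after trusting the given addresses for X-Forwarded-For.
// TrustProxies does the same with its $proxies property on every real request.
function clientIpTrusting(array $trustedProxies): string
{
    Request::setTrustedProxies($trustedProxies, Request::HEADER_X_FORWARDED_FOR);

    return sampleRequest()->ip();
}

// 1. Nothing trusted: ip() is the TCP peer, 203.0.113.10. Behind a load balancer
//    every request then looks like it comes from the balancer, so the firewall
//    would cache a single verdict under "firewall_203.0.113.10" for all users.
echo clientIpTrusting([]), PHP_EOL;

// 2. Exactly the balancer trusted: ip() is taken from X-Forwarded-For, giving
//    198.51.100.7. The framework takes the address nearest the trusted proxy,
//    so a value a client prepends to the header is ignored.
echo clientIpTrusting(['203.0.113.10']), PHP_EOL;

// 3. Some other address trusted: the peer is not on the list, so the header is
//    ignored and ip() is 203.0.113.10 again. The dangerous case is the opposite:
//    trusting every peer ('*' in TrustProxies) lets a client that connects
//    directly send its own X-Forwarded-For and be looked up, and cached, as an
//    address it does not own, which bypasses the firewall entirely.
echo clientIpTrusting(['192.0.2.1']), PHP_EOL;
```

The practical check: behind a load balancer or CDN, set `$proxies` in TrustProxies to the balancer's real addresses (or CIDR ranges), not `'*'`, and confirm that `$request->ip()` in the middleware is a client address rather than the balancer's before relying on it for blocking or caching.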

Improving Performance

The solution above is not the best implementation we could have, because every incoming request now waits for a round trip to IPAPI before it is served.

Laravel has a cache layer, and we can use that to our advantage (add `use Illuminate\Support\Facades\Cache;` next to the Guzzle import):

public function handle($request, Closure $next)
{
    $ip = $request->ip();

    // cache the verdict per IP for one hour; a DateTime TTL works whether the
    // cache expects minutes (Laravel <= 5.7) or seconds (Laravel >= 5.8)
    $insecureRequest = Cache::remember("firewall_$ip", now()->addHour(), function () use ($ip) {
        // build parameters
        $key = config('services.ip.key');
        $url = "https://api.ipapi.com/api/{$ip}?access_key={$key}&security=1";
        // make request
        $client = new Client;
        $response = $client->request('GET', $url);
        $data = json_decode((string) $response->getBody(), true);
        // no security data means no verdict: treat the request as not insecure
        if (!is_array($data) || !isset($data['security'])) {
            return false;
        }
        return $data['security']['threat_level'] === 'high';
    });

    if ($insecureRequest) {
        abort(403);
    }

    return $next($request);
}

Calling Cache::remember() tells Laravel to fetch a value from the cache; if it doesn't exist, Laravel runs the closure, stores the value it returns in the cache for the given TTL, and returns it.

Using the IP address as the cache key, Laravel first tries to fetch the IP's cached threat status. If the request is considered insecure, Laravel aborts with a 403. Otherwise the request is allowed through, and the lookup only has to be performed once per IP for the lifetime of the cache entry. Note that a blocked IP stays blocked, and an allowed one stays allowed, until that entry expires, so pick a TTL that matches how often you want IPAPI's verdict refreshed.
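Putting the middleware and the caching together, here is the version of IPFirewall the author of this edit would ship; it is an added example and not the tutorial's own code. It keeps the tutorial's policy (block only a "high" threat level) and adds the details a production deployment needs: HTTPS to IPAPI, a request timeout so a slow IPAPI cannot stall the site, skipping private and loopback addresses, explicit fail-open handling with logging when no verdict can be obtained, and caching only real verdicts so a transient lookup failure is not cached for an hour. The class name, cache key and TTL follow the tutorial; the timeout value and the decision to fail open are this example's assumptions.

```php
<?php
// Added example, not the tutorial's own code: the cached IPFirewall middleware
// with HTTPS, a timeout, explicit no-verdict handling and verdict-only caching.

namespace App\Http\Middleware;

use Closure;
use GuzzleHttp\Client;
use GuzzleHttp\Exception\GuzzleException;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Log;

class IPFirewall
{
    // Longest we are willing to wait for IPAPI on the request path, in seconds (assumed value).
    private const HTTP_TIMEOUT = 2.0;

    public function handle($request, Closure $next)
    {
        $ip = $request->ip();

        // Loopback and private addresses (local development, health checks from a
        // load balancer) are never sent to IPAPI and are always allowed.
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return $next($request);
        }

        $cacheKey = "firewall_{$ip}";

        // Cache::get() returns null for a miss; only a real verdict (true/false) is stored,
        // so a failed lookup is retried on the next request instead of being cached.
        $blocked = Cache::get($cacheKey);
        if ($blocked === null) {
            $blocked = $this->lookup($ip);
            if ($blocked !== null) {
                // A DateTime TTL works whether the cache expects minutes (<= 5.7) or seconds (>= 5.8).
                Cache::put($cacheKey, $blocked, now()->addHour());
            }
        }

        if ($blocked === true) {
            abort(403);
        }

        // false (allowed) and null (no verdict, fail open) both let the request through.
        return $next($request);
    }

    // Returns true (block), false (allow) or null when no verdict could be obtained.
    // Failing open on null keeps the site up during an IPAPI outage; to fail closed
    // instead, treat null like true in handle() above.
    private function lookup(string $ip): ?bool
    {
        $client = new Client([
            'base_uri'    => 'https://api.ipapi.com/', // HTTPS: the access key travels in the query string
            'timeout'     => self::HTTP_TIMEOUT,
            'http_errors' => false,                    // inspect non-2xx responses instead of throwing
        ]);

        try {
            $response = $client->get("api/{$ip}", [
                'query' => [
                    'access_key' => config('services.ip.key'),
                    'security'   => 1,
                ],
            ]);
        } catch (GuzzleException $e) {
            Log::warning("IPFirewall: IPAPI lookup failed for {$ip}: " . $e->getMessage());
            return null;
        }

        $data = json_decode((string) $response->getBody(), true);

        if ($response->getStatusCode() !== 200 || !is_array($data) || !isset($data['security'])) {
            Log::warning("IPFirewall: no security data for {$ip}", ['status' => $response->getStatusCode()]);
            return null;
        }

        // The tutorial's policy: block only a "high" threat level. The same object also
        // carries is_tor, is_proxy and is_crawler if a stricter policy is wanted.
        return ($data['security']['threat_level'] ?? null) === 'high';
    }
}
```

To activate it, register the class in app/Http/Kernel.php, for example as `'ip.firewall' => \App\Http\Middleware\IPFirewall::class` in `$routeMiddleware`, and attach it to the routes you want protected with `->middleware('ip.firewall')` (or add it to the `web` middleware group to cover the whole site). Because it runs after TrustProxies in the global stack, `$request->ip()` will already reflect your trusted-proxy configuration.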

Conclusion

IPAPI is a great service used by many companies; give them a shot and improve your application's security.

Translated from: https://scotch.io/tutorials/protecting-laravel-sites-with-ip-intelligence
