Question

deny certain IP to access whole site
deny certain IP to log in

我写道,如果用户的IP正在数据库中,就会进行检查。对于第一个情况,我写了一位凯尔听器,对每一项请求进行核查,并在遇到被禁用户时扔下403条:

if (VoterInterface::ACCESS_DENIED === $this->voter->vote($token, $this, array())) {
    throw new AccessDeniedHttpException( Blacklisted, punk! );
}

First problem lies in VoterInterface itself, which forces me to use TokenInterface $token, which I don t really need in this case. But that doesn t matter that much I guess. Next thing is that I actually had to use AccessDeniedHttpException as AccessDeniedException always tries to redirect me to login page and causes endless redirect loop in this case. I d live with it as it works just fine in dev environment, but when I switch to prod I keep getting 503 with following in prod log:

[2011-11-21 20:54:04] security.INFO: Populated SecurityContext with an anonymous Token [] []

[2011-11-21 20:54:04] request.ERROR: SymfonyComponentHttpKernelExceptionAccessDeniedHttpException: Blacklisted, punk! (uncaught exception) at xxx line 28 [] []

[2011-11-21 20:54:04] request.ERROR: Exception thrown when handling an exception (SymfonyComponentHttpKernelExceptionAccessDeniedHttpException: Blacklisted, punk!) [] []

从我刚才看,它可能遇到 x问题,但甚至在我离开时就会出现问题。我也尝试了vanilla Exception,而且这样做也是一样的。没有人会想为什么会发生? 也可能是这种黑名单化案件的其他解决办法。

此外,我没有想如何解决第二起案件,因为我不知道如何在被指定之前停止使用。我目前的解决办法是:rel=“noreferer”>Interactive式LoginEvent ,检查用户是否被黑名单,如果是的话,则去除。这似乎是一种安全的做法,我不敢真正感到安慰。因此,如何解决这一问题的想法是什么? 我猜测Im略去掉一些明显的“原始事件”。

Answer 1

为了不让访问整个网站,你可以修改用来保护发展中国家环境的白色名单。附录三:

if (in_array(@$_SERVER[ REMOTE_ADDR ], array( 127.0.0.1 ,  1.2.3.4 ,))) {
    header( HTTP/1.0 403 Forbidden );
    exit( You are not allowed to access this site. );
}

Answer 2

For site-wide IP restrictions it s best to handle them at the apache level, so your app does not even get hit by the request. In case you are trying to keep out a spammer, this way you don t waste any resources on their sometimes automated requests. In your case, writing the deny rules to the .htaccess file would be appropriate. In larger setups you can also configure a firewall to block specific IPs so those requests don t even hit your server at all.

Answer 3

第一个问题是:filters in eventDispader ,因此,在主计长启动程序申请之前,你可以投掷AccessDeniedHttpException。

关于第二个问题——如果你使用 cus用户提供人您可在<代码>上检查被禁止的IP地址。用户检索。

namespace AcmeSecurityBundleEntity;
//… some namespaces
use SymfonyComponentHttpKernelExceptionAccessDeniedHttpException;

/**
 * UserRepository
 */
class UserRepository extends … implements …
{

    public function loadUserByUsername($username)
    {
        if ( $this->isBanned() ) {
            throw new AccessDeniedHttpException("You re banned!");
        }
        //… load user from DB
    }

    //… some other methods

    private function isBanned()
    {
        $q = $this->getEntityManager()->createQuery( SELECT b FROM AcmeSecurityBundle:BlackList b WHERE b.ip = :ip )
            ->setParameter( ip , @$_SERVER[ REMOTE_ADDR ])
            ->setMaxResults(1)
        ;
        $blackList = $q->getOneOrNullResult();

        //… check if is banned
    }

}

Answer 4

you also can use a firewall on the server, for example: http://www.shorewall.net/blacklisting_support.htm which blocks the given ips completly of the server.

to autogenerate such a blacklist file, look at the following example: http://www.justin.my/2010/08/generate-shorewall-blacklist-from-spamhaus-and-dshield/

Answer 5

https://github.com/SpomkyIpFilterBundle/a>。

Answer 6

It s not a best practice. Insight (analyse by Sensio) returns : "Using PHP response functions (like header() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead." and "$_SERVER super global should not be used."

<?php

use SymfonyComponentHttpFoundationRequest;
use SymfonyComponentHttpFoundationResponse;

$loader = require_once __DIR__. /../app/bootstrap.php.cache ;

require_once __DIR__. /../app/AppKernel.php ;


$request = Request::createFromGlobals();

$client_ip = $request->getClientIp();
$authorized_hosts = [ 127.0.0.1 ,  fe80::1 ,  ::1 ,  localhost ,  yourIpAddress ];

// Securisation
if (!in_array($client_ip, $authorized_hosts)) {
    $response = new Response(
        "Forbidden",
        Response::HTTP_FORBIDDEN,
        array( content-type  =>  text/html )
    );
    $response->send();
    exit();
}

$kernel = new AppKernel( prod , false);
$kernel->loadClassCache();
$response = $kernel->handle($request);
$response->send();
$kernel->terminate($request, $response);

它为SensioInsight ok

友情链接