Overview

The ingress WAF identifies common attacks and malicious bots; Envoy rate limiting protects the backend during traffic peaks and anomalous bursts. Used together they strengthen perimeter defence and system stability.

Key practices and parameters

WAF rules: enable the OWASP Core Rule Set (CRS) and tune it to the application.
Local rate limiting: set the sustained rate with tokens_per_fill and fill_interval; max_tokens bounds the burst that is admitted before limiting starts.
Allow/deny lists: policy control based on client IP or request headers.
Auditing: log rule hits and rate-limit events.

Examples / configuration / implementation

# ModSecurity + CRS example
SecRuleEngine On
Include /usr/local/modsecurity/crs-setup.conf
Include /usr/local/modsecurity/rules/*.conf
# Custom rule on top of CRS: reject obvious scanner/tool User-Agents in phase 1 (request headers).
# (?i) makes the match case-insensitive so "Curl" or "WGET" do not slip past; msg makes the audit log readable.
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)(curl|bot|scrapy|wget)" "id:100100,phase:1,deny,status:403,log,msg:'Suspicious User-Agent'"
# Istio EnvoyFilter: local rate limit on the ingress gateway
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingress-rl
  namespace: istio-system
spec:
  workloadSelector:
    labels: { istio: ingressgateway }
  configPatches:
  - applyTo: HTTP_FILTER
    match: { context: GATEWAY }
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.local_ratelimit
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
          stat_prefix: rl
          # bucket starts with 100 tokens; the fill timer adds 100 tokens every second, capped at 100
          token_bucket: { max_tokens: 100, tokens_per_fill: 100, fill_interval: 1s }
          # both default to 0% when omitted, which installs the filter but never limits anything
          filter_enabled:
            runtime_key: local_rate_limit_enabled
            default_value: { numerator: 100, denominator: HUNDRED }
          filter_enforced:
            runtime_key: local_rate_limit_enforced
            default_value: { numerator: 100, denominator: HUNDRED }
Verification

Attack blocking: requests carrying scanner User-Agents or attack payloads are rejected by the WAF.
High-concurrency rate limiting: requests above the rate threshold receive HTTP 429 while the backend stays stable.
List policy: denylisted clients are rejected and allowlisted clients are passed through accurately.
Audit trail: logs record the matched rule ID and each rate-limit hit.

Notes

Rules and rate limits must be tuned to the business scenario.
The outer WAF and the ingress-gateway policy need to be coordinated.
With multiple gateway replicas, evaluate the distributed effect: the local rate limit is enforced per Envoy instance, so the effective cluster-wide limit scales with the replica count.
Regularly review blocked requests and false positives.
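To reason about what the 429 check above should observe before load-testing, the following added example (not part of the original post) simulates the token bucket from the EnvoyFilter: it assumes, as the local_ratelimit filter's timer does, that tokens_per_fill tokens are added every fill_interval and capped at max_tokens, and that each request consumes one token or is rejected. The load profiles are constructed, not measured.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TokenBucket:
    """Parameters of the local_ratelimit token_bucket (values taken from the EnvoyFilter above)."""
    max_tokens: int        # burst ceiling: tokens held when the bucket is full
    tokens_per_fill: int   # tokens added on each fill-timer tick
    fill_interval: float   # seconds between ticks


def simulate(bucket: TokenBucket, arrivals: List[float]) -> List[int]:
    """Return the status (200 or 429) each request would get, in arrival order.

    arrivals are request times in seconds since the filter started; the bucket
    starts full and refills discretely on the timer, never above max_tokens.
    """
    tokens = bucket.max_tokens
    next_fill = bucket.fill_interval
    statuses: List[int] = []
    for t in sorted(arrivals):
        # apply every timer tick that fired before this request arrived
        while next_fill <= t:
            tokens = min(bucket.max_tokens, tokens + bucket.tokens_per_fill)
            next_fill += bucket.fill_interval
        if tokens > 0:
            tokens -= 1
            statuses.append(200)
        else:
            statuses.append(429)
    return statuses


def constant_rate(rps: float, seconds: float, start: float = 0.0) -> List[float]:
    """Constructed load profile: `rps` evenly spaced requests per second for `seconds`."""
    return [start + i / rps for i in range(int(rps * seconds))]


def summarize(statuses: List[int]) -> Dict[int, int]:
    """Count responses per status code, e.g. {200: 100, 429: 50}."""
    return {code: statuses.count(code) for code in sorted(set(statuses))}


if __name__ == "__main__":
    bucket = TokenBucket(max_tokens=100, tokens_per_fill=100, fill_interval=1.0)
    # 150 requests inside the first half second: the bucket absorbs 100 and rejects 50
    print(summarize(simulate(bucket, constant_rate(300, 0.5))))
    # sustained 120 rps for 3 s: 100 admitted and 20 rejected in every interval
    print(summarize(simulate(bucket, constant_rate(120, 3))))
```

The second profile shows why sustained traffic just above tokens_per_fill / fill_interval produces a steady trickle of 429s rather than a single burst of them; compare these counts against the gateway's access log during the load test.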
