概述入口WAF识别常见攻击与恶意机器人,Envoy限速在高峰与异常流量时保护后端。两者协同可提升边界防护与系统稳定性。关键实践与参数WAF规则: 启用CRS并按业务调优本地限速: `tokens_per_fill` 与 `fill_interval` 设置速率黑白名单: 基于IP或Header策略控制审计: 记录命中规则与限速事件示例/配置/实现# ModSecurity + CRS 示例 SecRuleEngine On Include /usr/local/modsecurity/crs-setup.conf Include /usr/local/modsecurity/rules/*.conf SecRule REQUEST_HEADERS:User-Agent "@rx (curl|bot|scrapy|wget)" "id:100100,phase:1,deny,status:403,log" # Istio EnvoyFilter 本地限速 apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: ingress-rl namespace: istio-system spec: workloadSelector: labels: { istio: ingressgateway } configPatches: - applyTo: HTTP_FILTER match: { context: GATEWAY } patch: operation: INSERT_BEFORE value: name: envoy.filters.http.local_ratelimit typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit stat_prefix: rl token_bucket: { max_tokens: 100, tokens_per_fill: 100, fill_interval: 1s } 验证攻击拦截: 使用扫描UA与Payload触发WAF拒绝高并发限速: 超过速率阈值请求返回429且后端稳定名单策略: 黑名单拒绝、白名单放行准确审计可追溯: 日志记录规则ID与限速命中注意事项规则与限速需结合业务场景调优外层WAF与入口网关策略需协同在多副本网关下评估分布效果定期复盘拦截与误报
投稿
微信公众账号
微信扫一扫加关注
评论 返回
顶部
发表评论 取消回复