背景与价值多层代理导致来源IP判定复杂。可信代理链策略确保取到正确客户端IP并阻断伪造与私网来源。统一规范可信代理集合:仅对受控网段或域的代理作为可信。客户端IP判定:自左向右取第一个非可信代理IP;无效则回退 `remote_addr`。私网阻断:拒绝私网与环回来源用于敏感操作。核心实现解析与判定function ipv4ToInt(ip: string): number { const m = ip.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/); if (!m) return -1; const n = m.slice(1).map(Number); for (const x of n) if (x<0||x>255) return -1; return ((n[0]<<24)>>>0)+(n[1]<<16)+(n[2]<<8)+n[3] } function inCidr(ip: string, cidr: string): boolean { const [b,p] = cidr.split('/'); const base = ipv4ToInt(b); const mask = (~0 << (32-Number(p)))>>>0; const v = ipv4ToInt(ip); if (base<0||v<0) return false; return (v & mask) === (base & mask) } const privateCidrs = ['10.0.0.0/8','172.16.0.0/12','192.168.0.0/16','127.0.0.0/8','169.254.0.0/16'] const trustedCidrs = ['203.0.113.0/24'] function trusted(ip: string): boolean { for (const c of trustedCidrs) if (inCidr(ip, c)) return true; return false } type Req = { headers: Record<string, string | undefined>; remote_addr: string } function clientIp(req: Req): string { const xff = (req.headers['x-forwarded-for'] || '').split(',').map(s => s.trim()).filter(Boolean) for (const ip of xff) { if (!trusted(ip)) return ip } return req.remote_addr } function allowedSource(ip: string): boolean { for (const c of privateCidrs) if (inCidr(ip, c)) return false; return ipv4ToInt(ip) >= 0 } 落地建议明确可信代理网段或清单,统一来源解析与判定规则。对敏感操作拒绝私网或无效来源,并进行审计与告警。验证清单客户端IP是否按可信代理链判定;私网与环回是否被阻断。
投稿
微信公众账号
微信扫一扫加关注
评论 返回
顶部
发表评论 取消回复