How to create IP blacklist in Symfony2?

Question

Yes, I know there\'s Voter tutorial in cookbook. But I\'m looking for something slightly different. I need two different layers of blacklisting:

1. deny certain IP to

Answer 1

To the first problem – there are filters in EventDispatcher, so you can throw AccessDeniedHttpException before Controller start process request.

To the second problem – if you use custom User Provider you can check for banned IP addresses in UserRepository.

namespace Acme\SecurityBundle\Entity;
//… some namespaces
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

/**
 * UserRepository
 */
class UserRepository extends … implements …
{

    public function loadUserByUsername($username)
    {
        if ( $this->isBanned() ) {
            throw new AccessDeniedHttpException("You're banned!");
        }
        //… load user from DB
    }

    //… some other methods

    private function isBanned()
    {
        $q = $this->getEntityManager()->createQuery('SELECT b FROM AcmeSecurityBundle:BlackList b WHERE b.ip = :ip')
            ->setParameter('ip', @$_SERVER['REMOTE_ADDR'])
            ->setMaxResults(1)
        ;
        $blackList = $q->getOneOrNullResult();

        //… check if is banned
    }

}

Answer 2

It's not a best practice. Insight (analyse by Sensio) returns : "Using PHP response functions (like header() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead." and "$_SERVER super global should not be used."

<?php

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

$loader = require_once __DIR__.'/../app/bootstrap.php.cache';

require_once __DIR__.'/../app/AppKernel.php';


$request = Request::createFromGlobals();

$client_ip = $request->getClientIp();
$authorized_hosts = ['127.0.0.1', 'fe80::1', '::1', 'localhost', 'yourIpAddress'];

// Securisation
if (!in_array($client_ip, $authorized_hosts)) {
    $response = new Response(
        "Forbidden",
        Response::HTTP_FORBIDDEN,
        array('content-type' => 'text/html')
    );
    $response->send();
    exit();
}

$kernel = new AppKernel('prod', false);
$kernel->loadClassCache();
$response = $kernel->handle($request);
$response->send();
$kernel->terminate($request, $response);

It's ok for SensioInsight

Answer 3

you also can use a firewall on the server, for example: http://www.shorewall.net/blacklisting_support.htm which blocks the given ips completly of the server.

to autogenerate such a blacklist file, look at the following example: http://www.justin.my/2010/08/generate-shorewall-blacklist-from-spamhaus-and-dshield/

Answer 4

To deny access to the entire website, you can adapt the whitelist code used to secure the dev environment. Stick something like this in app.php:

if (in_array(@$_SERVER['REMOTE_ADDR'], array('127.0.0.1', '1.2.3.4',))) {
    header('HTTP/1.0 403 Forbidden');
    exit('You are not allowed to access this site.');
}

Answer 5

You can easily block IP and range of IP using my bundle => https://github.com/Spomky-Labs/SpomkyIpFilterBundle

Answer 6

For site-wide IP restrictions it's best to handle them at the apache level, so your app does not even get hit by the request. In case you are trying to keep out a spammer, this way you don't waste any resources on their sometimes automated requests. In your case, writing the deny rules to the .htaccess file would be appropriate. In larger setups you can also configure a firewall to block specific IPs so those requests don't even hit your server at all.