How to create IP blacklist in Symfony2?

前端 未结 6 1239
刺人心
刺人心 2021-02-08 17:53

Yes, I know there\'s Voter tutorial in cookbook. But I\'m looking for something slightly different. I need two different layers of blacklisting:

  1. deny certain IP to
相关标签:
6条回答
  • 2021-02-08 18:09

    To the first problem – there are filters in EventDispatcher, so you can throw AccessDeniedHttpException before Controller start process request.

    To the second problem – if you use custom User Provider you can check for banned IP addresses in UserRepository.

    namespace Acme\SecurityBundle\Entity;
    //… some namespaces
    use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
    
    /**
     * UserRepository
     */
    class UserRepository extends … implements …
    {
    
        public function loadUserByUsername($username)
        {
            if ( $this->isBanned() ) {
                throw new AccessDeniedHttpException("You're banned!");
            }
            //… load user from DB
        }
    
        //… some other methods
    
        private function isBanned()
        {
            $q = $this->getEntityManager()->createQuery('SELECT b FROM AcmeSecurityBundle:BlackList b WHERE b.ip = :ip')
                ->setParameter('ip', @$_SERVER['REMOTE_ADDR'])
                ->setMaxResults(1)
            ;
            $blackList = $q->getOneOrNullResult();
    
            //… check if is banned
        }
    
    }
    
    0 讨论(0)
  • 2021-02-08 18:09

    It's not a best practice. Insight (analyse by Sensio) returns : "Using PHP response functions (like header() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead." and "$_SERVER super global should not be used."

    <?php
    
    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\HttpFoundation\Response;
    
    $loader = require_once __DIR__.'/../app/bootstrap.php.cache';
    
    require_once __DIR__.'/../app/AppKernel.php';
    
    
    $request = Request::createFromGlobals();
    
    $client_ip = $request->getClientIp();
    $authorized_hosts = ['127.0.0.1', 'fe80::1', '::1', 'localhost', 'yourIpAddress'];
    
    // Securisation
    if (!in_array($client_ip, $authorized_hosts)) {
        $response = new Response(
            "Forbidden",
            Response::HTTP_FORBIDDEN,
            array('content-type' => 'text/html')
        );
        $response->send();
        exit();
    }
    
    $kernel = new AppKernel('prod', false);
    $kernel->loadClassCache();
    $response = $kernel->handle($request);
    $response->send();
    $kernel->terminate($request, $response);
    

    It's ok for SensioInsight

    0 讨论(0)
  • 2021-02-08 18:14

    you also can use a firewall on the server, for example: http://www.shorewall.net/blacklisting_support.htm which blocks the given ips completly of the server.

    to autogenerate such a blacklist file, look at the following example: http://www.justin.my/2010/08/generate-shorewall-blacklist-from-spamhaus-and-dshield/

    0 讨论(0)
  • 2021-02-08 18:24

    To deny access to the entire website, you can adapt the whitelist code used to secure the dev environment. Stick something like this in app.php:

    if (in_array(@$_SERVER['REMOTE_ADDR'], array('127.0.0.1', '1.2.3.4',))) {
        header('HTTP/1.0 403 Forbidden');
        exit('You are not allowed to access this site.');
    }
    
    0 讨论(0)
  • 2021-02-08 18:25

    You can easily block IP and range of IP using my bundle => https://github.com/Spomky-Labs/SpomkyIpFilterBundle

    0 讨论(0)
  • 2021-02-08 18:32

    For site-wide IP restrictions it's best to handle them at the apache level, so your app does not even get hit by the request. In case you are trying to keep out a spammer, this way you don't waste any resources on their sometimes automated requests. In your case, writing the deny rules to the .htaccess file would be appropriate. In larger setups you can also configure a firewall to block specific IPs so those requests don't even hit your server at all.

    0 讨论(0)
提交回复
热议问题