ip白名单策略原理

[yydance]

问题描述：
apisix位于LB或者nginx后，使用IP白名单限制访问路由，结果未生效，大概看了下插件的源码，似乎是匹配的remote_addr，不知道是否正确？因为我不是研发，lua以前学过一点语法很久没看了。如果取自remote_addr，似乎不是太合适，是基于什么考虑不取x-real-ip，尽管x-real-ip可能不存在，但是我们可以默认赋值remote_addr。

[tzssangglass]

The default is to use X-Real-IP in headers as remote_addr, ref:

apisix/conf/config-default.yaml

Line 200 in c201d72

real_ip_header: X-Real-IP # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header

verify:

route:

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/hello",
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    },
    "plugins": {
        "ip-restriction": {
            "whitelist": [
                "127.0.0.1"
            ]
        }
    }
}'

send request from 127.0.0.1

curl http://127.0.0.1:9080/hello                                                                       '
1234567890#

send request from 127.0.0.1 and with wrong X-Real-IP, ip-restriction works well

curl http://127.0.0.1:9080/hello -H "X-Real-IP: 192.168.0.1"
{"message":"Your IP address is not allowed"}

[tzssangglass]

which APISIX get the $remote_addr maybe 10.8.112.69(maybe your Nginx's or LB's IP), and you have "10.0.0.0/8" in whitelist

[yydance]

您这条回复是否表明白名单match的是$remote_addr

[yydance]

你把示例中请求地址http://127.0.0.1:9080/hello 换成http://{eth0_ip}:9080/hello -H 'X-Real-IP: 127.0.0.1' 就过不去了

[tzssangglass]

then we need use real-ip plugin, for example, my eth0_ip is 10.211.55.4

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/hello",
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    },
    "plugins": {
        "ip-restriction": {
            "whitelist": [
                "127.0.0.1"
            ]
        },
        "real-ip": {
            "source": "http_x_real_ip",
            "trusted_addresses": ["10.211.55.4"]
        }
    }
}'

and test

curl http://10.211.55.4:9080/hello -H "X-Real-IP: 127.0.0.1"

this work for me

[tzssangglass]

if you don't want use real-ip plugin, you can add

nginx_config: 
  http:
    real_ip_from:
      - ${eth0_ip}

[yydance]

另一个示例
1、白名单

{
  "disable": false,
  "whitelist": [
    "127.0.0.1"
  ]
}

2、请求

curl -H 'host:prom.camin.vip' -H 'X-Real-IP: 127.0.0.1'  http://10.0.2.137:61160
{"message":"Your IP address is not allowed"}

3、打印的日志

[12/Oct/2022:12:12:36 +0800] 127.0.0.1 10.0.13.111 - GET 403 56 - HTTP/1.1 "http://prom.camin.vip" "/" "-" "curl/7.29.0" "-" 0.000 - - "http://prom.camin.vip" - -

[yydance]

当我白名单加了IP 10.0.13.111之后就可以访问了

[tzssangglass]

which APISIX gets the $remote_addr maybe 10.0.13.111(maybe your Nginx's or LB's IP).

[yydance]

10.0.13.111 是发起curl请求的客户端IP

[yydance]

@tzssangglass 还请百忙之中抽点时间解疑，谢谢。

[tzssangglass]

read more: #4793

[yydance]

我知道如何获取X-Real-IP。这里综上的例子，看起来IP白名单whitelist策略match的是$remote_addr，而不是取X-Real-IP 的值 @tzssangglass

[tokers]

Which Apache APISIX version are you using?

[yydance]

apisix: 2.15
apisix-dashboard: 2.13

[tzssangglass]

我知道如何获取X-Real-IP。这里综上的例子，看起来IP白名单whitelist策略match的是$remote_addr，而不是取X-Real-IP 的值

But I gave example proves that the remote_addr gets the lower X-Real-IP?

[yydance]

我觉得remote_addr不应该使用x-real-ip赋值，应该是x-real-ip不存在的情况下使用remote_addr赋值，whitelist match的IP应该取自x-real-ip

[tzssangglass]

You should be concerned about getting your front-end Nginx or LB to carry real client IP to APISIX

[yydance]

前边的日志格式和日志内容表明 real client ip 是正确的，源代码init.lua里也没看到有关real ip：

function _M.restrict(conf, ctx)
    local block = false
    local remote_addr = ctx.var.remote_addr

    if conf.blacklist then
        local matcher = lrucache(conf.blacklist, nil,
                                 core.ip.create_ip_matcher, conf.blacklist)
        if matcher then
            block = matcher:match(remote_addr)
        end
    end

    if conf.whitelist then
        local matcher = lrucache(conf.whitelist, nil,
                                 core.ip.create_ip_matcher, conf.whitelist)
        if matcher then
            block = not matcher:match(remote_addr)
        end
    end

    if block then
        return 403, { message = conf.message }
    end
end

[yydance]

综合上述的信息，看起来IP白名单插件使用的是$remote_addr match whitelist，然而给的示例似乎是将x-real-ip赋值给了$remote_addr，如果属实，这个逻辑是不对的，白名单IP应该使用x-real-ip match whitelist，当x-real-ip值为空时，默认赋值$remote_addr，$remote_addr获取的IP应该始终是request client ip，不应该被更改。

[yydance]

在案例 #8071 (comment) 里没有经过任何代理，直接访问的apisix，结果与您给的示例是相反的，稍后我也将启用real-ip插件进行测试。

[tzssangglass]

在案例 #8071 (comment) 里没有经过任何代理，直接访问的apisix，结果与您给的示例是相反的，稍后我也将启用real-ip插件进行测试。

I can't reproduce it, I think you need to explore it in your environment.

[yydance]

real ip插件也是不行。
环境：
docker-compose部署，来自官方git仓库，所有操作均在dashboard，real_ip_header: X-Real-IP，使用curl 发起请求，从日志看，whitelist 匹配的是$remote_addr的值
我觉得，让其他人试下，看是否有问题

[tzssangglass]

BTW, I didn't deploy with docker-compose. I tested it directly on the host computer.

[tzssangglass]

Deployed with docker-compose, APISIX runs inside docker and traffic requesting APISIX on the host will come in from the docker's NIC.

[yydance]

刚从官方git仓库拉了个最新版，dashboard 2.13, apisix 2.99 ，什么都没更改，请求没经过任何代理，结果仍然是不行，whitelist中匹配到remote_addr才可行，不清楚您给的示例是什么配置

[tzssangglass]

不清楚您给的示例是什么配置

My example already gives the configuration.

[tzssangglass]

I think you should focus your question on understanding how APISIX gets the real client IP. Refer to the link I gave above.

Again, it makes sense for the ip-restriction plugin to use the $remote_addr variable to get the real client IP.

[yydance]

宿主机请求访问，经过多种测试，只有请求http://127.0.0.1:9080/的形式，remote_addr会被替换成X-Real-IP的值(如果存在)

[tzssangglass]

宿主机请求访问，经过多种测试，只有请求http://127.0.0.1:9080/的形式，remote_addr会被替换成X-Real-IP的值(如果存在)

I think you still don't understand the logic of how the real-ip module works in Nginx

[yydance]

你是对的，整清楚了，非常感谢 @tzssangglass