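This is a follow-up question to another question about reCaptcha and GCA.
I have a GKE application in the following setup:
- the front application works on example.com
- the backend application works on api.example.com
I exposed those workloads through Ingress and everything seems cool. I want to protect the application with Cloud Armor. I added an annotation to the api service. I can confirm that if the policy has just one rule, "deny all IPs", I cannot reach the backend endpoints, and if I change the rule to "allow all IPs", I can. So GCA itself works fine.
I tried to connect reCaptcha Enterprise and interpret its score with Google Cloud Armor, but I cannot get it to work. I created the following rules, but it seems that the token.recaptcha.score value I added is not interpreted at all.
I have the following 3 rules:
- priority: 500, expression: request.method == "OPTIONS"
- priority: 1000, expression: token.recaptcha.score > 0.1
- priority: 2147483647, expression: deny (403) from *
I can see that the OPTIONS passes through: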
{
"insertId": "1xxxr",
"jsonPayload": {
"@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry",
"enforcedSecurityPolicy": {
"priority": 500,
"configuredAction": "ALLOW",
"outcome": "ACCEPT",
"name": "login-security-policy"
},
"statusDetails": "response_sent_by_backend"
},
"httpRequest": {
"requestMethod": "OPTIONS",
"requestUrl": "https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AxxxE",
"requestSize": "97",
"status": 200,
"responseSize": "367",
"userAgent": "XXX",
"remoteIp": "XX.XX.XX.XX",
"referer": "https://example.com/",
"serverIp": "10.10.0.33",
"latency": "0.126041s"
},
"resource": {
"type": "http_load_balancer",
"labels": {
"project_id": "xxx",
"zone": "global",
"url_map_name": "k8s2-um-dxxxd-default-main-ixxxq",
"backend_service_name": "k8s-be-3xxx9--9xxx9",
"target_proxy_name": "k8s2-ts-dxxxd-default-main-ixxxq",
"forwarding_rule_name": "k8s2-fs-dxxxd-default-main-ixxxq"
}
},
"timestamp": "2021-12-21T18:28:42.103879Z",
"severity": "INFO",
"logName": "projects/xxx/logs/requests",
"trace": "projects/xxx/traces/3xxx2",
"receiveTimestamp": "2021-12-21T18:28:43.228371341Z",
"spanId": "5xxx0"
}
But GET doesn't:
{
"insertId": "1xxxr",
"jsonPayload": {
"statusDetails": "denied_by_security_policy",
"enforcedSecurityPolicy": {
"outcome": "DENY",
"configuredAction": "DENY",
"name": "login-security-policy",
"priority": 2147483647
},
"@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry"
},
"httpRequest": {
"requestMethod": "GET",
"requestUrl": "https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AxxxE",
"requestSize": "1291",
"status": 403,
"responseSize": "194",
"userAgent": "XXX",
"remoteIp": "XX.XX.XX.XX",
"referer": "https://example.com/",
"latency": "0.221476s"
},
"resource": {
"type": "http_load_balancer",
"labels": {
"project_id": "xxx",
"target_proxy_name": "k8s2-ts-dxxxd-default-main-ixxxq",
"forwarding_rule_name": "k8s2-fs-dxxxd-default-main-ixxxq",
"zone": "global",
"url_map_name": "k8s2-um-dxxxd-default-main-ixxxq",
"backend_service_name": "k8s-be-3xxx9--9xxx9"
}
},
"timestamp": "2021-12-21T18:28:42.254613Z",
"severity": "WARNING",
"logName": "projects/xxx/logs/requests",
"trace": "projects/xxx/traces/5xxx0",
"receiveTimestamp": "2021-12-21T18:28:43.228371341Z",
"spanId": "axxxb"
}
This is also the GET request exported from the browser:
curl 'https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AxxxE' \
  -H 'authority: api.example.com' \
  -H 'pragma: no-cache' \
  -H 'cache-control: no-cache' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'authorization: Bearer exxxw' \
  -H 'x-recaptcha-token: Axxxo' \
  -H 'user-agent: XXX' \
  -H 'origin: https://example.com' \
  -H 'sec-fetch-site: same-site' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'referer: https://example.com/' \
  --compressed
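reCAPTCHA WAF is a new feature that reCAPTCHA Enterprise has. It puts reCAPTCHA at the edge layer, protecting web applications in the WAF (web application firewall) before the request reaches the application servers.
The reCAPTCHA WAF token is different from the normal reCAPTCHA Enterprise token.
Make sure the reCAPTCHA WAF token is visible to Cloud Armor. If you are using the session-token case, it will be a cookie and should automatically be visible to Cloud Armor. If you are using an action token, make sure the token is attached in the request header; see the integration guide for action tokens.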
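A triage sketch for the load balancer log entries quoted in the question, added here as an example (it is not part of the original question or answer): it reports which Cloud Armor rule priority decided each request and whether a given rule ever matched. The sample entries are constructed, trimmed copies of the two logs above, and the function names are hypothetical.

```python
import json
from collections import Counter

# Priority of the default (last) rule in the policy from the question.
DEFAULT_RULE_PRIORITY = 2147483647

# Constructed sample: the two log entries from the question, trimmed to the
# fields this script reads, one JSON object per line.
SAMPLE_LOG = """
{"jsonPayload": {"enforcedSecurityPolicy": {"priority": 500, "configuredAction": "ALLOW", "outcome": "ACCEPT", "name": "login-security-policy"}, "statusDetails": "response_sent_by_backend"}, "httpRequest": {"requestMethod": "OPTIONS", "status": 200}}
{"jsonPayload": {"enforcedSecurityPolicy": {"priority": 2147483647, "configuredAction": "DENY", "outcome": "DENY", "name": "login-security-policy"}, "statusDetails": "denied_by_security_policy"}, "httpRequest": {"requestMethod": "GET", "status": 403}}
"""


def summarize(entry):
    """Extract the Cloud Armor decision from one LoadBalancerLogEntry."""
    payload = entry.get("jsonPayload", {})
    policy = payload.get("enforcedSecurityPolicy", {})
    request = entry.get("httpRequest", {})
    priority = policy.get("priority")
    return {
        "method": request.get("requestMethod"),
        "status": request.get("status"),
        "policy": policy.get("name"),
        "priority": priority,
        "outcome": policy.get("outcome"),
        # True when no earlier rule matched and the default rule denied.
        "fell_through": (
            priority == DEFAULT_RULE_PRIORITY
            and payload.get("statusDetails") == "denied_by_security_policy"
        ),
    }


def triage(log_text):
    """Return per-request summaries and a count of hits per rule priority."""
    rows = [summarize(json.loads(line))
            for line in log_text.splitlines() if line.strip()]
    hits = Counter(row["priority"] for row in rows)
    return rows, hits


def rule_never_matched(hits, priority):
    """True if no logged request was decided by the rule at this priority."""
    return hits.get(priority, 0) == 0


if __name__ == "__main__":
    rows, hits = triage(SAMPLE_LOG)
    for row in rows:
        print(row)
    print("rule 1000 never matched:", rule_never_matched(hits, 1000))
```

If the score rule at priority 1000 never appears in `enforcedSecurityPolicy` while requests carrying the token land on the default rule, the token is not being evaluated by Cloud Armor, which is the symptom described in the question.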