对于我的应用程序,我正在使用安全的websockets,它工作正常。但我想保护它更多一点。
对于 websocket python 服务器,im 使用 websockets 库(在 asyncio 上(。 但是当我检查随 websockets.serve(( 发送的路径值时,我将始终获取套接字的路径,并且sent_ip始终是本地的。
如何更改我的配置,以便我可以阻止其他尝试连接的 IP
Server.py
import ssl
import asyncio
import logging
import websockets
import pathlib
logging.basicConfig()
STATE = {'value': 0}
USERS = set()
async def register(websocket):
USERS.add(websocket)
print("connection made!")
async def unregister(websocket):
USERS.remove(websocket)
async def update(websocket):
await websocket.send("Jobnumber: 1")
async def counter(websocket, path):
await register(websocket)
addr, seq = websocket.remote_address
print(addr) #ALWAYS localhost
print(path) #always the same path /server/sock (as configured in NGNIX)
try:
async for message in websocket:
print (message)
finally:
await unregister(websocket)
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ssl_context.load_cert_chain(
pathlib.Path(__file__).with_name('privkey.pem'))
asyncio.get_event_loop().run_until_complete(
websockets.serve(counter, '', 8004, ssl=ssl_context))
asyncio.get_event_loop().run_forever()
嘟嘟:
服务器 {
root /var/www/html/;
index index.php index.html index.htm index.nginx-debian.html;
server_name [hidden];
location / {
try_files $uri $uri/ =404;
}
location /server/sock {
proxy_pass https://pythonserver;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/../fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/.../privkey.pem; # managed by
}
上游 pythonserver { 服务器本地主机:8004;
}
尝试将它用于 Nginx,因为您也在使用 websockets:
server {
listen 80 ;
server_name <url>;
large_client_header_buffers 8 32k;
if ($http_user_agent ~* Googlebot) {
return 403;
}
access_log /var/log/nginx/access.log;
location / {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://<url>:443;
proxy_read_timeout 90;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_buffers 8 32k;
proxy_buffer_size 64k;
}
}
server {
listen 443;
server_name abc.com;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
ssl on;
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
location / {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Keep-Alive';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
add_header 'Access-Control-Allow-Credentials' 'true';
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_next_upstream error;
proxy_pass http://pythonserver;
add_header X-Upstream $upstream_addr;
add_header Host $http_host;
proxy_read_timeout 90;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_buffers 8 32k;
proxy_buffer_size 64k;
}
}
在 2 个位置将 URL 更新为服务器名称。