IP whitelist restrictions on actuator management endpoints (Springboot add filter)

Source: Internet
Author: User

In our Spring Cloud applications we introduce Actuator to manage and monitor the services.

The common endpoints are listed here: http://www.cnblogs.com/yangzhilong/p/8378152.html

If you turn on

endpoints.restart.enabled=true

the pause, restart and related endpoints become available as well.

For shutdown, pause, restart and other sensitive operations we need some protection. Actuator already takes this into account: each sensitive endpoint has an enabled switch (endpoints.<name>.enabled), a sensitive flag (endpoints.<name>.sensitive) and the management security check (management.security.enabled).

For ease of use, we usually configure it as follows (these are Spring Boot 1.x property names; Spring Boot 2 removed management.security.enabled and the sensitive flag and moved the per-endpoint switches under management.endpoint.*):

# Disable actuator management-side authentication
management.security.enabled=false
# Enable shutdown: POST host:port/shutdown
endpoints.shutdown.enabled=true
# Disable password verification for shutdown
endpoints.shutdown.sensitive=false
# Turn on restart support
endpoints.restart.enabled=true
# IP whitelist for shutdown, pause, restart, etc.: exact addresses or prefixes ending in a dot
shutdown.whitelist=0:0:0:0:0:0:0:1,127.0.0.1,172.16.,10.18.

The main reasons for configuring it this way are: 1. it is easy to use; 2. it is easy to integrate with a variety of monitoring setups.

Note: many posts online suggest enabling management authentication instead, similar to the following (this scheme gets in the way of third-party monitoring tools, so it is not recommended here):

security.user.name=admin
security.user.password=admin
security.user.role=SUPERUSER
management.security.roles=SUPERUSER

Turning security off this way, however, means anyone can send POST requests to these endpoints, so the following filter based on an IP whitelist is added:

ShutdownFilter.java

package com.mili.crm.eureka.filter;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.context.config.annotation.RefreshScope;

import lombok.extern.slf4j.Slf4j;

/**
 * IP whitelist filtering for the shutdown, pause and restart management endpoints.
 *
 * @author yangzhilong
 */
@WebFilter(filterName = "shutdownFilter", urlPatterns = {"/shutdown", "/pause", "/restart"})
@Slf4j
@RefreshScope
public class ShutdownFilter implements Filter {

    /** Headers that proxies use to carry the original client address, checked in this order. */
    private static final String[] CLIENT_IP_HEADERS = {
        "X-Forwarded-For", "Proxy-Client-IP", "WL-Proxy-Client-IP", "HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR"
    };

    /** Comma-separated exact addresses or prefixes such as "172.16."; defaults to the IPv6 loopback address. */
    @Value("${shutdown.whitelist:0:0:0:0:0:0:0:1}")
    private String[] shutdownIpWhitelist;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        log.info("Shutdown filter is init...");
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest sRequest, ServletResponse sResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) sRequest;
        HttpServletResponse response = (HttpServletResponse) sResponse;
        String ip = getIpAddress(request);
        log.info("Original IP of the machine that accessed shutdown: {}", ip);
        if (!isMatchWhitelist(ip)) {
            // Reject: send the status code as well as the JSON body, so the caller does not see a 200.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.setCharacterEncoding("UTF-8");
            PrintWriter writer = response.getWriter();
            writer.write("{\"code\":401}");
            writer.flush();
            writer.close();
            return;
        }
        filterChain.doFilter(sRequest, sResponse);
    }

    /**
     * Match against the whitelist: either an exact entry or a prefix entry such as "172.16.".
     * Prefix entries need the trailing dot; "10.18" alone would also match 10.180.0.9.
     */
    private boolean isMatchWhitelist(String ip) {
        List<String> list = Arrays.asList(shutdownIpWhitelist);
        if (list.contains(ip)) {
            return true;
        }
        return list.stream().anyMatch(data -> ip.startsWith(data));
    }

    /**
     * Obtain the client's real IP address. request.getRemoteAddr() alone is not used, because behind
     * proxy software it only shows the proxy. With several levels of reverse proxy, X-Forwarded-For
     * holds more than one value, a comma-separated list of IPs; the one taken here is the first
     * non-"unknown" entry, e.g. for
     *     X-Forwarded-For: 192.168.1.110, 192.168.1.120, 192.168.1.130, 192.168.1.100
     * the client IP is 192.168.1.110.
     *
     * WARNING: every header below is set by whoever sends the request. Trust them only when
     * getRemoteAddr() is a reverse proxy you control; otherwise any client can send
     * "X-Forwarded-For: 127.0.0.1" and pass the whitelist.
     */
    private String getIpAddress(HttpServletRequest request) {
        for (String header : CLIENT_IP_HEADERS) {
            String ip = request.getHeader(header);
            if (ip != null && ip.length() != 0 && !"unknown".equalsIgnoreCase(ip)) {
                // A multi-hop header reads "client, proxy1, proxy2": take the first entry.
                return ip.split(",")[0].trim();
            }
        }
        return request.getRemoteAddr();
    }
}

Then add the following annotation to the Spring Boot startup class so that the @WebFilter is registered (the base package must cover com.mili.crm.eureka.filter):

@ServletComponentScan("com.mili")

By adjusting shutdown.whitelist you control precisely which source addresses may call these endpoints. Keep in mind that the filter decides on addresses taken from proxy headers, so it is only as strong as the reverse proxy in front of the service: if clients can reach the application directly, or the proxy appends to rather than replaces a client-supplied X-Forwarded-For (as reverse proxies commonly do), the check can be bypassed with a forged header.
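The following is an added example, not code from the original post or from the project it describes. It shows two things. First, that the whitelist above can be bypassed, because getIpAddress() believes X-Forwarded-For no matter who sent it: a request from an outside address carrying the header X-Forwarded-For: 127.0.0.1 (or a forged chain such as 10.18.5.7, 10.18.0.2) is let through. Second, a hardened variant that trusts the header only when the TCP peer (getRemoteAddr()) is one of a configured set of reverse proxies, walks the header from the right so that only the hop appended by that proxy counts, and matches addresses as CIDR ranges instead of string prefixes. The class name, the proxy subnet 10.18.0.0/24 and every address in main() are assumptions constructed for the demonstration. In the four constructed cases, the two forged requests pass the naive check and fail the hardened one, the genuine request via the proxy passes both, and the local IPv6 loopback passes both.

```java
// Added example, not the original post's code: demonstrates the X-Forwarded-For bypass of the
// filter above and a hardened client-IP resolver. The class name, the trusted proxy subnet and
// every address in main() are hypothetical inputs constructed for the demonstration.
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

public class TrustedProxyWhitelist {
    /** One CIDR block such as "10.18.0.0/16"; a bare address means /32 (IPv4) or /128 (IPv6). */
    static final class Cidr {
        private final byte[] network;
        private final int prefixLen;

        Cidr(String spec) {
            String[] parts = spec.split("/");
            try {
                network = InetAddress.getByName(parts[0]).getAddress(); // IP literal: no DNS lookup
            } catch (UnknownHostException e) {
                throw new IllegalArgumentException("not an IP literal: " + spec, e);
            }
            prefixLen = parts.length > 1 ? Integer.parseInt(parts[1]) : network.length * 8;
        }

        boolean contains(String ip) {
            if (ip == null || !ip.matches("[0-9A-Fa-f.:]+")) {
                return false; // not an IP literal: attacker-supplied strings must never reach DNS
            }
            byte[] addr;
            try {
                addr = InetAddress.getByName(ip).getAddress();
            } catch (UnknownHostException e) {
                return false;
            }
            if (addr.length != network.length) {
                return false; // IPv4 range vs IPv6 address, or vice versa
            }
            for (int i = 0; i < prefixLen; i++) { // compare the first prefixLen bits
                int bit = 0x80 >>> (i % 8);
                if ((addr[i / 8] & bit) != (network[i / 8] & bit)) {
                    return false;
                }
            }
            return true;
        }
    }

    static List<Cidr> ranges(String... specs) {
        return Arrays.stream(specs).map(Cidr::new).collect(Collectors.toList());
    }

    static boolean matchesAny(String ip, List<Cidr> ranges) {
        return ranges.stream().anyMatch(range -> range.contains(ip));
    }

    /** The post's logic: believe X-Forwarded-For whoever sent it, then string-prefix match. */
    static boolean naiveAllowed(String remoteAddr, String xForwardedFor, String[] whitelist) {
        String ip = (xForwardedFor == null || xForwardedFor.isEmpty()) ? remoteAddr : xForwardedFor;
        return Arrays.stream(whitelist).anyMatch(ip::startsWith);
    }

    // Hardened: the header only counts if the TCP peer is one of our reverse proxies. Walk it from
    // the right (the hop our proxy appended), skipping trusted proxies; the first untrusted hop is
    // the client as the edge proxy saw it. Whatever the client itself wrote sits further left.
    static String resolveClientIp(String remoteAddr, String xForwardedFor, List<Cidr> trustedProxies) {
        if (xForwardedFor == null || xForwardedFor.isEmpty() || !matchesAny(remoteAddr, trustedProxies)) {
            return remoteAddr; // direct connection or unknown peer: the peer is the client
        }
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!matchesAny(hop, trustedProxies)) {
                return hop;
            }
        }
        return remoteAddr; // every hop was one of our own proxies
    }

    static boolean hardenedAllowed(String remoteAddr, String xForwardedFor,
                                   List<Cidr> whitelist, List<Cidr> trustedProxies) {
        return matchesAny(resolveClientIp(remoteAddr, xForwardedFor, trustedProxies), whitelist);
    }

    public static void main(String[] args) {
        String[] prefixList = {"0:0:0:0:0:0:0:1", "127.0.0.1", "172.16.", "10.18."}; // the post's list
        List<Cidr> whitelist = ranges("::1", "127.0.0.1", "172.16.0.0/16", "10.18.0.0/16"); // as CIDR
        List<Cidr> proxies = ranges("10.18.0.0/24"); // hypothetical reverse-proxy subnet
        String[][] cases = { // {description, getRemoteAddr(), X-Forwarded-For as received}
            {"outside host forges loopback", "203.0.113.5", "127.0.0.1"},
            {"outside host forges a proxy chain", "203.0.113.5", "10.18.5.7, 10.18.0.2"},
            {"operator 10.18.5.7 via proxy 10.18.0.2", "10.18.0.2", "10.18.5.7"},
            {"local IPv6 loopback, no proxy", "0:0:0:0:0:0:0:1", null},
        };
        for (String[] c : cases) {
            System.out.printf("%-40s naive=%-5s hardened=%s%n", c[0],
                    naiveAllowed(c[1], c[2], prefixList), hardenedAllowed(c[1], c[2], whitelist, proxies));
        }
    }
}
```

To apply this in ShutdownFilter, replace getIpAddress() with resolveClientIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), trustedProxies) and isMatchWhitelist() with matchesAny() over CIDR entries; the trusted-proxy list must come from your own deployment configuration, never from the request. If the application is reached without any proxy in front of it, drop the header handling entirely and check getRemoteAddr() alone.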
