This task was taken over from Mr. Mi (MI Xinjiang's blog). The purpose is to add a restriction to the examination system so that students cannot log in from outside the examination room's LAN.
Filtering by IP address sounds easy: in the end you check the visitor's IP address and decide whether it may access the examination system. Doing it well, however, is not easy. What follows is a summary of the development process.
I. Engineering foundation: database design.
To design a project you must start from the requirements: the requirements determine the interface, and the interface determines the database. Because the requirements here are simple, I designed the database directly.
When designing the database I treated IP address filtering as what it essentially is, a firewall, much like the firewall on a mobile phone, and so added a rule feature to it. There are three pre-defined rules: disabled, block only the blacklist, and allow only the whitelist. After several rounds of refinement the final database structure is as follows:
Briefly describe the design ideas:
Current rule table: stores the rule in use. Depending on the rule, validation reads a different table (the blacklist or the whitelist).
Blacklist and whitelist tables: store prohibited and permitted IP addresses respectively. Each entry holds one IP address; IP segments are also supported by wildcarding an octet, for example 192.167.25.*.
IP-MAC information table: effectively the information library. Once an IP address has passed the blacklist/whitelist check, this table is used to verify that the IP address really belongs to the MAC address on record, because someone may have changed their own IP address to impersonate a permitted one, in which case the IP address will not match the recorded MAC address.
In short, it is generally necessary to verify the IP address and the MAC address together. Verifying only the IP address is too insecure, because forging an IP address on a LAN is very easy. For Internet addresses, verifying the IP address is enough, since a public IP address is unique (though several machines behind one NAT gateway will share it).
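As an added illustration (not code from the examination system or from Mr. Mi's blog), the following Python sketch applies the three tables above in the order described: the current rule decides which list is consulted, an entry may wildcard an octet, and for LAN clients the IP-MAC table is checked afterwards. The table shapes, the rule names and the sample entries are assumptions made for this example.

```python
"""Rule evaluation for the blacklist / whitelist / IP-MAC design.

Added example, not the exam system's own code. The table layouts (a rule
name, two lists of patterns, and an ip -> mac dict) are assumptions.
"""

# The three pre-defined rules from the "current rule" table.
RULE_DISABLED = "disabled"      # filtering switched off
RULE_BLACKLIST = "blacklist"    # block addresses in the blacklist table
RULE_WHITELIST = "whitelist"    # allow only addresses in the whitelist table


def ip_matches(pattern: str, ip: str) -> bool:
    """Match a dotted-quad IP against an entry such as '192.167.25.*'.

    A '*' in an octet position matches that octet; every other octet must
    be equal. Anything that is not four dot-separated parts never matches.
    """
    p_parts, ip_parts = pattern.strip().split("."), ip.strip().split(".")
    if len(p_parts) != 4 or len(ip_parts) != 4:
        return False
    return all(p == "*" or p == o for p, o in zip(p_parts, ip_parts))


def in_list(ip: str, entries) -> bool:
    """True if any blacklist/whitelist entry matches the address."""
    return any(ip_matches(e, ip) for e in entries)


def normalize_mac(mac: str) -> str:
    """'00:11:22:33:44:55' and '00-11-22-33-44-55' compare equal."""
    return mac.strip().upper().replace(":", "-")


def check_access(ip, mac, current_rule, blacklist, whitelist, ip_mac_table,
                 lan_client=True):
    """Return (allowed, reason).

    Step 1 applies the current rule to the IP address alone.
    Step 2 (LAN clients only) checks the IP-MAC binding, because an IP
    address is trivially changed on a LAN while the MAC address is not.
    """
    if current_rule == RULE_DISABLED:
        return True, "filter disabled"
    if current_rule == RULE_BLACKLIST and in_list(ip, blacklist):
        return False, "ip blacklisted"
    if current_rule == RULE_WHITELIST and not in_list(ip, whitelist):
        return False, "ip not whitelisted"
    if lan_client:
        bound = ip_mac_table.get(ip)
        if bound is None:
            return False, "ip has no registered mac"
        if mac is None or normalize_mac(bound) != normalize_mac(mac):
            return False, "ip-mac mismatch"
    return True, "ok"


# Constructed sample tables for the demonstration (not real data).
BLACKLIST = ["192.167.25.*", "10.0.0.5"]
WHITELIST = ["192.168.1.*"]
IP_MAC_TABLE = {
    "192.168.1.10": "00-11-22-33-44-55",
    "192.167.25.8": "AA-BB-CC-DD-EE-FF",
}

if __name__ == "__main__":
    cases = [
        ("192.168.1.10", "00:11:22:33:44:55", RULE_WHITELIST),  # genuine machine
        ("192.168.1.10", "00:11:22:33:44:99", RULE_WHITELIST),  # forged IP, wrong MAC
        ("192.167.25.8", "AA-BB-CC-DD-EE-FF", RULE_BLACKLIST),  # blocked segment
    ]
    for ip, mac, rule in cases:
        print(ip, rule, check_access(ip, mac, rule, BLACKLIST, WHITELIST, IP_MAC_TABLE))
```

The `lan_client` flag captures the last paragraph above: for a public address the MAC check is skipped, because the server has no way to learn a remote MAC across the Internet anyway, so only the rule step applies there.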
II. Code work path: try to obtain the visitor's IP address and MAC address on the web side.
Before looking into the relevant techniques I already felt this would be an arduous task, because MAC information is very sensitive. The investigation confirmed it: obtaining the visitor's IP address on the web side is easy, but obtaining the MAC address from a web page is close to a fantasy, precisely because it is so sensitive.
There are three ways to obtain the client MAC (overview only):
- Through an ActiveX control. Disadvantages: only works in IE, and IE's security settings must be set very low; never mind whether the user agrees, Microsoft is the first to object and a security warning pops up constantly. Advantages: fast, accurate and reliable results, usable on both the intranet and the Internet.
- By calling the Windows API, based on ARP requests. Disadvantages: only works within the LAN and is useless over the Internet; even on a LAN the target must be in the same subnet, otherwise nothing is obtained. Advantages: fast, browser-independent, good compatibility.
- By running a CMD command. Disadvantages: slow, noticeably so for a web page, and the result is not reliable. Advantages: browser-independent and compatible, usable on both the intranet and the Internet.
III. Code work path: obtain the visitor's IP address and MAC address from a client program.
After consulting Mr. Mi, I finally decided to have a client program obtain the visitor's IP address and MAC address. To use the examination system, you must first download and install the client. This makes obtaining the visitor's IP and MAC easy, and it also lets the server take the initiative and control users more tightly.
This introduces a new problem: security. Because the information is collected by the client and then passed to the web site as request parameters, it can be forged by hand.
The first solution was to encrypt the passed parameters with an algorithm, so that they cannot be modified or constructed by hand.
I thought this would work. A few days later I suddenly realised it would not. Suppose computer A is allowed to access the site and computer B is not: the parameters the client builds on A are valid, and the ones built on B are invalid. If someone captures the valid parameters on A and copies them to B by hand, B can log in with A's parameters, and the server has no way of knowing it has been fooled. The parameters are encrypted, but however they are encrypted it makes no difference.
The heart of the problem is how to tell whether the parameters the web site receives were built by the client or forged by hand. The answer: they cannot be told apart!
Since they cannot be told apart, look at it from another angle. Inspired by online storage services, a validity period can be attached to the parameters the client builds. When the client generates the parameters it adds an expiry, say 2 seconds. When the web site receives the parameters it checks whether they have expired. Because the parameters are encrypted, the validity period cannot be changed unless the attacker knows both the encryption algorithm and the key.
This makes manual forgery nearly impossible: the parameters are valid for only 2 seconds, and building, transmitting, receiving and checking them already takes about that long, so a copy taken elsewhere has expired by the time it is replayed.
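To make the validity-period idea concrete, here is an added example (not the examination system's own code) of both halves of the exchange: the client binds the IP, MAC and server-issued time together, and the server rejects anything edited, expired or issued in the future. The post encrypts the parameters; this sketch uses an HMAC instead, since what the server needs is proof that the fields were not modified, and a keyed MAC gives exactly that without having to hide the fields. The shared key, field names, the 2-second window and the clock-skew allowance are assumptions.

```python
"""Short-lived, tamper-evident client parameters (added example).

Not the exam system's code: HMAC-SHA256 stands in for the post's encryption,
and the key, field names and validity period are assumptions.
"""
import base64
import hashlib
import hmac
import json

TTL_SECONDS = 2.0       # validity period chosen in the post
CLOCK_SKEW = 0.5        # tolerated client/server clock difference (assumed)
TAG_LEN = 32            # HMAC-SHA256 output length in bytes

# Constructed demo key; a real deployment would generate its own.
DEMO_KEY = b"exam-system-demo-key-not-real"


def build_params(ip: str, mac: str, server_time: float, key: bytes) -> str:
    """Client side: bind IP, MAC and the server-issued time into one token.

    server_time comes from the server time interface, so the expiry is judged
    against the server's clock and not the client's.
    """
    payload = json.dumps(
        {"ip": ip, "mac": mac, "t": round(server_time, 3)},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_params(token: str, key: bytes, now: float, ttl: float = TTL_SECONDS):
    """Server side: returns (fields, status); fields is None unless status is 'ok'."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                      # binascii.Error is a ValueError
        return None, "malformed"
    if len(raw) <= TAG_LEN:
        return None, "malformed"
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # any edit to ip/mac/t lands here
        return None, "bad signature"
    fields = json.loads(payload)
    age = now - fields["t"]
    if age < -CLOCK_SKEW:
        return None, "issued in the future"
    if age > ttl:
        return None, "expired"
    return fields, "ok"


def extend_validity_without_key(token: str, extra_seconds: float) -> str:
    """What someone without the key can try: move the timestamp, keep the old tag."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    fields = json.loads(payload)
    fields["t"] = round(fields["t"] + extra_seconds, 3)
    new_payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(new_payload + tag).decode()


if __name__ == "__main__":
    issued = 1700000000.0                      # constructed server timestamp
    tok = build_params("192.168.1.10", "00-11-22-33-44-55", issued, DEMO_KEY)
    print("fresh   :", verify_params(tok, DEMO_KEY, now=issued + 1.0)[1])
    print("replayed:", verify_params(tok, DEMO_KEY, now=issued + 2.5)[1])
    print("edited  :", verify_params(extend_validity_without_key(tok, 100), DEMO_KEY, now=issued + 101)[1])
```

Two things this check cannot do, and they match the post's own analysis: a copy captured on computer A and replayed on B inside the 2-second window still verifies (the window only shrinks the opportunity, it does not identify the machine), and the key has to be present inside the client, so "unless they know the algorithm" really means "unless they extract the key from the client"; the algorithm itself should be assumed public.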
IV. Division of responsibilities between the web side and the client.
To keep the program as flexible as possible, the web side has the following responsibilities:
- Rule, blacklist and whitelist management pages, that is, back-end control of the entire IP filtering system.
- Error pages. For example, when the client is not installed, when access from the IP address is prohibited, or when the parameters are invalid, the error message is displayed flexibly on an error page, and the client download prompt is shown or hidden depending on the error type.
- An IP scanning interface. Inspired by Sangfor's network monitoring, this provides a scan mode: as long as the client is installed on a computer, the server can send it a command to call the scan interface, which records the computer's IP-MAC information in the database automatically, updating the entry if it already exists and adding it if not, with no manual intervention.
- A server time interface. The validity period of the parameters the client builds must be based on the server's time.
- A client parameter interface. Almost all client parameters are fetched from the server, which gives much more flexible control over the client: the client does not need to be modified later, so it is compiled once and runs indefinitely.
The client has the following responsibilities:
- Obtain configuration information from the server.
- Monitor the browser URL.
- Obtain the visitor's IP address and MAC address and build the parameters.
Put simply, the client acts according to the server's wishes.
With that, an IP address filtering function is complete. This summary is only the theory; the code will not be posted. I hope to hear from you so that we can learn from each other.
Finally, I would like to thank Mr. Mi. Much gratitude!