Complete flowchart of a client accessing a website

tech 2023-06-20

If you run a website, then by default it is accessible to the whole planet. Many websites are simply not relevant to people in other countries, so you should not expect significant traffic from them as a matter of course.

If you have a local bookstore and your primary market is local people walking into your store, then there is no need to let other countries index your site or consume bandwidth on your server. The same might be true of a carwash, babysitters, or lawn mowing.

If you run a personal or even private website, such as a family blog, you may want to restrict traffic heavily by default.

Here is a screenshot of Awstats telling me that China is responsible for the second-largest volume of traffic to a certain web forum I manage. This is just for January 2015.

While it is certainly possible that Chinese people may find the content of the forum useful, there is really no explanation for this activity. We don't cater specifically for China or advertise to attract Chinese residents. The site does not even offer a Chinese translation or speak to Chinese issues.

I also happen to know that 99% of all brute-force user password attempts are from Chinese IP addresses. Approximately 50 to 100 brute-force attempts at 'guessing' the passwords of legitimate user names come from Chinese IP addresses every day on this site.

The difference between 1.9 million pages and 134,000 pages is pretty large, and 1.86GB of bandwidth is not the end of the world. But when I know that 99% of it is bogus (bots, brute-force attacks, vulnerability scanners, and web crawlers), then why wouldn't I just block China from accessing my site?

There are also reasons against blocking access by country. The obvious example is hotels. Even though they cater only to local people who walk in the door for a stay, foreigners traveling to the area will be searching for hotels before they get there. The same argument can be made for fancy restaurants, resorts, car rentals, commuter services and so on. You will have to decide (and check your web stats!) whether blocking particular countries will benefit you or not.

Below are many of the common ways to block countries, with some pros and cons and code samples.

.htaccess

If you are a web admin, you may know that trying to do some things (like blocking entire countries through .htaccess) is a losing game. Real attackers use proxies or bot farms to do their dirty work. Just because an IP is from China, it doesn't mean blocking that IP will do a lick of good in the long run.

Web admins will rarely block an IP simply because that IP did naughty things once. A real attacker would not use their own personal IP, and there is no guarantee that the IP will always remain with an unscrupulous user.

Legitimate users might use proxies too! Be aware that if you block a not-so-bad country just because you think it is irrelevant to your traffic, you may have legitimate users whose proxy or VPN exits in that country.

It is also a losing game because there are over four billion IPv4 addresses out there and no compact way to segregate them by country. In other words, your .htaccess or Apache config file (or other ACL/firewall) is likely to grow to hundreds of thousands of lines of text if you wanted to block countries yourself this way. It's neither practical nor performant.

If you want to see how many lines it would take in .htaccess to block a country, try using ip2location. To block the US, you need over 150,000 lines of text!

The bottom line is this: do not use .htaccess or Apache config or any other web server ACL to try to block countries. It may be fine for a handful of IPs, but .htaccess files are re-read and re-parsed on every request and are not cached (and even rules in the main config, which is parsed once at startup, are still evaluated one after another on every request); it will hurt you eventually.

TIP: If you are interested in going the .htaccess route anyway, and want an accurate, 'right from the source', daily updated list of IPs by country, you might start by reading what this guy has done to automate things.

The actual code to block an IP using .htaccess can be as simple as this (Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat, the native 2.4 form being the Require directive):

    Order Deny,Allow
    Deny from 1.1.1.1
    Deny from 2.2.2.2
    Deny from 3.3.3.3

You can generate code by using this tool.

You can get much more advanced, such as limiting based on which protocol is used, but this is the basic idea. Your .htaccess file would grow out of control!

Use a Hosting Company That Has Blocking as Part of Their Built-in Controls

This sounds nice, but is very rare. Most hosting companies provide servers in such a way that this is not a feature they can offer. The two main types are:

Bare Metal

A bare metal server or VPS is a machine that you have complete control over. From software firewalls to hosting software and control panels, it's all in your hands.

These might be a DigitalOcean Droplet or a bare metal server from InMotionHosting or Rackspace, for example.

Often when you buy bare metal or a VPS, you do not get to change how the back end is routing. I have not found a host that has country blocking as part of its default plan and configuration. At best they give you a basic firewall for adding IPs to blacklists or whitelists.

Shared Hosting

You might get a server configured with the Plesk control panel or cPanel. These are simply control panels for dealing with databases, emails, backups and many other things. A shared server typically comes with a control panel, but you can't enable network-level controls, since those would also affect the other websites hosted on the shared server with the same IP.

At best, a control panel will let you easily add IPs to a firewall, or allow editing of .htaccess, but I've not seen one with one-click controls to block traffic by country.

Here is my cPanel IP blocker:

In short, the hosting company itself is not likely to help you out here, and you won't be able to block IPs one by one through a control panel!

Country blocking does seem like something you'd think a web host could allow, which is why I included this category, but surprisingly I can't find any that do.

Content Delivery Networks

This is not an all-encompassing solution for your entire website, but it does partially solve the issue. If your website delivers static content like media files, images, or other files, you can use a CDN with built-in geo tools to block access from certain countries.

A big player here is Amazon CloudFront. Read the details page and scroll to the section titled 'Geo Restriction'. Quote:

Geo Restriction or Geoblocking lets you choose the countries in which you want to restrict access to your content. By configuring either a whitelist or a blacklist of countries you can control delivery of your content through Amazon CloudFront only to countries where you have the license to distribute.

Most good CDNs will have some form of geo-restriction. Another example is Akamai, which not only allows blocking by country code, but also lets you block based on its US embargoed country list.

One check that applies to every CDN: the restriction only covers requests that go through the CDN. If the origin (a storage bucket or your own server) still answers directly on its own address, the geo rule is bypassed, so lock the origin down so that only the CDN can fetch from it.

If you have a CDN delivering your content, you probably are not that worried about bandwidth (unless you pay extra for it at the CDN!). But it helps in other ways, such as with licensing if you aren't allowing your media to be viewed or heard in certain countries.

Apache Modules

You don't have to fill your .htaccess file with thousands of lines of IPs. Instead, you can install a C library and an Apache module to do the heavy lifting for you.

MaxMind provides a popular free database that is often used for IP lookups. Their GeoLite2 is a free database that is updated monthly. Their paid product is more accurate and updated more frequently, if you require that.

By using this database and installing one of their various APIs, you can handle traffic as you see fit.

For our purposes, you would need to install the C library (libmaxminddb) as well as the Apache module (mod_maxminddb). Once those are installed and enabled, place the database file somewhere, and then you can set up your country blocks with code as simple as this in the .htaccess or Apache config file:

    MaxMindDBEnable On
    MaxMindDBFile DB /path/to/GeoIP/GeoLite2-Country.mmdb
    MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code
    SetEnvIf MM_COUNTRY_CODE ^(RU|DE|FR) BlockCountry
    Deny from env=BlockCountry

This would block Russia, Germany, and France. Get your two-letter ISO country codes here. Two things to note: Deny from env= is Apache 2.2 syntax (on 2.4 without mod_access_compat, the equivalent is Require not env BlockCountry inside a RequireAll block), and if an address is not in the database the MM_COUNTRY_CODE variable is simply never set, so the request is allowed through. That is fail-open, which is usually what you want for a nuisance block but not for a licensing restriction.

This would perform much better than your server having to parse thousands of lines of text in the .htaccess file on every request!

You do need root-level access to your server to install the library and module, so this is no good on shared hosts or where you don't have such access on a VPS.

This would also work if, for some reason, you wanted specific blocking rules at the folder level.

The Application Layer

The fastest blocking happens when it is off your server entirely, handled upstream at the network level or by a proxy service you point your DNS at, before the traffic ever hits your web server. The next fastest is the software firewall that is part of the operating system, before the traffic reaches your web server software.

We've talked about blocking at the level of the web server, such as with Apache configs or .htaccess, but now we reach the very top, layer 7 of the OSI model, the application layer.

You can block at the application layer by using the same MaxMind databases mentioned before. This time, you install the PHP, .NET or Perl API to help you make geolocation decisions right in your application logic.

This may be necessary if you need to make decisions like showing a different page for different countries or languages, or having completely different offerings based on country, and need to change the core logic of your application in some way.

Read this for an idea of how it's done in PHP.

This is going to be one of the slowest methods, since you have to look up their IP and verify it before your code can fully render a page. Multiply this by thousands of visits a day and you may be dealing with some lag in performance if you are not highly optimized.

I don't prefer doing full blocking at the application layer. By the time the person gets blocked, they have already communicated with your server, sent some data, used bandwidth, taken a few CPU cycles, etc. But in some special cases, this may be exactly the method you require.

One thing to get right at this layer: if your application sits behind a reverse proxy or CDN, the socket address it sees is the proxy's, not the visitor's. Read the client address from the header your proxy sets (X-Forwarded-For or the proxy's own equivalent), and only trust that header when the connection really came from the proxy; otherwise anyone can put a friendly country in the header and walk straight through your block.

App-layer blocking comes in any imaginable form; you can find APIs and data files for whatever language you require. Some pre-built software, especially e-commerce software, more than likely has geo-targeting tools built right in, such as Prestashop. It will change things like the displayed currency based on the geo data.
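The application-layer gate described above, written out as an added example (this is not code from the original article). The country table is a constructed stand-in for a MaxMind or hosted-API lookup, using only documentation address ranges, and TRUSTED_PROXIES is a hypothetical range standing in for whatever addresses your real reverse proxy or CDN connects from. The part worth copying is client_ip: it shows how to take the visitor's address from X-Forwarded-For without letting the visitor choose it.

```python
"""Country gate at the application layer (added example, not from the article).
COUNTRY_TABLE is a constructed stand-in for a GeoIP lookup; TRUSTED_PROXIES is a
hypothetical value for the proxy/CDN that is allowed to set X-Forwarded-For."""
import ipaddress
from functools import lru_cache

# Constructed sample table (prefix -> ISO country code), documentation ranges only.
COUNTRY_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),   # TEST-NET-3, tagged CN for the demo
    (ipaddress.ip_network("198.51.100.0/24"), "US"),  # TEST-NET-2
    (ipaddress.ip_network("2001:db8::/32"), "DE"),    # IPv6 documentation prefix
]
BLOCKED_COUNTRIES = {"CN"}

# Hypothetical: the only addresses whose X-Forwarded-For header we believe.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers):
    """Pick the address to geolocate.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and
    then the rightmost hop that is not itself a trusted proxy is used: entries
    further left were supplied by the client and can say anything. Returns None
    when the real client cannot be determined (no usable header, or garbage)."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr            # direct connection: the socket peer is the client
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None               # malformed hop: trust nothing to its left
        if not is_trusted_proxy(hop):
            return hop
    return None                       # header missing, or every hop was a proxy


@lru_cache(maxsize=100_000)
def country_for(addr):
    """Longest-prefix match in COUNTRY_TABLE; None when the address is unknown.
    Cached so a busy client costs one lookup, not one per request."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, code in COUNTRY_TABLE:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, code)
    return best[1] if best else None


def decide(remote_addr, headers, fail_closed=False):
    """Return (allowed, reason). fail_closed picks the outcome when no country
    can be determined: fail-open suits a nuisance block, fail-closed a licensing
    restriction."""
    addr = client_ip(remote_addr, headers)
    if addr is None:
        return (not fail_closed, "client address undeterminable")
    code = country_for(addr)
    if code is None:
        return (not fail_closed, f"{addr}: country unknown")
    if code in BLOCKED_COUNTRIES:
        return (False, f"{addr}: {code} is blocked")
    return (True, f"{addr}: {code} allowed")


if __name__ == "__main__":
    # A spoofed header on a direct connection is ignored; a real proxy chain is honoured.
    print(decide("198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}))
    print(decide("192.0.2.10", {"X-Forwarded-For": "203.0.113.7, 192.0.2.11"}))
```

Wire decide() into whatever request hook your framework offers (a middleware, a before-request filter) and return a 403 when it says no. The same client_ip logic is what you need before any of the server-side methods on this page will work behind a proxy, since they all read the socket peer address by default.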

Do I Really Have to Deal with APIs and Such?

Of course not! One of the coolest ways to do this at the application layer is with any number of available (and free) web APIs.

For example, freegeoip.net will send you geo data just by accessing their URL in the form "freegeoip.net/{format}/{IP_or_hostname}", where the format is csv, xml, json, or jsonp. (The freegeoip.net service has since been retired; the pattern is the same for any hosted geolocation API.)

All you would have to do is grab the user's IP, send it to the URL and parse the response! Freegeoip allows up to 10,000 queries an hour, but if you need more, you can download their server for free and run your own service!

Not only can you grab the country code, but you can read right down to the city, ZIP, time zone, and GPS coordinates.

Naturally, this method introduces its own lag as you wait for a response from an entirely different domain, but we're not talking seconds here! It's pretty fast, and apparently they can serve 10,000 queries an hour for many users at once, so that is something. Do cache the answer per IP, put a short timeout on the call, and decide up front what happens when the lookup service is slow or down: a blocking call to a third party on every request is an availability dependency your site did not have before.

Routing Tables (Firewall Rules)

I briefly mentioned blocking at the firewall level; this is certainly an option too. It may be one of the least automatable solutions, unless you are a seasoned server admin. (The heading says routing tables, but on Linux this is really the packet filter: iptables or nftables.)

This naturally reduces the overhead on your web server software (such as Apache), and you wouldn't have to do the coding yourself at the application level either.

I would generally think that trying to keep firewall rules up to date with accurate IPs would become a maintenance headache. I wouldn't go this route unless the number of IPs you need to block is minimal and you are very comfortable editing the firewall tables and automating their updates.

In any case, check out ipdeny.com, where you can download country lists as zone files. Their zone file is really just text with one CIDR prefix per line.

For some instructions on using iptables and scripting this process in Linux, read this.

Even though this removes some overhead from the web server, having thousands of rules in the packet filter can introduce overhead of its own kind: ordinary iptables rules are matched one after another, so a 20,000-line chain is up to 20,000 comparisons per packet. (On Linux the usual answer is to load the prefixes into an ipset and match the set from a single rule, which keeps the lookup cheap however long the list.) This really isn't the best method, I think.

This method does have a different effect, though. Any blocked IPs are not just blocked from port 80 web traffic, but from any access to your server whatsoever! Other methods might block China from visiting your web page, but they don't stop anyone from trying to log in as root over SSH!

That kind of hardening is much better done with a default-deny (allow-list) model: block everything except the few services and source addresses you actually need in your firewall, rather than trying to block huge chunks of the planet!

This method is also not for shared hosting or locked-down servers where you can't access the firewall or perform mass updates to it.
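An added example (not from the original article) that serves both the .htaccess section and this one: it takes an ipdeny-style zone file (one CIDR per line) and turns it into the two forms discussed, Apache 'Deny from' lines and an ipset restore script. The zone file in the block is constructed from documentation ranges; a real cn.zone from ipdeny.com has the same shape with thousands of lines. The set name is hypothetical.

```python
"""Zone file -> Apache deny lines / ipset restore script (added example, not the
article's own code). SAMPLE_ZONE is constructed; a real ipdeny zone file is the
same format. Set name and paths are hypothetical."""
import ipaddress

SAMPLE_ZONE = """\
# constructed sample, not a real country allocation
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.0/26
not-an-address
"""


def parse_zone(text):
    """Return the valid networks, skipping blanks, comments and garbage, so one
    bad line never aborts a firewall load half way through."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def aggregate(nets):
    """Merge adjacent and overlapping prefixes (per address family, since
    collapse_addresses refuses mixed input). Fewer rules means fewer comparisons
    per request in Apache and a smaller set in the kernel."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def address_count(nets):
    return sum(n.num_addresses for n in nets)


def htaccess_lines(nets):
    """The Apache 2.2 / mod_access_compat form shown earlier on this page: one
    line per prefix, which is exactly why a whole country is impractical here."""
    return ["Order Deny,Allow"] + [f"Deny from {n}" for n in nets]


def ipset_restore(nets, setname="blocked_countries"):
    """Text for `ipset restore`: fill a temporary set, then swap it in, so a
    refresh never leaves a window with an empty set. hash:net accepts mixed
    prefix lengths; only IPv4 goes into this (family inet) set."""
    tmp = setname + "_tmp"
    lines = [
        f"create {setname} hash:net family inet",
        f"create {tmp} hash:net family inet",
        f"flush {tmp}",
    ]
    lines += [f"add {tmp} {n}" for n in nets if n.version == 4]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets = aggregate(parse_zone(SAMPLE_ZONE))
    print(f"{len(nets)} prefixes covering {address_count(nets)} addresses")
    print("\n".join(htaccess_lines(nets)))
    print(ipset_restore(nets))
```

Load the script with `ipset -exist restore < file` (the -exist option keeps the create lines from failing when the set already exists) and reference the set from a single rule such as `iptables -I INPUT -m set --match-set blocked_countries src -j DROP`; re-running the script on a fresh zone file replaces the contents atomically without touching the iptables rule.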

ModSecurity

ModSecurity is a web application firewall for Apache, IIS, and Nginx that protects against many types of attacks and allows HTTP traffic monitoring, logging, and real-time analysis.

You can install and configure this on a bare server if you have the skills! If you have a host that gives you WebHostManager (WHM), you can configure it from within the WHM interface.

ModSecurity is configured with its own language, the ModSecurity Rule Language, which is designed to work with HTTP transaction data.

ModSecurity is a huge topic all on its own, with many different forms of protection it can offer. For our purposes, though, it has built-in support for the previously-mentioned MaxMind database for GeoIP lookups and rules.

Here is a sample rule for ModSecurity to block China:

    SecGeoLookupDb /path/to/geo/data/GeoIP.dat
    SecRule REMOTE_ADDR "@geoLookup" "chain,id:20,drop,msg:'Block China IP address'"
        SecRule GEO:COUNTRY_CODE "@streq CN"

For this to work, you have to pay attention to which MaxMind database you use, and to your ModSecurity implementation. Three things to check: the drop action (which closes the TCP connection) is only available with ModSecurity on Apache, so use deny elsewhere; if the address is not in the database, GEO:COUNTRY_CODE is empty, the chain does not match and the request is allowed (fail-open); and if the server sits behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the rule is meaningless until something like mod_remoteip restores the real client address.

If you use WHM, here is what you would do.

First, download the legacy country database found here. It's important to get the legacy database in *.dat format, as the Apache ModSecurity module at the time could not use the newer *.mmdb format. (MaxMind discontinued the legacy GeoLite databases in January 2019, so the download URL below no longer works; newer ModSecurity builds linked against libmaxminddb can read GeoLite2 .mmdb files, so check what your version supports.)

A faster way is to first create a folder to store the database file; I used /usr/share/geoip/, which is pretty common.

Use this command to download the file each month (it updated on the first Tuesday of the month):

    wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

Many people download the latest version on Wednesday or Thursday, just in case MaxMind is behind in updating the file.

Once it downloads, extract it with this command:

    gzip -df GeoIP.dat.gz

The switches tell it to decompress (-d) and to force overwriting the existing file (-f).

Now, log in to WHM and go to Security Center -> ModSecurity Configuration. Scroll down to 'Geolocation Database' and put in the path from above.

You should also make sure the Rules Engine is set to process rules. Then save the changes.

Next, go to the ModSecurity Tools section. You will see the current 'Hits List' showing actions performed by any active rules. Click the 'Rules List' button and then click 'Add Rule'.

Copy this rule:

    # Test IP address and block by country code
    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking China IP Address'"
        SecRule GEO:COUNTRY_CODE "@streq CN"

Click the checkbox to 'Enable Rule' as well as the checkbox to 'Deploy and Restart Apache', and then Save.

Within no time, you should see your new rule blocking some traffic.

Just be sure to know that if you use this technique, it will block for ALL domains hosted under WHM! If you want to block based only on particular domains, you'll need additional configuration. None of my domains hosted on this WHM server need readership from China, so I've chosen to block for all domains.

Also note that if your WHM doesn't have the menu like mine does, you may not be up to date. Make sure you're on the latest, which at this time happens to be 11.48.0 (build 12).

If you don't have WHM, you would have to install and configure ModSecurity manually, and likely use the other (non-legacy) database as well.
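The monthly wget-and-gzip step above has one failure mode worth closing: a truncated or corrupt download decompressed straight over the live file leaves ModSecurity with a database it cannot open. The following is an added example (not the article's script) of the same refresh done safely: the archive is checked before anything is written, the new file is written beside the old one and renamed into place atomically, and nothing is touched when the contents are unchanged. The fetch function is injected so the block runs offline on constructed bytes; in production you pass a function that downloads the URL. Paths are hypothetical.

```python
"""Safe refresh of a GeoIP database file (added example, not from the article).
`fetch` is injected: the demo feeds constructed gzip bytes, a real caller passes
a function that downloads the archive. Paths are hypothetical."""
import gzip
import hashlib
import os
import tempfile
import zlib


def decompress_verified(gz_bytes):
    """Return the decompressed payload, or None if the archive is not gzip,
    truncated, or fails its CRC. gzip's trailer carries a CRC32 and length, so a
    short download is caught here instead of at Apache restart time."""
    try:
        return gzip.decompress(gz_bytes)
    except (OSError, EOFError, zlib.error):  # BadGzipFile is an OSError subclass
        return None


def digest(data):
    return hashlib.sha256(data).hexdigest()


def refresh(db_path, fetch):
    """Fetch, verify, and atomically replace db_path. Returns 'rejected' (bad
    archive, old file untouched), 'unchanged' (same bytes as on disk) or
    'updated' (new file renamed into place)."""
    payload = decompress_verified(fetch())
    if not payload:
        return "rejected"
    if os.path.exists(db_path):
        with open(db_path, "rb") as f:
            if digest(f.read()) == digest(payload):
                return "unchanged"
    # Write into the same directory so os.replace is a rename, not a copy.
    dirname = os.path.dirname(os.path.abspath(db_path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".geoip-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(payload)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o644)          # mkstemp creates 0600; Apache workers must read it
        os.replace(tmp, db_path)      # atomic: readers see the old file or the new one
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return "updated"


if __name__ == "__main__":
    # Constructed stand-in for the download; a real run would use a URL fetch.
    sample = gzip.compress(b"constructed database bytes")
    print(refresh("/tmp/GeoIP.dat", lambda: sample))
```

ModSecurity reads SecGeoLookupDb when Apache starts, so after an 'updated' result schedule a graceful restart; on 'rejected' or 'unchanged' there is nothing to do, which is the point of returning a status instead of always restarting.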

Also…

You should check out the offerings at ConfigServer as well. Not only do they have their own security and firewall product, but it integrates with cPanel products. They even have a plugin for WHM/cPanel for added control of ModSecurity.

The WAF (Web Application Firewall) space has many options and is a large topic on its own. There are many contenders here, and even hardware appliances that do this work, such as those from Barracuda.

Use a Proxy Service on Your Domain

Our last method involves hiding your domain behind a proxy service that essentially handles all the source traffic before forwarding it on to your server.

This works at the DNS level, and often all you need to do is change DNS settings to use them.

The most famous player here is going to be CloudFlare, by a landslide.

Not only does your site work by going through their proxy, but they also provide security features, content delivery and many other controls. If you have a small(ish) site and don't require their advanced features, there is almost no reason why you shouldn't protect your site behind their completely free plan. View plans for details. And did I mention they are pretty good at dealing with DoS attacks?

They also act as a reverse proxy, with CDN services, serving your content from geo-targeted servers. Because of this, they can inject content into your site, such as additional analytics or various 'apps' you can add. An example of an app is the 'A Better Browser' app, which notifies your users if they use an out-of-date browser. They do this without you having to code anything additional into your site or build that logic yourself.

Blocking a country couldn't be easier. Just log in and go to 'Threat Control', then where it says 'Add custom rule', start typing the full country name and click it in the dropdown list. Click the big red 'Block' button and you're done!

Block any countries you need to, and then you'll see them listed in your 'Block list'.

One check that matters with any proxy-based block: the proxy only sees traffic that goes through it. If your origin server still answers on its own public IP, anyone who finds that address (old DNS records, certificate transparency logs, the Received headers of mail your server sends) skips the proxy, and the country block with it. Restrict the origin's firewall to the proxy's published address ranges so the proxy is the only way in.

This may be the fastest and easiest way to enable some level of protection, CDN support, reverse proxy caching, and country-blocking abilities on a domain. You can stick your domain on CloudFlare and get it protected and set up in about 10 minutes.

I will mention one other player here, and that is Incapsula. They do a lot of the same stuff and compete directly with CloudFlare. They also have a free plan you can use on unlimited domains with basic features. With CloudFlare you have to change your NS records, but Incapsula requires only a CNAME, which may better fit how your DNS is handled.

If you are serious about using proxy services (and you should highly consider it anyway), do research on both CloudFlare and Incapsula for the best option for your needs.

tl;dr – There just happens to be a fairly in-depth analysis of CloudFlare vs. Incapsula vs. ModSecurity on Slideshare by Zero Science Lab; check it out.

A Summary Note about Security

I spent a little more time on ModSecurity and CloudFlare because I tend to believe those are your best options today. I don't think you should be bothering with .htaccess or firewall rules. Some situations may require geo-restrictions at the application layer, so that is a good option where necessary.

At the end of the day, you should really be looking into CloudFlare, Incapsula, and ModSecurity to provide you with a large degree of protection against today's attacks and security issues. Or look into other WAF solutions.

When you install ModSecurity with WHM, there are many default rules that begin protecting you from things you never even thought about. For example, mine started blocking requests using the method 'COOK' as opposed to GET or POST. Why? Because the rule set only permits the request methods you have configured (GET, POST, HEAD and a few others) and rejects anything else outright. 'COOK' is not an HTTP method at all; a request using it comes from a broken client or a scanner probing how the server reacts to unexpected input, and rejecting it before it reaches your application is exactly the point.

If you install ModSecurity from scratch, it comes with no rules by default. The most common thing to do is install a ready-made rule set. The best is the OWASP ModSecurity Core Rule Set (CRS). This protects against many known attack techniques and bad behaviors, such as requesting content with the COOK method!

If you use ModSecurity, you have to watch out for false positives. Be prepared to deal with them, and watch for blocked traffic you would normally have allowed. Keep an eye on the logs for anything interesting. Running a new rule set with SecRuleEngine DetectionOnly for a while first lets you see in the logs what would have been blocked before anything actually is.

Further Reading

If you're looking for some additional, related reading, why not try:

The Battle of CDNs: Comparing CloudFlare and Incapsula

5 Reasons Why You Should Be Using a CDN with WordPress

Content Delivery Networks (CDN): Get to the Edge!

Conclusion

I didn't have the space to provide exact install and code examples for every method of blocking countries, but I hope you found something useful just the same.

There are some web admins who would slap me silly for even suggesting blocking countries at all, but it is totally up to you, and you may have perfectly valid reasons for doing it on your own domains, so I don't care!

I would also like to know if you know any web hosts that have built-in, out-of-the-box support for geo-restrictions with no fuss or advanced setup. I couldn't find any!

If I missed some techniques, feel free to share them. If you'd like a more in-depth article on using a particular technique in a particular environment, maybe we can kick up that discussion in the forums.

Translated from: https://www.sitepoint.com/how-to-block-entire-countries-from-accessing-website/