有的时候服务被访问的时候可能会存在一些CORS漏洞,这里我们就需要设置下Access-Control-Allow-Origin,但是这个服务如果是通过istio来进行管理,那么我们怎么来限制哪些域名可以进行访问我们的服务呢?下面我们来配置下
服务部署
首先我们在k8s中部署一个nginx服务
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
| apiVersion: apps/v1
kind: Deployment
metadata:
labels:
k8s-app: nginx
qcloud-app: nginx
name: nginx
namespace: mesh
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: nginx
qcloud-app: nginx
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
labels:
k8s-app: nginx
qcloud-app: nginx
spec:
containers:
- image: nginx
imagePullPolicy: Always
name: nginx
resources:
limits:
cpu: 500m
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
securityContext:
privileged: false
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
|
部署Gateway
这里我们用公网的ingress作为访问的入口,绑定88端口进行访问
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: nginx-gw
namespace: mesh
spec:
servers:
- port:
number: 88
name: HTTP-88-2qiw
protocol: HTTP
hosts:
- '*'
selector:
app: istio-ingressgateway
istio: ingressgateway
|
VirtualService不做任何限制
我们正常部署一个VirtualService,不做任何Origin限制,这里返回头Access-Control-Allow-Origin里面应该是*
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: nginx-vs
namespace: mesh
spec:
hosts:
- '*'
gateways:
- mesh/nginx-gw
http:
- route:
- destination:
host: nginx.mesh.svc.cluster.local
|
下面我们测试下看看,access-control-allow-origin返回确实是*
1
2
3
4
5
6
7
8
9
| [root@VM-0-3-centos grpcurl]
HTTP/1.1 200 OK
server: istio-envoy
date: Sat, 20 Mar 2021 11:18:16 GMT
content-type: text/html; charset=utf-8
content-length: 9593
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 2
|
VirtualService加上Origins限制
这里我们只允许origin带这2个域名才能访问nginx.niewx.cn和test.niewx.cn,注意下这里用的正则匹配,如果有多个域名用|分割开,如果有https和http可以在https后面加个?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: nginx-vs
namespace: mesh
spec:
hosts:
- '*'
gateways:
- mesh/nginx-gw
http:
- route:
- destination:
host: nginx.mesh.svc.cluster.local
corsPolicy:
allowOrigins:
- regex: 'https?://nginx.niewx.cn|https?://test.niewx.cn'
|
下面我们来测试下,看下请求里面origin带的域名在我们的配置里面会怎么样,不在我们配置的域名会怎么样
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
| [root@baron-cvm ~]
* About to connect() to 106.55.219.93 port 88 (#0)
* Trying 106.55.219.93...
* Connected to 106.55.219.93 (106.55.219.93) port 88 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 106.55.219.93:88
> Accept: */*
> Origin: https://test.niewx.cn
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< server: istio-envoy
server: istio-envoy
< date: Sun, 21 Mar 2021 12:52:07 GMT
date: Sun, 21 Mar 2021 12:52:07 GMT
< content-type: text/html
content-type: text/html
< content-length: 612
content-length: 612
< last-modified: Tue, 09 Mar 2021 15:27:51 GMT
last-modified: Tue, 09 Mar 2021 15:27:51 GMT
< etag: "604793f7-264"
etag: "604793f7-264"
< accept-ranges: bytes
accept-ranges: bytes
< x-envoy-upstream-service-time: 0
x-envoy-upstream-service-time: 0
< access-control-allow-origin: https://test.niewx.cn
access-control-allow-origin: https://test.niewx.cn
<
* Connection
[root@baron-cvm ~]
* About to connect() to 106.55.219.93 port 88 (#0)
* Trying 106.55.219.93...
* Connected to 106.55.219.93 (106.55.219.93) port 88 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 106.55.219.93:88
> Accept: */*
> Origin: https://nginx.niewx.cn
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< server: istio-envoy
server: istio-envoy
< date: Sun, 21 Mar 2021 12:52:16 GMT
date: Sun, 21 Mar 2021 12:52:16 GMT
< content-type: text/html
content-type: text/html
< content-length: 612
content-length: 612
< last-modified: Tue, 09 Mar 2021 15:27:51 GMT
last-modified: Tue, 09 Mar 2021 15:27:51 GMT
< etag: "604793f7-264"
etag: "604793f7-264"
< accept-ranges: bytes
accept-ranges: bytes
< x-envoy-upstream-service-time: 0
x-envoy-upstream-service-time: 0
< access-control-allow-origin: https://nginx.niewx.cn
access-control-allow-origin: https://nginx.niewx.cn
<
* Connection
[root@baron-cvm ~]
* About to connect() to 106.55.219.93 port 88 (#0)
* Trying 106.55.219.93...
* Connected to 106.55.219.93 (106.55.219.93) port 88 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 106.55.219.93:88
> Accept: */*
> Origin: https://example.niewx.cn
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< server: istio-envoy
server: istio-envoy
< date: Sun, 21 Mar 2021 12:52:28 GMT
date: Sun, 21 Mar 2021 12:52:28 GMT
< content-type: text/html
content-type: text/html
< content-length: 612
content-length: 612
< last-modified: Tue, 09 Mar 2021 15:27:51 GMT
last-modified: Tue, 09 Mar 2021 15:27:51 GMT
< etag: "604793f7-264"
etag: "604793f7-264"
< accept-ranges: bytes
accept-ranges: bytes
< x-envoy-upstream-service-time: 1
x-envoy-upstream-service-time: 1
<
* Connection
|
从上面测试,我们分别用了test.niewx.cn、nginx.test.cn、example.niewx.cn这3个域名的https方式作为origin去请求我们的gateway,发现不在我们配置的allowOrigins白名单里面access-control-allow-origin这个字段是不存在的。但是我们发现example.niewx.cn这个域名不在allowOrigins配置,发起请求还是能正常返回内容,这是因为这里nginx的后端处理逻辑是这样,如果需要response不返回内容,需要在后端代码进行处理下跨域请求才行,配置下不在access-control-allow-origin里面就返回其他错误码。