Kong implements ban on foreign IP access
2022-08-11 04:52:00 【love in namxin】
I. Requirement background
Recently the company noticed scanning activity in its access logs from foreign and other non-mainland-China IPs. Because the company's business operates only in mainland China, blocking foreign IPs was judged necessary to harden the system. It also stops underground fraud operators (黑产) from attacking the business through foreign proxy IPs.
A quick search shows that most people use the nginx module nginx_geoip2_module together with the free GeoLite2 IP database, configured so that only IPs geolocated to CN (China) may access the site, while everything else gets a 403 Forbidden. The other solutions follow the same idea: download an offline IP database, look up the client IP to get its attribution (country, province, city and so on), and then decide whether that IP may access the resource.
I wanted to use this approach at first, but our situation is a bit awkward. The system our earlier business is deployed on is CentOS 6.3, which is long out of date, and recompiling nginx to add the geoip2 module is risky: if it takes the business down, the loss would far outweigh the gain. Another concern is that the accuracy of the free GeoLite2 database for domestic (Chinese) IPs is not particularly high, and I worried that the error rate in production would be too large, so I finally abandoned this plan.
II. Custom Kong plugin
Fortunately, all our traffic first passes through a single Nginx as the overall entry point and is then load-balanced into the Kong cluster. The front Nginx does nothing specific. Since the front Nginx cannot do this job, implementing it in Kong in the form of a plugin is a perfectly good option.
Following the same idea, and given that GeoLite2's accuracy is not good enough, I compared several IP databases and finally settled on the IP database of the ip2region project. GitHub address: https://github.com/lionsoul2014/ip2region
Why choose ip2region?
1. The IP database is relatively accurate.
2. Queries are fast and SDKs exist for many languages; crucially, Lua is supported (haha, otherwise writing the plugin would be no fun). I tested it by loading the database in memory mode and then querying: a single IP lookup takes about 10 microseconds, which is acceptable. If the performance loss were too large, Kong as the gateway entry point would add a lot of overhead and could drag down the business.
So the idea is now quite simple: write a Kong plugin in Lua that gets the client's IP address, queries its attribution through ip2region, and only lets the request through if the country is "China" (Hong Kong, Macao and Taiwan can be excluded, for example) or the IP is an intranet address such as 192.168.x.x or 10.x.x.x; otherwise it responds with 403 Forbidden.
If you don't know how to write a Kong plugin, see my earlier post: 2022 latest Kong plugin development tutorial.
I still ran into some problems along the way. For example, the Lua client SDK provided by ip2region requires at least Lua 5.3, because the source uses the bitwise operators <<, >>, &, | and so on, while the Lua used by our Kong is 5.1, which has no bitwise operators. I solved this by installing the bit32 Lua library and replacing each operator with the corresponding bit32 function. To verify that nothing broke, I used the official bench_test to run millions of IPs and output the attribution of every IP; the two sets of results were identical, which confirms it is OK.
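To make the decision logic concrete, here is an added example of the plugin's access phase, written for this post and not taken from the open-sourced plugin: intranet ranges pass, everything else must resolve to mainland China via ip2region, and bit32 stands in for the Lua 5.3 operators mentioned above. The xdb_searcher module name with its load_content_from_file()/new_with_buffer()/search() calls, the region-string layout "country|area|province|city|isp", the database path and the 172.16/12 range are assumptions.

```lua
-- Added example, not the kong-plugin-ip-region-restriction code itself.
-- Assumed: ip2region SDK module/calls, region layout "国家|区域|省份|城市|ISP", db path.
local bit32 = require "bit32"             -- Kong's Lua is 5.1: no <<, >>, &, |
local DB_PATH = "/etc/kong/ip2region.xdb" -- placeholder path
local xdb = require "xdb_searcher"        -- assumed SDK module name
local searcher = xdb.new_with_buffer(xdb.load_content_from_file(DB_PATH)) -- memory mode

-- Intranet ranges allowed through (172.16/12 added beyond the post's two).
local PRIVATE_CIDRS = { {"10.0.0.0", 8}, {"172.16.0.0", 12}, {"192.168.0.0", 16} }
local EXCLUDED_PROVINCES = { ["香港"] = true, ["澳门"] = true, ["台湾"] = true }

-- Dotted IPv4 -> unsigned 32-bit number, using bit32 in place of << and |.
local function ipv4_to_int(ip)
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  return bit32.bor(bit32.lshift(tonumber(a), 24), bit32.lshift(tonumber(b), 16),
                   bit32.lshift(tonumber(c), 8), tonumber(d))
end

local function in_cidr(ip_int, base, prefix)
  local mask = bit32.lshift(0xFFFFFFFF, 32 - prefix)
  return bit32.band(ip_int, mask) == bit32.band(ipv4_to_int(base), mask)
end

-- Policy: intranet always passes; otherwise the country must be 中国 and the
-- province must not be an excluded region. Returns ok and a reason for logging.
local function is_allowed(ip, region)
  local ip_int = ipv4_to_int(ip)
  if not ip_int then return false, "unparseable ip" end
  for _, c in ipairs(PRIVATE_CIDRS) do
    if in_cidr(ip_int, c[1], c[2]) then return true end
  end
  local country, _, province = region:match("^([^|]*)|([^|]*)|([^|]*)")
  if country ~= "中国" then return false, "country=" .. tostring(country) end
  if EXCLUDED_PROVINCES[province] then return false, "region=" .. province end
  return true
end

local Handler = { PRIORITY = 990, VERSION = "0.1.0" }

function Handler:access(conf)
  -- get_forwarded_ip() honours X-Forwarded-For only from Kong's trusted_ips, so the
  -- front Nginx must be listed there or every request appears to come from it.
  local ip = kong.client.get_forwarded_ip()
  local region = searcher:search(ip) or ""
  local ok, reason = is_allowed(ip, region)
  if not ok then
    kong.log.notice("ip-region-restriction blocked ", ip, " (", reason, ")")
    return kong.response.exit(403, { message = "Forbidden" })
  end
end

return Handler
```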
III. Effect demonstration
Global accessibility test of the website: http://www.webkaka.com/UrlCheck.aspx
All requests from non-mainland IPs are rejected with 403 Forbidden.

The new plugin as shown on Kong's loaded-plugins page:

The Kong plugin configuration page:
IV. Open-source address
I looked through many Kong plugins but could not find a suitable one implementing this function, so I have open-sourced the source code of my implementation; anyone who needs it can refer to it.
Project address: https://github.com/dream-mo/kong-plugin-ip-region-restriction