
This is a follow-up to another question about reCAPTCHA and GCA.

I have a GKE application in the following setup:

  • the frontend application is served at example.com
  • the backend application is served at api.example.com

I expose these workloads through an Ingress and everything looks fine. I want to protect the application with Cloud Armor. I added the annotation to the api service. I can confirm that if the policy has only one rule, "deny all IPs", I cannot reach the backend endpoint, and if I change the rule to "allow all IPs", I can. So GCA itself works fine.

I am trying to hook up reCAPTCHA Enterprise and have Google Cloud Armor interpret its score, but I cannot get it to work. I created the following rule, but whatever value I use for token.recaptcha.score does not seem to be interpreted.

I have the following 3 rules:

  • Priority: 500, expression: "request.method == 'OPTIONS'"
  • Priority: 1000, expression: "token.recaptcha.score > 0.1"
  • Priority: 2147483647, expression: deny(403) from *

I can see the OPTIONS request getting through:

{
  "insertId": "1xxxr",
  "jsonPayload": {
    "@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry",
    "enforcedSecurityPolicy": {
      "priority": 500,
      "configuredAction": "ALLOW",
      "outcome": "ACCEPT",
      "name": "login-security-policy"
    },
    "statusDetails": "response_sent_by_backend"
  },
  "httpRequest": {
    "requestMethod": "OPTIONS",
    "requestUrl": "https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AxxxE",
    "requestSize": "97",
    "status": 200,
    "responseSize": "367",
    "userAgent": "XXX",
    "remoteIp": "XX.XX.XX.XX",
    "referer": "https://example.com/",
    "serverIp": "10.10.0.33",
    "latency": "0.126041s"
  },
  "resource": {
    "type": "http_load_balancer",
    "labels": {
      "project_id": "xxx",
      "zone": "global",
      "url_map_name": "k8s2-um-dxxxd-default-main-ixxxq",
      "backend_service_name": "k8s-be-3xxx9--9xxx9",
      "target_proxy_name": "k8s2-ts-dxxxd-default-main-ixxxq",
      "forwarding_rule_name": "k8s2-fs-dxxxd-default-main-ixxxq"
    }
  },
  "timestamp": "2021-12-21T18:28:42.103879Z",
  "severity": "INFO",
  "logName": "projects/xxx/logs/requests",
  "trace": "projects/xxx/traces/3xxx2",
  "receiveTimestamp": "2021-12-21T18:28:43.228371341Z",
  "spanId": "5xxx0"
}

But the GET does not:

{
  "insertId": "1xxxr",
  "jsonPayload": {
    "statusDetails": "denied_by_security_policy",
    "enforcedSecurityPolicy": {
      "outcome": "DENY",
      "configuredAction": "DENY",
      "name": "login-security-policy",
      "priority": 2147483647
    },
    "@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry"
  },
  "httpRequest": {
    "requestMethod": "GET",
    "requestUrl": "https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AxxxE",
    "requestSize": "1291",
    "status": 403,
    "responseSize": "194",
    "userAgent": "XXX",
    "remoteIp": "XX.XX.XX.XX",
    "referer": "https://example.com/",
    "latency": "0.221476s"
  },
  "resource": {
    "type": "http_load_balancer",
    "labels": {
      "project_id": "xxx",
      "target_proxy_name": "k8s2-ts-dxxxd-default-main-ixxxq",
      "forwarding_rule_name": "k8s2-fs-dxxxd-default-main-ixxxq",
      "zone": "global",
      "url_map_name": "k8s2-um-dxxxd-default-main-ixxxq",
      "backend_service_name": "k8s-be-3xxx9--9xxx9"
    }
  },
  "timestamp": "2021-12-21T18:28:42.254613Z",
  "severity": "WARNING",
  "logName": "projects/xxx/logs/requests",
  "trace": "projects/xxx/traces/5xxx0",
  "receiveTimestamp": "2021-12-21T18:28:43.228371341Z",
  "spanId": "axxxb"
}

This is the GET request as exported from the browser:

curl 'https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AxxxE' \
  -H 'authority: api.example.com' \
  -H 'pragma: no-cache' \
  -H 'cache-control: no-cache' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'authorization: Bearer exxxw' \
  -H 'x-recaptcha-token: Axxxo' \
  -H 'user-agent: XXX' \
  -H 'origin: https://example.com' \
  -H 'sec-fetch-site: same-site' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'referer: https://example.com/' \
  --compressed

0 answers
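To make the two log entries in the question easier to read, here is a small model of how a Cloud Armor security policy is enforced, written as an added example (it is not Cloud Armor's code and not from the question). It assumes only the documented evaluation order: rules are tried in ascending priority and the first rule whose expression matches decides the request, with the fixed-priority default rule (2147483647) catching everything else. The model further assumes that a rule testing an attribute the request does not carry (here a reCAPTCHA score that was never populated from the request) simply does not match, which is the behaviour consistent with the GET above being enforced by the default rule rather than by priority 1000. The rule text is copied verbatim from the question; the model has no knowledge of Cloud Armor's real attribute vocabulary, so a misspelled attribute name is exactly the kind of problem it cannot detect, and the `Request` objects and scores are constructed for the demonstration. One thing the model does make visible: a browser's CORS preflight never carries custom headers such as `x-recaptcha-token`, so the OPTIONS request can only be admitted by the method rule at priority 500.

```python
"""Model of first-match enforcement for the security policy in the question.

Added example, not Cloud Armor's own implementation. Assumes rules are
evaluated in ascending priority, first match wins, and an expression whose
attribute is not populated on the request does not match (model assumption).
Requests and scores below are constructed inputs.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

DEFAULT_PRIORITY = 2147483647  # fixed priority of the policy's default rule


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    # Score Cloud Armor would derive from a valid reCAPTCHA token attached to
    # the request. None models "no usable token, attribute not populated".
    recaptcha_score: Optional[float] = None


class AttributeUnavailable(Exception):
    """Raised by an evaluator when the request lacks the attribute it tests."""


@dataclass
class Rule:
    priority: int
    action: str                        # "allow" or "deny(403)"
    expression: str                    # rule text as written in the question
    match: Callable[[Request], bool]   # constructed evaluator for that text


def score_above(threshold: float) -> Callable[[Request], bool]:
    """Evaluator for 'token.recaptcha.score > threshold' (text from the question)."""
    def evaluate(req: Request) -> bool:
        if req.recaptcha_score is None:
            raise AttributeUnavailable("token score not populated on this request")
        return req.recaptcha_score > threshold
    return evaluate


# The three rules from the question, in the order Cloud Armor would try them.
POLICY = [
    Rule(500, "allow", "request.method == 'OPTIONS'", lambda r: r.method == "OPTIONS"),
    Rule(1000, "allow", "token.recaptcha.score > 0.1", score_above(0.1)),
    Rule(DEFAULT_PRIORITY, "deny(403)", "*", lambda r: True),
]


def enforce(policy: list, req: Request) -> dict:
    """Return a dict shaped like the log's enforcedSecurityPolicy field."""
    for rule in sorted(policy, key=lambda r: r.priority):
        try:
            matched = rule.match(req)
        except AttributeUnavailable:
            matched = False  # model assumption: unevaluable attribute = no match
        if matched:
            return {
                "priority": rule.priority,
                "configuredAction": rule.action.split("(")[0].upper(),
                "outcome": "ACCEPT" if rule.action == "allow" else "DENY",
                "expression": rule.expression,
            }
    raise RuntimeError("policy has no catch-all default rule")


def preflight_for(request: Request) -> Request:
    """Model the browser's CORS preflight: same target, custom headers stripped."""
    return Request("OPTIONS", headers={}, recaptcha_score=None)


if __name__ == "__main__":
    get = Request("GET", headers={"x-recaptcha-token": "Axxxo"})  # token sent, score never populated
    print("OPTIONS:", enforce(POLICY, preflight_for(get)))        # priority 500, ACCEPT
    print("GET, unpopulated score:", enforce(POLICY, get))         # priority 2147483647, DENY
    print("GET, score 0.9:", enforce(POLICY, Request("GET", recaptcha_score=0.9)))   # 1000, ACCEPT
    print("GET, score 0.05:", enforce(POLICY, Request("GET", recaptcha_score=0.05)))  # default, DENY
```

Running the block reproduces the pair of log entries from the question: the preflight is accepted at 500 and the GET lands on the default rule. Only when the model is handed a request on which the score attribute is actually populated does priority 1000 ever fire, which is the place to look when debugging this: whether the load balancer is populating the token attribute from the header at all, and whether the attribute name in the rule is the one the product evaluates.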