IP地址过滤(IP Address Filtering)

IP地址过滤(IP Address Filtering)

我正在考虑为我的Rails SaaS应用实施IP地址过滤。 简而言之，我希望管理员能够指定一个或多个IP地址（或一系列IP地址），然后我的应用只接受来自指定地址的实例请求。

我正在使用IPAddress（ http://github.com/bluemonk/ipaddress ）来解析/验证每个地址/地址范围。 这是否合适？还是有更好的/更合适的图书馆？

有没有人实施过这种过滤方式，他们可以描述一种为他们工作的方法，或者是否有任何我需要担心的问题？

或者，是否有一个现有的Ruby库可以自动处理所有这些都能避免我的谷歌搜索？

非常感谢，Ash

I'm looking at implementing IP Address filtering for my Rails SaaS app. In a nutshell I want administrators to be able to specify one or more IP Addresses (or a range of IP Addresses) and then my app only accept requests on their instance from the specified addresses.

I'm looking at using IPAddress (http://github.com/bluemonk/ipaddress) for the parsing/validating of each address/range of addresses. Is this a good fit or are there better/more appropriate libraries?

Has anyone implemented this kind of filtering who could describe an approach that has worked for them or are there any gotchas I need to worry about?

Alternatively, is there an existing Ruby library that handles all of this automatically that has managed to elude my Googling?

Many Thanks, Ash

最满意答案

ipaddress是一个很棒的库（我知道作者），但除非你打算对IP地址进行一些高级操作，否则你不会需要它。

其实最简单的方法就是

存储IP地址数组以过滤某处。 您可以使用字符串表示形式（192.168.1.1）或long int表示形式。 使用字符串版本，你甚至可以允许通配符（192.168.1。*）

然后在控制器中配置一个before_filter ，它将加载禁止的IP列表并执行一个简单的字符串匹配来检查当前的request.ip_address （在rails 3中的request.remote_ip ）是否与禁用的IP匹配。 如果为true，则重定向到错误页面。

如您所见，除非需要执行其他类型的操作，否则您甚至不需要将IP转换为IP对象。

ipaddress is an awesome library (I know the author), but you won't probably need it unless you are planning to perform some advanced manipulation of IP Addresses.

In fact, the most simple way is to

store the array of IP addresses to filter somewhere. You can use the string representation (192.168.1.1) or the long int representation. With the string version, you can even allow wildcards (192.168.1.*)

then configure a before_filter in the controller that will load the list of banned IPs and perform a simple string match to check whether current request.ip_address (request.remote_ip in rails 3) matches a banned IP. If true, redirect to the error page.

As you can see, you don't even need to convert the IPs into IP objects, unless you need to perform other kind of manipulations.