【发布时间】:2021-12-21 18:58:55
【问题描述】:
这是another one 关于 reCaptcha 和 GCA 的后续问题。
我在以下设置中有 GKE 应用程序:
- 前端应用在
example.com上工作 - 后端应用在
api.example.com上工作
我通过 Ingress 公开这些负载,一切看起来都很酷。我想用 Cloud Armor 保护应用程序。我向api 服务添加了注释。我可以确认,如果策略只有一条规则“拒绝所有 IP”,我无法到达后端端点,如果我将规则更改为“允许所有 IP”,我可以。所以 GCA 本身工作正常。
我尝试连接 reCaptcha Enterprise 并使用 Google Cloud Armor 解释它的分数,但我无法让它工作。我创建了以下规则,但我添加的任何值 token.recaptcha.score 似乎根本没有被解释。
我有以下 3 条规则:
- 优先级:500,表达式:“request.method == 'OPTIONS'”
- 优先级:1000,表达式:“token.recaptcha.score > 0.1”
- 优先级:2147483647,表达式:deny(403) from *.
我可以看到 OPTIONS 通过了:
{
"insertId": "1xxxr",
"jsonPayload": {
"@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry",
"enforcedSecurityPolicy": {
"priority": 500,
"configuredAction": "ALLOW",
"outcome": "ACCEPT",
"name": "login-security-policy"
},
"statusDetails": "response_sent_by_backend"
},
"httpRequest": {
"requestMethod": "OPTIONS",
"requestUrl": "https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AxxxE",
"requestSize": "97",
"status": 200,
"responseSize": "367",
"userAgent": "XXX",
"remoteIp": "XX.XX.XX.XX",
"referer": "https://example.com/",
"serverIp": "10.10.0.33",
"latency": "0.126041s"
},
"resource": {
"type": "http_load_balancer",
"labels": {
"project_id": "xxx",
"zone": "global",
"url_map_name": "k8s2-um-dxxxd-default-main-ixxxq",
"backend_service_name": "k8s-be-3xxx9--9xxx9",
"target_proxy_name": "k8s2-ts-dxxxd-default-main-ixxxq",
"forwarding_rule_name": "k8s2-fs-dxxxd-default-main-ixxxq"
}
},
"timestamp": "2021-12-21T18:28:42.103879Z",
"severity": "INFO",
"logName": "projects/xxx/logs/requests",
"trace": "projects/xxx/traces/3xxx2",
"receiveTimestamp": "2021-12-21T18:28:43.228371341Z",
"spanId": "5xxx0"
}
但 GET 不会:
{
"insertId": "1xxxr",
"jsonPayload": {
"statusDetails": "denied_by_security_policy",
"enforcedSecurityPolicy": {
"outcome": "DENY",
"configuredAction": "DENY",
"name": "login-security-policy",
"priority": 2147483647
},
"@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry"
},
"httpRequest": {
"requestMethod": "GET",
"requestUrl": "https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AxxxE",
"requestSize": "1291",
"status": 403,
"responseSize": "194",
"userAgent": "XXX",
"remoteIp": "XX.XX.XX.XX",
"referer": "https://example.com/",
"latency": "0.221476s"
},
"resource": {
"type": "http_load_balancer",
"labels": {
"project_id": "xxx",
"target_proxy_name": "k8s2-ts-dxxxd-default-main-ixxxq",
"forwarding_rule_name": "k8s2-fs-dxxxd-default-main-ixxxq",
"zone": "global",
"url_map_name": "k8s2-um-dxxxd-default-main-ixxxq",
"backend_service_name": "k8s-be-3xxx9--9xxx9"
}
},
"timestamp": "2021-12-21T18:28:42.254613Z",
"severity": "WARNING",
"logName": "projects/xxx/logs/requests",
"trace": "projects/xxx/traces/5xxx0",
"receiveTimestamp": "2021-12-21T18:28:43.228371341Z",
"spanId": "axxxb"
}
这也是从浏览器导出的 GET 请求:
curl 'https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AxxxE' \
-H 'authority: api.example.com' \
-H 'pragma: no-cache' \
-H 'cache-control: no-cache' \
-H 'accept: application/json, text/plain, */*' \
-H 'authorization: Bearer exxxw' \
-H 'x-recaptcha-token: Axxxo' \
-H 'user-agent: XXX' \
-H 'origin: https://example.com' \
-H 'sec-fetch-site: same-site' \
-H 'sec-fetch-mode: cors' \
-H 'sec-fetch-dest: empty' \
-H 'referer: https://example.com/' \
--compressed
【问题讨论】:
-
我不是 reCaptcha 专家。使用更多上下文编辑您的问题。我假设您使用的是 reCaptcha Enterprise。 1) 通常 reCaptcha 信息作为 POST 发送到服务器。你的设计是什么? 2) 您不能重播 reCaptchas。这将破坏目的并允许黑客绕过。在这种情况下, ALLOW 应该会失败,因此您的规则有效。 3)还有120秒的时间限制。 4)为了测试,我会在 ALLOW 之前创建一个 DENY 规则(token.recaptcha.score
-
我喜欢使用规则 --action 并为我正在测试的每个案例返回 302 和不同的 URL。这有助于我进行调试。 --action 重定向 --redirect-type external-302 --redirect-target REDIRECT_URL
-
仅供参考,我仍然与这个问题作斗争。据我所知,当 reCAPTCHA 密钥被 Google 团队列入白名单时(如 cloud.google.com/recaptcha-enterprise/docs/… 中所述),它开始生成格式错误的令牌。我在后端应用程序中实施了评估,只是为了检查发送到后端的确切内容,我可以看到,如果 reCAPTCHA 密钥没有为 Cloud Armor 列入白名单,它会生成正确的令牌,但在将其列入白名单后它会停止。
-
向 Google 提交支持案例。我对结果很感兴趣。
-
最后看来GCP有错误。现在一切正常。
标签: google-cloud-armor recaptcha-enterprise