IP黑白名单Tiny-Universe:访问控制策略深度解析
项目地址: https://gitcode.com/datawhalechina/tiny-universe 引言:为什么需要IP访问控制?
在大模型应用部署过程中,安全访问控制是确保系统稳定性和数据安全的关键环节。随着Tiny-Universe项目的广泛应用,IP黑白名单机制成为保护模型服务免受异常访问、控制访问权限的重要技术手段。
读完本文你将掌握:
- IP黑白名单的核心原理与实现机制
- 基于Python的高性能访问控制实现
- 分布式环境下的IP策略管理
- 实时动态更新黑白名单的最佳实践
- 与Tiny-Universe项目集成的完整方案
IP黑白名单基础概念
什么是IP黑白名单?
IP黑白名单(IP Whitelist/Blacklist)是一种基于网络层(第三层)的访问控制机制:
- 白名单(Whitelist):只允许列表中的IP地址访问系统
- 黑名单(Blacklist):阻止列表中的IP地址访问系统
- 灰名单(Greylist):临时限制某些IP的访问权限
核心应用场景
Tiny-Universe IP访问控制架构设计
系统架构概览
核心组件设计
| 组件名称 | 功能描述 | 技术实现 |
|---|---|---|
| IP解析器 | 解析客户端IP地址 | socket.inet_pton |
| 规则引擎 | 匹配IP与规则列表 | CIDR匹配算法 |
| 缓存层 | 提高查询性能 | Redis/LRU缓存 |
| 日志系统 | 记录访问行为 | 结构化日志 |
| 管理接口 | 动态更新规则 | RESTful API |
实现代码:高性能IP匹配引擎
基础IP验证类
import ipaddress
import re
from typing import List, Set, Union
from functools import lru_cache
class IPAccessControl:
"""IP访问控制核心类"""
def __init__(self):
self.whitelist: Set[Union[ipaddress.IPv4Network, ipaddress.IPv6Network]] = set()
self.blacklist: Set[Union[ipaddress.IPv4Network, ipaddress.IPv6Network]] = set()
self.default_policy: str = "deny" # 默认策略: deny或allow
def add_to_whitelist(self, ip_range: str) -> bool:
"""添加IP到白名单"""
try:
network = ipaddress.ip_network(ip_range, strict=False)
self.whitelist.add(network)
return True
except ValueError:
return False
def add_to_blacklist(self, ip_range: str) -> bool:
"""添加IP到黑名单"""
try:
network = ipaddress.ip_network(ip_range, strict=False)
self.blacklist.add(network)
return True
except ValueError:
return False
@lru_cache(maxsize=10000)
def is_allowed(self, ip_str: str) -> bool:
"""检查IP是否允许访问"""
try:
ip_addr = ipaddress.ip_address(ip_str)
# 首先检查黑名单
for black_net in self.blacklist:
if ip_addr in black_net:
return False
# 然后检查白名单
for white_net in self.whitelist:
if ip_addr in white_net:
return True
# 默认策略
return self.default_policy == "allow"
except ValueError:
return False # 无效IP地址默认拒绝
def bulk_load_whitelist(self, ip_list: List[str]) -> int:
"""批量加载白名单"""
success_count = 0
for ip_range in ip_list:
if self.add_to_whitelist(ip_range):
success_count += 1
return success_count
def clear_lists(self):
"""清空所有列表"""
self.whitelist.clear()
self.blacklist.clear()
self.is_allowed.cache_clear()
高级功能:CIDR范围匹配优化
class CIDROptimizer:
"""CIDR范围优化器,减少规则数量"""
@staticmethod
def optimize_cidr_list(networks: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
"""优化CIDR列表,合并相邻网络"""
if not networks:
return []
# 按网络地址排序
sorted_networks = sorted(networks, key=lambda x: (x.network_address, x.prefixlen))
optimized = []
current_net = sorted_networks[0]
for next_net in sorted_networks[1:]:
try:
# 尝试合并网络
supernet = current_net.supernet()
if next_net.subnet_of(supernet):
current_net = supernet
else:
optimized.append(current_net)
current_net = next_net
except ValueError:
optimized.append(current_net)
current_net = next_net
optimized.append(current_net)
return optimized
@staticmethod
def cidr_to_ip_range(cidr: str) -> tuple:
"""将CIDR转换为IP范围"""
network = ipaddress.ip_network(cidr)
return (int(network.network_address), int(network.broadcast_address))
集成Tiny-Universe的完整解决方案
Flask中间件实现
from flask import request, jsonify
import time
class IPAccessMiddleware:
"""Flask IP访问控制中间件"""
def __init__(self, app, ip_controller):
self.app = app
self.ip_controller = ip_controller
self.app.before_request(self.check_ip_access)
def check_ip_access(self):
"""检查IP访问权限"""
client_ip = self._get_client_ip()
if not self.ip_controller.is_allowed(client_ip):
return jsonify({
"error": "Access denied",
"message": "Your IP address is not allowed to access this service",
"timestamp": time.time(),
"ip": client_ip
}), 403
def _get_client_ip(self) -> str:
"""获取客户端真实IP"""
if request.headers.get('X-Forwarded-For'):
ip = request.headers['X-Forwarded-For'].split(',')[0]
elif request.headers.get('X-Real-IP'):
ip = request.headers['X-Real-IP']
else:
ip = request.remote_addr
return ip.strip()
# 使用示例
def create_app():
app = Flask(__name__)
ip_controller = IPAccessControl()
# 加载默认规则
ip_controller.add_to_whitelist("192.168.1.0/24")
ip_controller.add_to_whitelist("10.0.0.0/8")
ip_controller.add_to_blacklist("203.0.113.0/24")
# 注册中间件
IPAccessMiddleware(app, ip_controller)
return app
FastAPI集成方案
from fastapi import FastAPI, Request, HTTPException
from fastapi.middleware import Middleware
from fastapi.middleware import Middleware
from starlette.middleware import Middleware as StarletteMiddleware
class IPAccessMiddleware:
"""FastAPI IP访问控制中间件"""
def __init__(self, app, ip_controller):
self.app = app
self.ip_controller = ip_controller
async def __call__(self, scope, receive, send):
if scope["type"] == "http":
request = Request(scope, receive)
client_ip = self._get_client_ip(request)
if not self.ip_controller.is_allowed(client_ip):
response = JSONResponse(
status_code=403,
content={
"error": "Access denied",
"message": "IP address not allowed",
"ip": client_ip
}
)
await response(scope, receive, send)
return
await self.app(scope, receive, send)
def _get_client_ip(self, request: Request) -> str:
"""获取客户端真实IP"""
if "x-forwarded-for" in request.headers:
ip = request.headers["x-forwarded-for"].split(",")[0]
else:
ip = request.client.host
return ip.strip()
性能优化与最佳实践
缓存策略设计
import redis
import json
from datetime import timedelta
class RedisIPCache:
"""Redis缓存管理器"""
def __init__(self, redis_url="redis://localhost:6379/0"):
self.redis_client = redis.from_url(redis_url)
self.cache_prefix = "ip_access:"
self.cache_ttl = 300 # 5分钟
def get_cached_result(self, ip: str) -> bool:
"""获取缓存结果"""
cache_key = f"{self.cache_prefix}{ip}"
cached = self.redis_client.get(cache_key)
return bool(int(cached)) if cached else None
def set_cached_result(self, ip: str, allowed: bool):
"""设置缓存结果"""
cache_key = f"{self.cache_prefix}{ip}"
self.redis_client.setex(
cache_key,
timedelta(seconds=self.cache_ttl),
int(allowed)
)
def bulk_cache_results(self, ip_results: dict):
"""批量缓存结果"""
pipeline = self.redis_client.pipeline()
for ip, allowed in ip_results.items():
cache_key = f"{self.cache_prefix}{ip}"
pipeline.setex(cache_key, self.cache_ttl, int(allowed))
pipeline.execute()
高性能匹配算法
import bisect
class IPRangeMatcher:
"""基于范围的高性能IP匹配器"""
def __init__(self):
self.whitelist_ranges = [] # (start_ip, end_ip) 元组列表
self.blacklist_ranges = []
def add_range(self, cidr: str, list_type: str):
"""添加CIDR范围"""
network = ipaddress.ip_network(cidr)
start_ip = int(network.network_address)
end_ip = int(network.broadcast_address)
range_tuple = (start_ip, end_ip)
if list_type == "whitelist":
bisect.insort(self.whitelist_ranges, range_tuple)
else:
bisect.insort(self.blacklist_ranges, range_tuple)
def is_in_ranges(self, ip_str: str, ranges: list) -> bool:
"""检查IP是否在范围内"""
try:
ip_int = int(ipaddress.ip_address(ip_str))
# 使用二分查找优化性能
index = bisect.bisect_right(ranges, (ip_int, float('inf'))) - 1
if index >= 0:
start, end = ranges[index]
return start <= ip_int <= end
return False
except ValueError:
return False
def is_allowed(self, ip_str: str) -> bool:
"""检查IP访问权限"""
# 先检查黑名单
if self.is_in_ranges(ip_str, self.blacklist_ranges):
return False
# 再检查白名单
if self.whitelist_ranges and not self.is_in_ranges(ip_str, self.whitelist_ranges):
return False
return True
监控与日志系统
结构化日志记录
import logging
import json
from datetime import datetime
class IPAccessLogger:
"""IP访问日志记录器"""
def __init__(self, log_file="ip_access.log"):
self.logger = logging.getLogger("ip_access")
self.logger.setLevel(logging.INFO)
# 文件处理器
file_handler = logging.FileHandler(log_file)
file_handler.setFormatter(logging.Formatter('%(message)s'))
self.logger.addHandler(file_handler)
def log_access(self, ip: str, allowed: bool, path: str, user_agent: str):
"""记录访问日志"""
log_entry = {
"timestamp": datetime.utcnow().isoformat(),
"ip": ip,
"allowed": allowed,
"path": path,
"user_agent": user_agent,
"action": "allowed" if allowed else "denied"
}
self.logger.info(json.dumps(log_entry))
def log_bulk_access(self, access_data: list):
"""批量记录访问日志"""
for data in access_data:
self.log_access(**data)
实时监控仪表板
安全最佳实践
防御策略矩阵
| 异常类型 | 防御措施 | 实现方案 |
|---|---|---|
| IP欺骗 | 多级IP验证 | X-Forwarded-For + TCP指纹 |
| 异常流量 | 速率限制 | Token Bucket算法 |
| 扫描探测 | 行为分析 | 请求频率监控 |
| 代理绕过 | 深度检测 | User-Agent验证 |
动态规则更新API
from flask import Blueprint, request, jsonify
import threading
ip_api = Blueprint('ip_api', __name__)
@ip_api.route('/api/ip/whitelist', methods=['POST'])
def add_whitelist():
"""动态添加白名单"""
data = request.get_json()
ip_ranges = data.get('ranges', [])
success_count = 0
failed_ranges = []
for ip_range in ip_ranges:
if ip_controller.add_to_whitelist(ip_range):
success_count += 1
else:
failed_ranges.append(ip_range)
return jsonify({
"success": success_count,
"failed": failed_ranges,
"total_whitelist_rules": len(ip_controller.whitelist)
})
@ip_api.route('/api/ip/blacklist', methods=['POST'])
def add_blacklist():
"""动态添加黑名单"""
data = request.get_json()
ip_ranges = data.get('ranges', [])
reason = data.get('reason', '')
success_count = 0
for ip_range in ip_ranges:
if ip_controller.add_to_blacklist(ip_range):
success_count += 1
# 记录安全事件
security_logger.log_blacklist_add(ip_range, reason)
return jsonify({"added": success_count})
@ip_api.route('/api/ip/stats', methods=['GET'])
def get_stats():
"""获取IP访问统计"""
stats = {
"whitelist_rules": len(ip_controller.whitelist),
"blacklist_rules": len(ip_controller.blacklist),
"total_requests": access_stats.total_requests,
"blocked_requests": access_stats.blocked_requests,
"block_rate": access_stats.block_rate
}
return jsonify(stats)
部署与运维指南
Docker容器化部署
FROM python:3.9-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY . .
COPY ip_rules.json /etc/ip-access/rules.json
ENV REDIS_URL=redis://redis:6379/0
ENV DEFAULT_POLICY=deny
EXPOSE 8000
CMD ["gunicorn", "app:app", "-b", "0.0.0.0:8000", "-w", "4"]
Kubernetes配置示例
apiVersion: apps/v1
kind: Deployment
metadata:
name: tiny-universe-ip-filter
spec:
replicas: 3
template:
spec:
containers:
- name: ip-filter
image: tiny-universe-ip-filter:latest
env:
- name: REDIS_URL
value: "redis://redis-service:6379/0"
- name: RULES_CONFIGMAP
value: "ip-rules-config"
volumeMounts:
- name: ip-rules
mountPath: /etc/ip-access
volumes:
- name: ip-rules
configMap:
name: ip-rules-config
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ip-rules-config
data:
whitelist: |
192.168.0.0/16
10.0.0.0/8
blacklist: |
203.0.113.0/24
198.51.100.0/24
性能基准测试
测试环境配置
| 参数 | 配置值 |
|---|---|
| CPU | 4核心 Intel Xeon |
| 内存 | 8GB DDR |
创作声明:本文部分内容由AI辅助生成(AIGC),仅供参考
