Firebase Cloud Functions: how to handle continuous requests

Date: 2022-12-07 22:02:57

When working with Firebase (Firebase Cloud Functions in this case), we have to pay for every byte of bandwidth.

So, I wonder how we can deal with the case where someone somehow finds out our endpoint and then requests it continuously and intentionally (by a script or tool)?

I did some searching on the internet but didn't see anything that can help, except for this one, which is not really useful.

2 solutions

#1


6  

Since you didn't specify which type of request, I'm going to assume that you mean HTTP(S) triggers on Firebase Cloud Functions.

There are multiple limiters you can put in place to 'reduce' the bandwidth consumed by the request. I'll write a few that come to my mind.

1) Limit the type of requests

If all you need is GET and, say for example, you don't need PUT, you can start off by returning a 403 for those, before you go any further in your cloud function.

if (req.method === 'PUT') { return res.status(403).send('Forbidden!'); }

2) Authenticate if you can

Follow Google's example here and allow only authorized users to use your HTTPS endpoints. You can simply achieve this by verifying tokens, like this SOF answer to this question.

3) Check for origin

You can try checking the origin of the request before going any further in your cloud function. If I recall correctly, Cloud Functions give you full access to the HTTP Request/Response objects, so you can set the appropriate CORS headers and respond to pre-flight OPTIONS requests.

Experimental Idea 1

You can hypothetically put your functions behind a load balancer / firewall and relay-trigger them. It would more or less defeat the purpose of Cloud Functions' scalable nature, but if a form of DoS is a bigger concern for you than scalability, then you could try creating an App Engine relay, put it behind a load balancer / firewall and handle the security at that layer.

Experimental Idea 2

You can try applying DNS-level attack-prevention solutions to your problem by putting something like Cloudflare in between. Use a CNAME and Cloudflare Page Rules to map URLs to your cloud functions. This could hypothetically absorb the impact. Like this:

*function1.mydomain.com/* -> https://us-central1-etc-etc-etc.cloudfunctions.net/function1/$2

Now if you go to

http://function1.mydomain.com/?something=awesome

you can even pass the URL params to your functions. A tactic which I've read about in this Medium article during the summer, when I needed something similar.

Finally

In an attempt to make the questions on SOF more linked and help everyone find answers, here's another question I found that's similar in nature. Linking it here so that others can find it as well.
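The three in-function limiters from this answer (method allowlist, origin check with CORS preflight handling, and rejecting early before any billable work) put together as one guard, plus a small per-source request budget so a script hammering the endpoint gets a cheap 429 instead of a full handler run. This is an added example, not code from the answer or from Firebase; it is written against the `req`/`res` shape Express gives an HTTPS-triggered function, with tiny stand-ins for those objects so it runs offline. The allowed origin, the window size and the per-window limit are assumptions.

```javascript
// Added example: cheap rejections that run before any real work in an
// HTTPS-triggered Cloud Function. Not from the original answer or Firebase.
// Uses only req.method, req.headers, req.ip, res.status().send() and res.set(),
// so the stand-ins at the bottom are enough to run it offline.

const ALLOWED_METHODS = new Set(['GET', 'OPTIONS']);
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed
const WINDOW_MS = 60000;      // assumed budget window
const MAX_PER_WINDOW = 30;    // assumed requests per source per window

// Per-source counters. In-memory state lives only inside one function
// instance, so this is a first line of defence, not a hard guarantee.
const buckets = new Map();

function sourceKey(req) {
  // Cloud Functions sit behind a proxy; X-Forwarded-For carries the client IP.
  const xff = req.headers['x-forwarded-for'];
  return (xff ? xff.split(',')[0].trim() : req.ip) || 'unknown';
}

// Fixed-window counter: true when this source has exceeded its budget.
function overBudget(req, now = Date.now()) {
  const key = sourceKey(req);
  const b = buckets.get(key);
  if (!b || now - b.start >= WINDOW_MS) {
    buckets.set(key, { start: now, count: 1 });
    return false;
  }
  b.count += 1;
  return b.count > MAX_PER_WINDOW;
}

function originAllowed(req) {
  const origin = req.headers['origin'];
  // Scripts and curl usually send no Origin at all; the policy here is to
  // reject them, which is an explicit choice, not something browsers enforce.
  return origin !== undefined && ALLOWED_ORIGINS.has(origin);
}

// Returns the status it decided on, or 0 when the real handler should run.
function guard(req, res, now) {
  if (!ALLOWED_METHODS.has(req.method)) {
    res.status(403).send('Forbidden!');
    return 403;
  }
  if (!originAllowed(req)) {
    res.status(403).send('Forbidden!');
    return 403;
  }
  res.set('Access-Control-Allow-Origin', req.headers['origin']);
  res.set('Vary', 'Origin');
  if (req.method === 'OPTIONS') {
    // Answer the pre-flight directly; it never reaches the handler.
    res.set('Access-Control-Allow-Methods', 'GET');
    res.set('Access-Control-Allow-Headers', 'Authorization');
    res.status(204).send('');
    return 204;
  }
  if (overBudget(req, now)) {
    res.set('Retry-After', String(WINDOW_MS / 1000));
    res.status(429).send('Too Many Requests');
    return 429;
  }
  return 0;
}

// Minimal stand-ins for the Express request/response objects.
function makeReq(method, headers = {}, ip = '203.0.113.10') {
  return { method, headers, ip };
}
function makeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.status = (c) => { res.statusCode = c; return res; };
  res.send = (b) => { res.body = b; return res; };
  res.set = (k, v) => { res.headers[k] = v; return res; };
  return res;
}
function resetBuckets() { buckets.clear(); }

// In a function: exports.api = functions.https.onRequest((req, res) => {
//   if (guard(req, res) !== 0) return;  // already answered cheaply
//   ... real work ...
// });
```

The ordering matters: the method and origin checks cost nothing, so they run first, the budget check touches a map, and only then does the handler do anything that costs money. An Origin header is trivially set by a non-browser client, so the origin check only keeps honest browsers on other sites out; the authentication step in point 2 is what actually binds a request to a caller, and the budget keeps an unauthenticated loop from running the handler thirty-one times a minute per source.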

#2


1  

There is a solution for this problem where you can verify the HTTPS endpoint.

Only users who pass a valid Firebase ID token as a Bearer token in the Authorization header of the HTTP request or in a __session cookie are authorized to use the function.

Checking the ID token is done with an Express.js middleware that also passes the decoded ID token in the Express request object.

Check this sample code from Firebase.
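The middleware this answer describes, as an added example that is not Firebase's sample code: it pulls the ID token from `Authorization: Bearer <token>` or from the `__session` cookie, hands it to a verifier, and on success attaches the decoded token to the request for the handler. The verifier is injected so the example runs offline; in a deployed function you would pass `admin.auth().verifyIdToken` from firebase-admin, and the `fakeVerifier`, the token value and the claims it returns below are constructed stand-ins.

```javascript
// Added example: the ID-token-checking middleware from the answer, with the
// verifier injected. Not Firebase's own sample. `fakeVerifier` stands in for
// admin.auth().verifyIdToken; the token and claims it uses are constructed.

function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Bearer header first, then the __session cookie (the one cookie Firebase
// Hosting forwards to functions). Returns null when neither is present.
function extractIdToken(req) {
  const auth = req.headers['authorization'];
  if (auth && /^Bearer\s+\S+$/.test(auth)) return auth.split(/\s+/)[1];
  const cookies = parseCookies(req.headers['cookie']);
  return cookies['__session'] || null;
}

// verifyIdToken: (token) => Promise<decodedClaims>, throws on a bad token.
function makeAuthMiddleware(verifyIdToken) {
  return async function validateFirebaseIdToken(req, res, next) {
    const token = extractIdToken(req);
    if (!token) {
      res.status(403).send('Unauthorized');
      return 403;
    }
    try {
      req.user = await verifyIdToken(token); // decoded claims: uid, email, ...
      next();
      return 0;
    } catch (err) {
      // Do not echo the token or the verifier's error detail to the client.
      res.status(403).send('Unauthorized');
      return 403;
    }
  };
}

// Constructed verifier: accepts exactly one known token, rejects all others.
const VALID_TOKEN = 'constructed-valid-id-token';
async function fakeVerifier(token) {
  if (token !== VALID_TOKEN) throw new Error('invalid token');
  return { uid: 'user-123', email: 'user@example.com' };
}

// Minimal stand-ins for the Express request/response objects.
function makeReq(headers = {}) { return { headers }; }
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (c) => { res.statusCode = c; return res; };
  res.send = (b) => { res.body = b; return res; };
  return res;
}

// Runs the middleware once: which status it chose, whether the handler ran,
// and which uid (if any) it attached to the request.
async function runOnce(headers, verifier = fakeVerifier) {
  const mw = makeAuthMiddleware(verifier);
  const req = makeReq(headers);
  const res = makeRes();
  let reached = false;
  const status = await mw(req, res, () => { reached = true; });
  return { status, reached, uid: req.user ? req.user.uid : null };
}

// Wiring in a function: app.use(makeAuthMiddleware(t => admin.auth().verifyIdToken(t)));
```

Because verification happens before `next()`, a request without a token, or with one the verifier rejects, is answered with a short 403 and never reaches the handler, which is the point of the question: an unauthenticated loop against the endpoint costs one token check per request rather than a full function run.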
