This article shows how a client white-list could be implemented using ASP.NET Core middleware checking the Remote IP address of the request. If the client IP is on the white-list, no restrictions exist.
Code: https://github.com/damienbod/ClientIpAspNetCoreIIS
The middleware uses an admin white-list parameter from the constructor to compare with the remote ip address from the HttpContext Connection property. This is different to previous versions of .NET. In the example, all GET requests are allowed. If any other request method is used, the remote IP is used to check if it exists in the white-list. If it does not exist, a 403 is returned.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;
namespace ClientIpAspNetCore
{
public class AdminWhiteListMiddleware
{
private readonly RequestDelegate _next;
private readonly ILogger<AdminWhiteListMiddleware> _logger;
private readonly string _adminWhiteList;
public AdminWhiteListMiddleware(RequestDelegate next, ILogger<AdminWhiteListMiddleware> logger, string adminWhiteList)
{
_adminWhiteList = adminWhiteList;
_next = next;
_logger = logger;
}
public async Task Invoke(HttpContext context)
{
if (context.Request.Method != "GET")
{
var remoteIp = context.Connection.RemoteIpAddress;
_logger.LogInformation($"Request from Remote IP address: {remoteIp}");
string[] ip = _adminWhiteList.Split(';');
if (!ip.Any(option => option == remoteIp.ToString()))
{
_logger.LogInformation($"Forbidden Request from Remote IP address: {remoteIp}");
context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return;
}
}
await _next.Invoke(context);
}
}
}
The white-list is configured in the appsettings.config. This is a ‘;’ separated list which is split in the middleware class.
{
"AdminWhiteList": "127.0.0.1;192.168.1.5",
"Logging": {
"IncludeScopes": false,
"LogLevel": {
"Default": "Debug",
"System": "Information",
"Microsoft": "Information"
}
}
}
In the startup class, the AdminWhiteListMiddleware type is added using the appsettings configuration.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
...
app.UseStaticFiles();
app.UseMiddleware<AdminWhiteListMiddleware>(Configuration["AdminWhiteList"]);
app.UseMvc();
}
If a request is sent, other that a GET method, and it is not in the white-list, the 403 response is returned to the client and logged.
2016-12-18 16:45:42.8891|0|ClientIpAspNetCore.AdminWhiteListMiddleware|INFO| Request from Remote IP address: 192.168.1.4 2016-12-18 16:45:42.9031|0|ClientIpAspNetCore.AdminWhiteListMiddleware|INFO| Forbidden Request from Remote IP address: 192.168.1.4
An ActionFilter could also be used to implement this, for example if more specific logic is required.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Logging;
namespace ClientIpAspNetCore.Filters
{
public class ClientIdCheckFilter : ActionFilterAttribute
{
private readonly ILogger _logger;
public ClientIdCheckFilter(ILoggerFactory loggerFactory)
{
_logger = loggerFactory.CreateLogger("ClassConsoleLogActionOneFilter");
}
public override void OnActionExecuting(ActionExecutingContext context)
{
_logger.LogInformation($"Remote IpAddress: {context.HttpContext.Connection.RemoteIpAddress}");
// TODO implement some business logic for this...
base.OnActionExecuting(context);
}
}
}
The ActionFilter can be added to the services.
public void ConfigureServices(IServiceCollection services)
{
services.AddScoped<ClientIdCheckFilter>();
services.AddMvc();
}
And can be used specifically on any controller as required.
[ServiceFilter(typeof(ClientIdCheckFilter))]
[Route("api/[controller]")]
public class ValuesController : Controller
Note: I have not tested this with all the different possible hops, forward headers. Only tested with IIS and kestrel.
Links:
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/middleware
