/// <summary>
/// Filters an incoming HTTP request based on the configured rules engine.
/// </summary>
public Task Invoke(HttpContext context)
{
return
(_ruleEngine.IsAllowed(context)
? _next.Invoke(context)
: DenyAccess(context));
}
public bool VerifyIPEndPoint(IPAddress address)
{
InitFirewallRules();
var httpContext = new DefaultHttpContext();
httpContext.Connection.RemoteIpAddress = address;
var result = _firewallRule.IsAllowed(httpContext);
if (result)
{
return(true);
}
if (address.IsIPv4MappedToIPv6)
{
httpContext.Connection.RemoteIpAddress = address.MapToIPv4();
return(_firewallRule.IsAllowed(httpContext));
}
return(false);
}
/// <summary>
/// Denotes whether a given <see cref="HttpContext"/> is permitted to access the web server.
/// </summary>
public bool IsAllowed(HttpContext context)
{
var remoteIpAddress = context.Connection.RemoteIpAddress;
var(isAllowed, ip) = MatchesAnyIPAddress(remoteIpAddress);
context.LogDebug(
typeof(IPAddressRule),
isAllowed,
isAllowed
? $"it matched '{ip}'"
: "it didn't match any known IP address");
return(isAllowed || _nextRule.IsAllowed(context));
}
/// <summary>
/// Denotes whether a given <see cref="HttpContext"/> is permitted to access the web server.
/// </summary>
public bool IsAllowed(HttpContext context)
{
var remoteIpAddress = context.Connection.RemoteIpAddress;
var(isAllowed, cidr) = MatchesAnyIPAddressRange(remoteIpAddress);
context.LogDebug(
typeof(IPAddressRangeRule),
isAllowed,
isAllowed
? $"it belongs to '{cidr}' address range"
: "it didn't belong to any known address range");
return(isAllowed || _nextRule.IsAllowed(context));
}
/// <summary>
/// Denotes whether a given <see cref="HttpContext"/> is permitted to access the web server.
/// </summary>
public bool IsAllowed(HttpContext context)
{
IPAddress remoteIpAddress;
if (IPAddress.TryParse(context.Request.Headers[_reverseProxyHeader], out remoteIpAddress))
{
var(isClientIPAllowed, ip) = MatchesAnyIPAddress(remoteIpAddress, _allowedClientIPAddresses);
var(isReversProxyIPValid, _) = MatchesAnyIPAddress(context.Connection.RemoteIpAddress, _reverseProxyIPAddresses); // the ip addresses of the reverse proxy
var(isReversProxyIPInCIDR, _) = MatchesAnyIPAddressRange(context.Connection.RemoteIpAddress, _reverseProxyCIDRs); // the ip addresses of the reverse proxy
context.LogDebug(
typeof(IPAddressRule),
isClientIPAllowed,
isClientIPAllowed
? "it matched '{ipAddress}'"
: "it didn't match any known IP address",
ip);
return((isClientIPAllowed && (isReversProxyIPValid || isReversProxyIPInCIDR)) || _nextRule.IsAllowed(context));
}
else
{
context.Log(Microsoft.Extensions.Logging.LogLevel.Error,
typeof(ReverseProxyClientIPAddressRule),
"Invalid reverse proxy header '{_reverseProxyHeader}' or unable to parse remote ip : " + context.Request.Headers[_reverseProxyHeader],
_reverseProxyHeader);
return(false);
}
}
/// <summary>
/// Denotes whether a given <see cref="HttpContext"/> is permitted to access the web server.
/// </summary>
public bool IsAllowed(HttpContext context)
{
return(_filter(context) || _nextRule.IsAllowed(context));
}
/// <summary>
/// Denotes whether a given <see cref="HttpContext"/> is permitted to access the web server based on the client ip and requested host name.
/// </summary>
public bool IsAllowed(HttpContext context)
{
var remoteIpAddress = context.Connection.RemoteIpAddress;
var(isAllowed, ip) = MatchesAnyIPAddress(remoteIpAddress);
context.LogDebug(
typeof(IPAddressRule),
isAllowed,
isAllowed
? "it matched '{ipAddress}'"
: "it didn't match any known IP address",
ip);
//ip is valid and the hostname is matching, or check next rule
return((isAllowed && context.Request.Host.ToString().ToLower().Contains(_hostNamePartial.ToLower())) || _nextRule.IsAllowed(context));
}