public async Task Firewall_With_Single_VIP_And_Request_With_Invalid_IP_Returns_AccessDenied()
{
var isSuccess = false;
var allowedIpAddress = IPAddress.Parse("12.34.56.78");
var allowedIpAddresses = new List <IPAddress> {
allowedIpAddress
};
var firewall = new FirewallMiddleware(
async(innerCtx) =>
{
isSuccess = true;
await innerCtx.Response.WriteAsync("Success!");
},
FirewallRulesEngine
.DenyAllAccess()
.ExceptFromIPAddresses(allowedIpAddresses),
logger: null);
var httpContext = new DefaultHttpContext();
httpContext.Connection.RemoteIpAddress = IPAddress.Parse("10.99.99.99");
await firewall.Invoke(httpContext);
Assert.Equal(StatusCodes.Status403Forbidden, httpContext.Response.StatusCode);
Assert.False(isSuccess);
}
public async Task Firewall_With_Single_CIDR_And_Request_With_Invalid_IP_Returns_AccessDenied()
{
var isSuccess = false;
var allowedIpAddress = IPAddress.Parse("174.74.115.210");
var cidrNotations = new List <CIDRNotation> {
CIDRNotation.Parse("174.74.115.192/28")
};
var firewall = new FirewallMiddleware(
async(innerCtx) =>
{
isSuccess = true;
await innerCtx.Response.WriteAsync("Success!");
},
FirewallRulesEngine
.DenyAllAccess()
.ExceptFromIPAddressRanges(cidrNotations),
logger: null);
var httpContext = new DefaultHttpContext();
httpContext.Connection.RemoteIpAddress = allowedIpAddress;
await firewall.Invoke(httpContext);
Assert.Equal(StatusCodes.Status403Forbidden, httpContext.Response.StatusCode);
Assert.False(isSuccess);
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseSwagger();
app.UseSwaggerUI(c =>
{
c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");
});
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
app.UseFirewall(
FirewallRulesEngine
.DenyAllAccess()
.ExceptFromLocalhost()
.ExceptFromIPAddresses(new List <IPAddress>()
{
IPAddress.Parse("127.0.0.1")
}));
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseStatusCodePages();
app.UseHttpsRedirection();
app.UseRouting();
app.UseFirewall(FirewallRulesEngine.DenyAllAccess().ExceptFromIPAddresses(new List <IPAddress> {
IPAddress.Parse("1.1.1.1")
}).ExceptFromLocalhost());
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
public void Configure(IApplicationBuilder app)
{
var allowedIPs =
new List <IPAddress>
{
IPAddress.Parse("10.20.30.40"),
IPAddress.Parse("1.2.3.4"),
IPAddress.Parse("5.6.7.8")
};
var allowedCIDRs =
new List <CIDRNotation>
{
CIDRNotation.Parse("110.40.88.12/28"),
CIDRNotation.Parse("88.77.99.11/8")
};
app.UseFirewall(
FirewallRulesEngine
.DenyAllAccess()
.ExceptFromIPAddressRanges(allowedCIDRs)
.ExceptFromIPAddresses(allowedIPs));
app.Run(async(context) =>
{
await context.Response.WriteAsync("Hello World!");
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseSwagger();
app.UseSwaggerUI(c => c.SwaggerEndpoint(url: "/swagger/v1/swagger.json", name: "TransactionStore.API V1"));
app.UseFirewall(
FirewallRulesEngine
.DenyAllAccess()
.ExceptFromLocalhost()
.ExceptFromIPAddresses(AllowedIPs.authorizedIPs));
app.UseStaticFiles();
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
private void InitFirewallRules()
{
_firewallRule = FirewallRulesEngine.DenyAllAccess();
if (_allow_cidrs != null && _allow_cidrs.Any())
{
_firewallRule = _firewallRule.ExceptFromIPAddressRanges(_allow_cidrs.ToList());
}
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseForwardedHeaders(
new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor,
ForwardLimit = 1
}
);
// Register Firewall after error handling and forwarded headers,
// but before other middleware:
var allowedIPAddresses =
new List <IPAddress>
{
IPAddress.Parse("10.20.30.40"),
IPAddress.Parse("1.2.3.4"),
IPAddress.Parse("5.6.7.8")
};
var allowedIPAddressRanges =
new List <CIDRNotation>
{
CIDRNotation.Parse("110.40.88.12/28"),
CIDRNotation.Parse("88.77.99.11/8")
};
app.UseFirewall(
FirewallRulesEngine
.DenyAllAccess()
.ExceptFromCountries(new [] { CountryCode.FK })
.ExceptFromIPAddressRanges(allowedIPAddressRanges)
.ExceptFromIPAddresses(allowedIPAddresses)
.ExceptFromCloudflare()
.ExceptFromLocalhost(),
accessDeniedDelegate:
ctx =>
{
ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
return(ctx.Response.WriteAsync("Forbidden"));
});
app.Run(async(context) =>
{
await context.Response.WriteAsync("Hello World!");
});
}
private void SetupFirewall(IApplicationBuilder app)
{
var options = new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor,
ForwardLimit = 1,
};
options.KnownNetworks.Clear();
options.KnownProxies.Clear();
app.UseForwardedHeaders(options);
var rules = FirewallRulesEngine
.DenyAllAccess()
.ExceptFromCloudflare();
app.UseFirewall(rules, ctx =>
{
ctx.Response.Redirect("https://quickclip.tk");
return(Task.CompletedTask);
});
}
public async Task Firewall_With_Multiple_IPs_And_CIDRs_And_Request_With_Invalid_IP_Returns_AccessDenied(string ip)
{
var isSuccess = false;
var allowedIpAddress = IPAddress.Parse(ip);
var allowedIpAddresses = new List <IPAddress>
{
IPAddress.Parse("1.2.3.4"),
IPAddress.Parse("10.20.30.40"),
IPAddress.Parse("50.6.70.8")
};
var cidrNotations = new List <CIDRNotation>
{
CIDRNotation.Parse("2803:f800::/32"),
CIDRNotation.Parse("2c0f:f248::/32"),
CIDRNotation.Parse("103.21.244.0/22"),
CIDRNotation.Parse("141.101.64.0/18"),
CIDRNotation.Parse("172.64.0.0/13")
};
var firewall = new FirewallMiddleware(
async(innerCtx) =>
{
isSuccess = true;
await innerCtx.Response.WriteAsync("Success!");
},
FirewallRulesEngine
.DenyAllAccess()
.ExceptFromIPAddresses(allowedIpAddresses)
.ExceptFromIPAddressRanges(cidrNotations),
logger: null);
var httpContext = new DefaultHttpContext();
httpContext.Connection.RemoteIpAddress = allowedIpAddress;
await firewall.Invoke(httpContext);
Assert.Equal(StatusCodes.Status403Forbidden, httpContext.Response.StatusCode);
Assert.False(isSuccess);
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory, IServiceProvider serviceProvider)
{
app.UseMiddleware <ActivityTracingMiddleware>();
app.UseMiddleware <ResponseStatusCodeHealthCheckMiddleware>();
if (env.IsProduction())
{
app.UseFirewall(FirewallRulesEngine
.DenyAllAccess()
.ExceptFromCloudflare()
.ExceptFromLocalhost());
}
else if (env.IsDevelopment())
{
app.UseFirewall(FirewallRulesEngine
.DenyAllAccess()
.ExceptFromLocalhost());
}
app.UseResponseCompression();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseWebAssemblyDebugging();
}
else
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}
if (BlogConfiguration.ServerSideHttpsRedirection)
{
app.UseHttpsRedirection();
}
if (BlogConfiguration.ClientSideHttpsRedirection)
{
app.UseMiddleware <ClientSideRedirectionMiddleware>();
}
app.UseBlazorFrameworkFiles();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseResponseCaching();
app.UseMiddleware <ResponseHeaderMiddleware>();
if (BlogConfiguration.UsePrometheusScrapingEndpoint)
{
app.UseOpenTelemetryPrometheusScrapingEndpoint();
}
app.UseEndpoints(endpoints =>
{
endpoints.MapHealthChecks("/health");
endpoints.MapRazorPages();
endpoints.MapControllers();
endpoints.MapFallbackToPage("/_Host");
endpoints.MapFallbackToPage("/Error", "/Error");
endpoints.MapFallbackToPage("/NotFound", "/NotFound");
});
ServerCertificateSelector.Instance.SetLoggerFactory(loggerFactory);
if (env.IsDevelopment() && BlogConfiguration.PersistenceLayer == PersistenceLayerType.MySql)
{
using var scope = serviceProvider.CreateScope();
var connectionFactory = scope.ServiceProvider.GetRequiredService <MySqlConnectionFactory>();
connectionFactory.EnsureTablesExists();
try
{
foreach (var row in File.ReadAllLines("dev_data.sql"))
{
if (!string.IsNullOrEmpty(row))
{
connectionFactory.Connection.Execute(row);
}
}
}
catch
{
/* seed only once */
}
}
}
