IP security in Asp.Net Core

Mar*_*inM 12 c# asp.net-core-mvc asp.net-core

I am trying to restrict a website by IP address. In previous versions of MVC I would add something like this to web.config:

<security>
  <ipSecurity allowUnlisted="false" denyAction="NotFound">
    <add allowed="true" ipAddress="XX.XX.XX.XX" subnetMask="255.255.255.0"/>
  </ipSecurity>
</security>

But adding this to an AspNetCore project causes the application to fail on startup with the error

Unable to start process. The web server request failed with status code 500, internal server error

Apparently I have broken the configuration, since it is no longer handled here. The error produces an HttpFailure log as follows:

[image: screenshot of the HttpFailure log]

What is the best way to handle this now, built in or otherwise?

Erg*_*wun 11

Damian Bod wrote a blog post demonstrating how to implement middleware to handle IP whitelisting.

He gives examples of both global middleware and an action filter.

Either way, you will need to add your allowed IP addresses to appsettings.json and check the client IP address against them.

The client IP address is available through the HttpContext (e.g. context.Connection.RemoteIpAddress).

If you want to whitelist IP address ranges, you can use the NuGet package IPAddressRange, which supports various formats such as "192.168.0.0/24" and "192.168.0.0/255.255.255.0", including CIDR expressions and IPv6.

Here is an example of how to do it in a filter:

appsettings.json:

{
  "IPAddressWhitelistConfiguration": {
    "AuthorizedIPAddresses": [
      "::1", // IPv6 localhost
      "127.0.0.1", // IPv4 localhost
      "192.168.0.0/16", // Local network
      "10.0.0.0/16" // Local network
    ]
  }
}

IPWhiteListConfiguration.cs:

namespace My.Web.Configuration
{
    using System.Collections.Generic;

    public class IPWhitelistConfiguration : IIPWhitelistConfiguration
    {
        public IEnumerable<string> AuthorizedIPAddresses { get; set; }
    }
}

IIPWhiteListConfiguration.cs:

namespace My.Web.Configuration
{
    using System.Collections.Generic;

    public interface IIPWhitelistConfiguration
    {
        IEnumerable<string> AuthorizedIPAddresses { get; }
    }
}

Startup.cs:

using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using My.Web.Configuration;

public class Startup
{
    // ...
    public void ConfigureServices(IServiceCollection services)
    {
        // ...
        // Bind the "IPAddressWhitelistConfiguration" section of appsettings.json
        services.Configure<IPWhitelistConfiguration>(
            this.Configuration.GetSection("IPAddressWhitelistConfiguration"));
        // Expose the bound options through the interface the filter depends on
        services.AddSingleton<IIPWhitelistConfiguration>(
            resolver => resolver.GetRequiredService<IOptions<IPWhitelistConfiguration>>().Value);
        // ...
    }
}

ClientIPAddressFilterAttribute.cs:

namespace My.Web.Filters
{
    using System.Collections.Generic;
    using System.Linq;
    using System.Net;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.Filters;
    using NetTools;
    using My.Web.Configuration;

    // The constructor takes a dependency, so apply the filter with
    // [ServiceFilter(typeof(ClientIPAddressFilterAttribute))] or [TypeFilter(...)]
    // rather than [ClientIPAddressFilter], so that it is created through DI.
    public class ClientIPAddressFilterAttribute : ActionFilterAttribute
    {
        private readonly IEnumerable<IPAddressRange> authorizedRanges;

        public ClientIPAddressFilterAttribute(IIPWhitelistConfiguration configuration)
        {
            // ToList() parses the configured ranges once instead of on every request
            this.authorizedRanges = configuration.AuthorizedIPAddresses
                .Select(item => IPAddressRange.Parse(item))
                .ToList();
        }

        public override void OnActionExecuting(ActionExecutingContext context)
        {
            var clientIPAddress = context.HttpContext.Connection.RemoteIpAddress;
            // Deny when the address is unknown or outside every authorized range
            if (clientIPAddress == null
                || !this.authorizedRanges.Any(range => range.Contains(clientIPAddress)))
            {
                context.Result = new UnauthorizedResult();
            }
        }
    }
}
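The answer above mentions that the same check can also be done as global middleware rather than an action filter. The following is an added example written for this page (it is not code from the answer, from Damian Bod's post or from the IPAddressRange package): a middleware that parses CIDR ranges itself with only System.Net, treats IPv4-mapped IPv6 client addresses (::ffff:a.b.c.d, which Kestrel reports on dual-stack sockets) as IPv4, and fails closed when the client address is unknown. The namespace, the class names CidrRange and IpAllowlistMiddleware, the sample ranges and the proxy address 10.0.0.5 are all assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

namespace My.Web.Middleware // assumed namespace for this example
{
    // One CIDR block such as "192.168.0.0/16" or "2001:db8::/32"; a bare address means /32 or /128.
    public sealed class CidrRange
    {
        private readonly byte[] network;
        private readonly int prefixLength;

        private CidrRange(byte[] network, int prefixLength)
        {
            this.network = network;
            this.prefixLength = prefixLength;
        }

        public static CidrRange Parse(string text)
        {
            var parts = text.Split('/');
            var bytes = Normalize(IPAddress.Parse(parts[0])).GetAddressBytes();
            var prefix = parts.Length > 1 ? int.Parse(parts[1]) : bytes.Length * 8;
            if (prefix < 0 || prefix > bytes.Length * 8)
                throw new FormatException($"Invalid prefix length in '{text}'.");
            return new CidrRange(bytes, prefix);
        }

        public bool Contains(IPAddress candidate)
        {
            var bytes = Normalize(candidate).GetAddressBytes();
            if (bytes.Length != network.Length) return false; // an IPv4 range never matches an IPv6 client and vice versa
            var fullBytes = prefixLength / 8;
            for (var i = 0; i < fullBytes; i++)
                if (bytes[i] != network[i]) return false;
            var remainingBits = prefixLength % 8;
            if (remainingBits == 0) return true;
            var mask = (byte)(0xFF << (8 - remainingBits)); // e.g. /28 leaves 4 bits -> 0xF0
            return (bytes[fullBytes] & mask) == (network[fullBytes] & mask);
        }

        // Compare IPv4 clients reported as ::ffff:a.b.c.d in their IPv4 form
        private static IPAddress Normalize(IPAddress address) =>
            address.IsIPv4MappedToIPv6 ? address.MapToIPv4() : address;
    }

    public sealed class IpAllowlistMiddleware
    {
        private readonly RequestDelegate next;
        private readonly IReadOnlyList<CidrRange> allowed;

        public IpAllowlistMiddleware(RequestDelegate next, IEnumerable<string> allowedRanges)
        {
            this.next = next;
            this.allowed = allowedRanges.Select(CidrRange.Parse).ToList(); // parse once, not per request
        }

        public async Task InvokeAsync(HttpContext context)
        {
            var client = context.Connection.RemoteIpAddress;
            // Fail closed: an unknown client address is rejected rather than let through
            if (client == null || !allowed.Any(range => range.Contains(client)))
            {
                context.Response.StatusCode = StatusCodes.Status403Forbidden;
                return;
            }
            await next(context);
        }
    }

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // Only needed behind a reverse proxy: without this, RemoteIpAddress is the proxy's
            // address, so every client is allowed or denied together. Trust X-Forwarded-For
            // from the known proxy only, never from arbitrary clients.
            services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders = ForwardedHeaders.XForwardedFor;
                options.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // assumed proxy address
            });
        }

        public void Configure(IApplicationBuilder app)
        {
            app.UseForwardedHeaders(); // must run before the allowlist check
            // Passed as a List so UseMiddleware receives it as one constructor argument
            var allowedRanges = new List<string> { "::1", "127.0.0.1", "192.168.0.0/16", "10.0.0.0/16" };
            app.UseMiddleware<IpAllowlistMiddleware>(allowedRanges);
            app.Run(context => context.Response.WriteAsync("Hello from an allowed address"));
        }
    }
}
```

The ranges would normally come from the appsettings.json section shown above instead of the inline list; the order of UseForwardedHeaders before UseMiddleware is what makes the check see the real client address when a proxy is in front of the application.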


dus*_*ris 6

I needed something similar, except that "safe-listing" individual IP addresses was not good enough for me, because I had to enable whole ranges of IP addresses via CIDR notation (for Cloudflare). I wrote a blog post about it yesterday, but in short, you can install the Firewall NuGet package and then configure the IP filter settings like this:

using System.Collections.Generic;
using System.Net;
using Firewall;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

namespace BasicApp
{
    public class Startup
    {
        public void Configure(IApplicationBuilder app)
        {
            // Individual addresses that are allowed through
            var allowedIPs =
                new List<IPAddress>
                    {
                        IPAddress.Parse("10.20.30.40"),
                        IPAddress.Parse("1.2.3.4"),
                        IPAddress.Parse("5.6.7.8")
                    };

            // Whole ranges in CIDR notation
            var allowedCIDRs =
                new List<CIDRNotation>
                    {
                        CIDRNotation.Parse("110.40.88.12/28"),
                        CIDRNotation.Parse("88.77.99.11/8")
                    };

            // Deny everything except the listed ranges and addresses
            app.UseFirewall(
                FirewallRulesEngine
                    .DenyAllAccess()
                    .ExceptFromIPAddressRanges(allowedCIDRs)
                    .ExceptFromIPAddresses(allowedIPs));

            app.Run(async (context) =>
            {
                await context.Response.WriteAsync("Hello World!");
            });
        }
    }
}