Simple IP whitelisting #1663
-
|
Would like to restrict access to a given Route/Destination by the IP of the request. Basically deny if it didn't come from a specific server. I see how to do this with a custom scheme in aspnet middleware, was curious if there was an OOB way to do this using yarp config. |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 7 replies
-
|
I don't think there's any built-in IP-based routing support in ASP.NET Core. A quick search shows that the https://github.com/dustinmoris/Firewall package may be what you are looking for to easily add this as a middleware. |
Beta Was this translation helpful? Give feedback.
-
|
I am using this in my YARP proxy. Their rules engine works quite well but I had to customize it a bit to get it to fit with my YARP needs. For starters I needed a way to create rules from configuration which they don't really have. Then I wrote my own Middleware (based on theirs) that works with custom route/endpoint Metadata to decide which firewall rules to apply on the fly. All-in-all I'm happy with how it turned out. Depending on your needs it's possible it could work right out of the box. I'd suggest taking a look at it. |
Beta Was this translation helpful? Give feedback.
-
|
We came up with a solution by handling a route match on X-FORWARDED-header + route since all traffic comes through our network appliances upstream beforehand. I'd be curious at peeking at the middleware you created though |
Beta Was this translation helpful? Give feedback.
-
|
I had hope that: |
Beta Was this translation helpful? Give feedback.
-
|
Right, the host is Yarp in this case. |
Beta Was this translation helpful? Give feedback.
-
|
so what good is that config setting? |
Beta Was this translation helpful? Give feedback.
-
That config setting is so you can have two routes to /foo, one for www.aaaaa.com, and the other for www.bbbbb.com, which could go to different destinations. |
Beta Was this translation helpful? Give feedback.
-
|
This probably need to be handled by a custom YARP middleware in the proxy. Use the Metadata feature of config to add your own allow list for IP addresses for each route. In the middleware, you can access the route for each request, see if it has that metadata and if so then check the source IP against that data. |
Beta Was this translation helpful? Give feedback.
-
|
Duplicate of #1707 |
Beta Was this translation helpful? Give feedback.
-
|
@chrisrestall can you please upvote the linked duplicate? That will help us prioritize it in future. Thanks! |
Beta Was this translation helpful? Give feedback.
-
|
Done! |
Beta Was this translation helpful? Give feedback.
Duplicate of #1707