Asp.Net Core安全防御-客户端IP白名单限制

时间 2020-12-01

标签 javascript php css java typescript apache json 数组安全 ruby 栏目 ASP 繁體版

原文原文链接

前言

本篇展现了如何在ASP.NET Core应用程序中设置IP白名单验证的2种方式。javascript

你能够使用如下2种方式：php

用于检查每一个请求的远程 IP 地址的中间件。css
MVC 操做筛选器，用于检查针对特定控制器或操做方法的请求的远程 IP 地址。java

中间件

Startup.Configure方法将自定义 AdminSafeListMiddleware 中间件类型添加到应用的请求管道。使用 .NET Core 配置提供程序检索到该安全，并将其做为构造函数参数进行传递。typescript

app.UseMiddleware<AdminSafeListMiddleware>("127.0.0.1;192.168.1.5;::1");

中间件将字符串分析为数组，并在数组中搜索远程 IP 地址。若是找不到远程 IP 地址，中间件将返回 HTTP 403 禁止访问。对于 HTTP GET 请求，将跳过此验证过程。apache






public class AdminSafeListMiddleware{private readonly RequestDelegate _next;private readonly ILogger<AdminSafeListMiddleware> _logger;private readonly string _safelist;public AdminSafeListMiddleware(RequestDelegate next,ILogger<AdminSafeListMiddleware> logger,string safelist){_safelist = safelist;_next = next;_logger = logger;}public async Task Invoke(HttpContext context){if (context.Request.Method != HttpMethod.Get.Method){var remoteIp = context.Connection.RemoteIpAddress;_logger.LogDebug("Request from Remote IP address: {RemoteIp}", remoteIp);string[] ip = _safelist.Split(';');var bytes = remoteIp.GetAddressBytes();var badIp = true;foreach (var address in ip){var testIp = IPAddress.Parse(address);if (testIp.GetAddressBytes().SequenceEqual(bytes)){badIp = false;break;}}if (badIp){_logger.LogWarning("Forbidden Request from Remote IP address: {RemoteIp}", remoteIp);context.Response.StatusCode = StatusCodes.Status403Forbidden;return;}}await _next.Invoke(context);}}

操做筛选器

若是须要针对特定 MVC 控制器或操做方法的安全安全访问控制，请使用操做筛选器。例如：。json







public class ClientIpCheckActionFilter : ActionFilterAttribute{private readonly ILogger _logger;private readonly string _safelist;public ClientIpCheckActionFilter(string safelist, ILogger logger){_safelist = safelist;_logger = logger;}public override void OnActionExecuting(ActionExecutingContext context){var remoteIp = context.HttpContext.Connection.RemoteIpAddress;_logger.LogDebug("Remote IpAddress: {RemoteIp}", remoteIp);var ip = _safelist.Split(';');var badIp = true;if (remoteIp.IsIPv4MappedToIPv6){remoteIp = remoteIp.MapToIPv4();}foreach (var address in ip){var testIp = IPAddress.Parse(address);if (testIp.Equals(remoteIp)){badIp = false;break;}}if (badIp){_logger.LogWarning("Forbidden Request from IP: {RemoteIp}", remoteIp);context.Result = new StatusCodeResult(StatusCodes.Status403Forbidden);return;}base.OnActionExecuting(context);}}

在中 Startup.ConfigureServices ，将操做筛选器添加到 MVC 筛选器集合。在下面的示例中， ClientIpCheckActionFilter 添加了一个操做筛选器。安全日志和控制台记录器实例做为构造函数参数进行传递。数组

services.AddScoped<ClientIpCheckActionFilter>(container =>{var loggerFactory = container.GetRequiredService<ILoggerFactory>();var logger = loggerFactory.CreateLogger<ClientIpCheckActionFilter>();return new ClientIpCheckActionFilter("127.0.0.1;192.168.1.5;::1", logger);});

而后，能够将操做筛选器应用到具备 [ServiceFilter] 属性的控制器或操做方法：安全

[ServiceFilter(typeof(ClientIpCheckActionFilter))][HttpGet]public IEnumerable<string> Get()

在示例应用中，操做筛选器将应用于控制器的 Get 操做方法。当你经过发送来测试应用程序时：ruby

HTTP GET 请求，该 [ServiceFilter] 属性验证客户端 IP 地址。若是容许访问 Get 操做方法，则 "操做筛选器" 和 "操做" 方法将生成如下控制台输出的变体：

dbug: ClientIpSafelistComponents.Filters.ClientIpCheckActionFilter[0]Remote IpAddress: ::1dbug: ClientIpAspNetCore.Controllers.ValuesController[0]successful HTTP GET

除 GET 以外的 HTTP 请求谓词将 AdminSafeListMiddleware 验证客户端 IP 地址。

总结

该案例彻底能够改形成黑名单拦截。

关注公众号：UP技术控获取更多资讯