ASP.NET Core sample: filtering requests with UrlFirewall

  • 2021-10-24 19:24:53
  • OfStack

1. Preface

UrlFirewall is an open-source, lightweight middleware for filtering HTTP requests. It can be used in a Web API or in a gateway (such as Ocelot). I wrote it myself, and it is open source on GitHub: https://github.com/stulzq/UrlFirewall

2. Introduction to UrlFirewall

UrlFirewall is an HTTP request filtering middleware. Combined with a gateway (Ocelot), it can block external networks from reaching internal interfaces, so that internal interfaces communicate only with each other and are not exposed to the outside. It supports a blacklist mode and a whitelist mode, and a custom HTTP response status code. It is extensible: you can implement your own validation logic and retrieve the rules from a database or a Redis cache.

3. Usage

1. Add the component from NuGet to your ASP.NET Core project


Install-Package UrlFirewall.AspNetCore

2. Configure DI


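public void ConfigureServices(IServiceCollection services)
{
 services.AddUrlFirewall(options =>
 {
  // Blacklist mode: requests matching a rule are rejected.
  options.RuleType = UrlFirewallRuleType.Black;
  // Load the rules from the "UrlBlackList" configuration section.
  options.SetRuleList(Configuration.GetSection("UrlBlackList"));
  // Status code returned for rejected requests (HttpStatusCode is in System.Net).
  options.StatusCode = HttpStatusCode.NotFound;
 });
 services.AddMvc();
 //...
}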

3. Configure middleware

The UrlFirewall middleware must be registered first in the pipeline, before any other middleware.


public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
 //Configure url firewall middleware. Top most.
 app.UseUrlFirewall();

 if (env.IsDevelopment())
 {
  app.UseDeveloperExceptionPage();
 }
 app.UseMvc();
}

4. Configure rules

Using the section name from step 2, add the following configuration to the appsettings.json / appsettings.Development.json file:


{
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Debug",
      "System": "Information",
      "Microsoft": "Information"
    }
  },
  "UrlBlackList": [
    {
      "Url": "/api/cart/add",
      "Method": "All"
    },
    {
      "Url": "/api/cart/del",
      "Method": "Post"
    },
    {
      "Url": "/api/cart/list",
      "Method": "Get"
    },
    {
      "Url": "/api/product/*",
      "Method": "All"
    }
  ]
}

The Url field is the HTTP request URL to intercept. It supports the wildcard characters * and ?: * matches any number of characters, and ? matches exactly one arbitrary character. Method is the HTTP request method: All matches every method; the other values are Get, Post, Delete and Put.
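
As an added illustration (not UrlFirewall's own code), the following standalone C# program models the rule semantics described above and evaluates the sample rules in both modes. Assumptions: comparison is case-insensitive, * may match zero characters and spans /, and whitelist mode blocks every request that matches no rule; RuleModel, Rule and RuleType are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Constructed sample: the UrlBlackList entries from the configuration above.
var rules = new[]
{
    new Rule("/api/cart/add", "All"), new Rule("/api/cart/del", "Post"),
    new Rule("/api/cart/list", "Get"), new Rule("/api/product/*", "All"),
};
// Constructed requests: one hit per rule kind plus near misses.
var requests = new (string Method, string Path)[]
{
    ("GET", "/api/cart/add"),           // Method "All": any verb matches
    ("GET", "/api/cart/del"),           // rule covers Post only
    ("POST", "/api/cart/del"),
    ("GET", "/api/product/42/reviews"), // '*' also spans '/' in this model
    ("GET", "/api/product"),            // pattern requires the "/api/product/" prefix
    ("GET", "/api/orders"),             // no rule at all
};
foreach (var (method, path) in requests)
{
    string black = RuleModel.IsBlocked(RuleType.Black, rules, method, path) ? "blocked" : "allowed";
    string white = RuleModel.IsBlocked(RuleType.White, rules, method, path) ? "blocked" : "allowed";
    Console.WriteLine($"{method,-5}{path,-25} Black: {black,-8} White: {white}");
}

enum RuleType { Black, White }
record Rule(string Url, string Method);

static class RuleModel
{
    // Assumption: case-insensitive comparison of URL and method.
    static bool Matches(Rule rule, string method, string path)
    {
        // '*' = any number of characters, '?' = exactly one character.
        string pattern = "^" + Regex.Escape(rule.Url).Replace("\\*", ".*").Replace("\\?", ".") + "$";
        return Regex.IsMatch(path, pattern, RegexOptions.IgnoreCase | RegexOptions.CultureInvariant)
            && (rule.Method.Equals("All", StringComparison.OrdinalIgnoreCase)
                || rule.Method.Equals(method, StringComparison.OrdinalIgnoreCase));
    }

    // Black: block when a rule matches. White (assumed): block unless a rule matches.
    public static bool IsBlocked(RuleType type, Rule[] rules, string method, string path)
    {
        bool hit = rules.Any(r => Matches(r, method, path));
        return type == RuleType.Black ? hit : !hit;
    }
}
```

Sending the same requests to a staging instance shows whether the deployed middleware agrees with these assumptions before the rule list is relied on to shield internal interfaces.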

4. Extension

If you want to implement your own validation logic, or load the data used for validation from a database, a Redis cache or another store, implement the IUrlFirewallValidator interface and then call the AddUrlFirewallValidator method to replace the default implementation.

Example:


services.AddUrlFirewall(options =>
{
 options.RuleType = UrlFirewallRuleType.Black;
 options.SetRuleList(Configuration.GetSection("UrlBlackList"));
 options.StatusCode = HttpStatusCode.NotFound;
}).AddUrlFirewallValidator<CustomValidator>();

5. Source address

Source and Demo: https://github.com/stulzq/UrlFirewall
