ASP.NET Core: Using UrlFirewall to Filter Requests

Time:2020-1-8

I. Preface

UrlFirewall is an open-source, lightweight middleware for filtering HTTP requests. It can be used in a Web API or in a gateway (such as Ocelot). I wrote it myself and published it on GitHub: https://github.com/stulzq/urlfirewall

II. Introduction to UrlFirewall

UrlFirewall is an HTTP request filtering middleware. Used together with a gateway (Ocelot), it can block the external network from reaching internal interfaces, so that internal interfaces can call each other without being exposed externally. It supports blacklist mode and whitelist mode, and a custom HTTP response status code. It is extensible: you can implement the validation logic yourself and load the rules from a database, a Redis cache, or another store.

III. Usage

1. Add the component from NuGet to your ASP.NET Core project


Install-Package UrlFirewall.AspNetCore

2. Configure DI


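// Requires: using System.Net; (for HttpStatusCode)
public void ConfigureServices(IServiceCollection services)
{
    services.AddUrlFirewall(options =>
    {
        // Blacklist mode: requests that match a rule are rejected.
        options.RuleType = UrlFirewallRuleType.Black;
        // Load the rules from the "UrlBlackList" configuration section.
        options.SetRuleList(Configuration.GetSection("UrlBlackList"));
        // Status code returned for a rejected request.
        options.StatusCode = HttpStatusCode.NotFound;
    });
    services.AddMvc();
    //...
}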

3. Configure Middleware

The UrlFirewall middleware must be the first one in the pipeline.


public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // Configure the URL firewall middleware. Topmost.
    app.UseUrlFirewall();

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    app.UseMvc();
}

4. Configuration rules

Step 2 used the section name UrlBlackList, so we add the following configuration to the appsettings.json / appsettings.Development.json file:


{
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Debug",
      "System": "Information",
      "Microsoft": "Information"
    }
  },
  "UrlBlackList": [
    {
      "Url": "/api/cart/add",
      "Method": "All"
    },
    {
      "Url": "/api/cart/del",
      "Method": "Post"
    },
    {
      "Url": "/api/cart/list",
      "Method": "Get"
    },
    {
      "Url": "/api/product/*",
      "Method": "All"
    }
  ]
}

The Url field is the HTTP request URL to intercept. It supports the wildcards * and ?: * matches any number of arbitrary characters, and ? matches any single character. Method is the HTTP request method: All means all methods; the others are Get, Post, Delete and Put.
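
The rule semantics described above, evaluated against the sample UrlBlackList entries in both blacklist and whitelist mode. This is an added example, not UrlFirewall's own code: RuleDemo, ToRegex, Matches and IsBlocked are hypothetical names, and case-insensitive, fully anchored matching against the request path alone is an assumption of the example.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class RuleDemo
{
    // Wildcard pattern -> anchored regex: '*' = any run of characters,
    // '?' = exactly one character. \A...\z anchors the whole path, so a rule
    // never matches a mere substring.
    // Assumption: case-insensitive, because ASP.NET Core routing ignores case.
    static Regex ToRegex(string pattern) =>
        new Regex(@"\A" + Regex.Escape(pattern).Replace(@"\*", ".*").Replace(@"\?", ".") + @"\z",
                  RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    static bool Matches((string Url, string Method) rule, string method, string path) =>
        (rule.Method.Equals("All", StringComparison.OrdinalIgnoreCase) ||
         rule.Method.Equals(method, StringComparison.OrdinalIgnoreCase)) &&
        ToRegex(rule.Url).IsMatch(path);

    // Blacklist: a matching rule blocks the request.
    // Whitelist: a request with no matching rule is blocked.
    static bool IsBlocked((string Url, string Method)[] rules, bool blacklist,
                          string method, string path)
    {
        bool hit = rules.Any(r => Matches(r, method, path));
        return blacklist ? hit : !hit;
    }

    static void Main()
    {
        // Same entries as the UrlBlackList section above.
        var rules = new[]
        {
            (Url: "/api/cart/add",  Method: "All"),
            (Url: "/api/cart/del",  Method: "Post"),
            (Url: "/api/cart/list", Method: "Get"),
            (Url: "/api/product/*", Method: "All"),
        };
        // Constructed sample requests.
        var probes = new[]
        {
            (M: "GET",  P: "/api/cart/add"),
            (M: "GET",  P: "/api/cart/del"),
            (M: "POST", P: "/api/cart/del"),
            (M: "GET",  P: "/api/product/42/detail"),
            (M: "GET",  P: "/api/products"),
        };
        foreach (var (m, p) in probes)
            Console.WriteLine($"{m,-5} {p,-24} black={IsBlocked(rules, true, m, p)} white={IsBlocked(rules, false, m, p)}");
    }
}
```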

IV. Extending

If you want to implement your own validation logic, or validate against data queried from a database or a Redis cache, implement the IUrlFirewallValidator interface and then call the AddUrlFirewallValidator method to replace the default implementation.

Example:


services.AddUrlFirewall(options =>
{
    options.RuleType = UrlFirewallRuleType.Black;
    options.SetRuleList(Configuration.GetSection("UrlBlackList"));
    options.StatusCode = HttpStatusCode.NotFound;
}).AddUrlFirewallValidator<CustomValidator>();

V. Address

Source code and demo: https://github.com/stulzq/urlfirewall
