
Proxy is hardened so it can directly face the internet

analogrelay opened this issue 5 years ago (status: Open) • 6 comments

We expect several features to be add-ins that plug in as connection middleware. Add a connection middleware to the sample in this repo.

Here's one example from Http2: https://github.com/dotnet/aspnetcore/blob/09bb7b4ca5a4fbde0283c294c35fac8b485c0074/src/Servers/Kestrel/samples/Http2SampleApp/Program.cs#L41-L54

Other things we expect to need to plug into here:

  • Sniff SNI and rate limit
  • Rate limit SSL handshakes by IP

We don't have to write those components as part of this task, just demonstrate that a connection middleware has access to the necessary inputs and controls (e.g. IPs, sniffing the data stream, drop connections, etc.).

Specifically, this involves being able to filter connections based on information contained in the ClientHello TLS frame. Examples include:

  • Cipher Suite selection
  • Protocol Version
  • Server Name Indication (SNI)
  • Application-Level Protocol Negotiation (ALPN; used for HTTP/2 and HTTP/3)

analogrelay avatar Mar 12 '20 16:03 analogrelay

I did a similar connection middleware component here that we should be able to model this on.

Tratcher avatar Sep 21 '20 18:09 Tratcher

I know that this is outside the scope of the issue, but it would be great to have some middleware to block traffic. Some simple ones would be blocking user agents like curl, and GeoIP2 country lookup using MaxMind DB Reader. Not looking to build an IDS/IPS, but some simple tools would be nice. Created Web Application Firewall discussion as suggested.

mguinness avatar Jan 19 '21 19:01 mguinness

@mguinness I'd suggest moving that question to https://github.com/microsoft/reverse-proxy/discussions.

Blocking like that would be applied at the connection, server, or middleware layer before reaching any of the YARP logic at the routing layer or proxying layers. These scenarios are highly custom and I don't expect we'd be building them as part of the YARP project.

Tratcher avatar Jan 19 '21 21:01 Tratcher

Triage: All is possible using TlsFrameHelper: https://github.com/microsoft/reverse-proxy/blob/main/src/ReverseProxy/Utilities/TlsFrameHelper.cs. We should work with users to create a deployment cookbook / how-tos.

karelz avatar Mar 24 '21 19:03 karelz

Triage: Review AppService list to identify things that may be general purpose.

karelz avatar Jun 16 '22 17:06 karelz

I've done some work to integrate security keys with WebAuthn into YARP reverse proxy at the repo YarpWebAuthn for home use.

Right now it's relatively easy to match routes based on host domain like app1.example.duckdns.org, app2.example.duckdns.org.

However with Duck DNS all subdomains share the same IP address. Therefore if you specify a subdomain that has no matches you get a 404 response. Is there a way to reject any non-matches, i.e. drop the connection like nginx does with the 444 response?

Stops processing and returns the specified code to a client. The non-standard code 444 closes a connection without sending a response header.

I looked at other issues, "No way to reject a route" and "Allow grouping and inheriting route config", but they are both several years old and I wasn't sure if there is updated guidance.

mguinness avatar Mar 26 '25 03:03 mguinness
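As an added example (not code from the YARP project or from any commenter), here is a Python parser for the ClientHello fields the issue lists (protocol version, cipher suites, SNI, ALPN) together with the connection-level SNI gate the last comment asks about: a connection whose SNI matches no routed host is dropped before TLS completes, so no HTTP 404 is ever produced. The ClientHello bytes and the duckdns host names are constructed test data; in a Kestrel connection middleware the same parse would run over the bytes peeked from the connection's input pipe.

```python
import struct

def parse_client_hello(buf: bytes):
    """Extract version, cipher suites, SNI, ALPN, supported_versions from a raw TLS
    ClientHello record; None means the record is incomplete or not a ClientHello."""
    if len(buf) < 5 or buf[0] != 0x16:                      # 0x16 = TLS handshake record
        return None
    rec_len = struct.unpack(">H", buf[3:5])[0]
    if len(buf) < 5 + rec_len or buf[5] != 0x01:            # not fully buffered / not ClientHello
        return None
    body = buf[9:5 + rec_len]                               # skip 4-byte handshake header
    info = {"version": struct.unpack(">H", body[:2])[0], "sni": None, "alpn": [], "supported_versions": []}
    p = 35 + body[34]                                       # skip version(2) + random(32) + session_id
    cs_len = struct.unpack(">H", body[p:p + 2])[0]; p += 2
    info["cipher_suites"] = [struct.unpack(">H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len + 1 + body[p + cs_len]                      # skip suites + compression methods
    if p + 2 > len(body):
        return info                                         # legacy hello without extensions
    end = p + 2 + struct.unpack(">H", body[p:p + 2])[0]; p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack(">HH", body[p:p + 4]); p += 4
        d = body[p:p + elen]; p += elen
        if etype == 0x0000:                                 # server_name: list_len(2) type(1) len(2) name
            info["sni"] = d[5:5 + struct.unpack(">H", d[3:5])[0]].decode("ascii")
        elif etype == 0x0010:                               # ALPN: list_len(2) then (len(1) name)*
            q = 2
            while q < len(d):
                info["alpn"].append(d[q + 1:q + 1 + d[q]].decode("ascii")); q += 1 + d[q]
        elif etype == 0x002B:                               # supported_versions: len(1) then u16*
            info["supported_versions"] = [struct.unpack(">H", d[i:i + 2])[0] for i in range(1, 1 + d[0], 2)]
    return info

def sni_is_routed(buf: bytes, routed_hosts) -> bool:
    """Connection-level gate: False means drop the TCP connection instead of answering 404."""
    info = parse_client_hello(buf)
    return info is not None and info["sni"] in routed_hosts

def build_client_hello(sni, alpn, ciphers):
    """Constructed sample ClientHello (not captured traffic) for exercising the parser."""
    ext = lambda t, d: struct.pack(">HH", t, len(d)) + d
    name, protos = sni.encode(), b"".join(bytes([len(a)]) + a.encode() for a in alpn)
    exts = (ext(0x0000, struct.pack(">HBH", len(name) + 3, 0, len(name)) + name)
            + ext(0x0010, struct.pack(">H", len(protos)) + protos)
            + ext(0x002B, b"\x04\x03\x04\x03\x03"))          # offers TLS 1.3 and 1.2
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", 2 * len(ciphers))
            + b"".join(struct.pack(">H", c) for c in ciphers) + b"\x01\x00"
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

A middleware should keep reading while the parser returns None for a short buffer, and only drop once a complete record has been seen that fails the gate.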