
IP Whitelist

Open ErnestMushinge opened this issue 3 years ago • 9 comments

What should we add or change to make your life better?

Add a granular way to whitelist an IP in the config file

Why is this important to you?

It is for security purposes

ErnestMushinge avatar May 10 '22 13:05 ErnestMushinge

Related: https://github.com/microsoft/reverse-proxy/discussions/1663

MihaZupan avatar May 10 '22 13:05 MihaZupan

@ErnestMushinge Can you please provide more details about what the whitelist is for?

  • Is this rejecting a route if the IP address is in the allow/deny list?
  • Should matching still occur to other routes - for example if a request comes from the internal network then route differently than if it came externally
  • Does additional processing of the IP address need to be done before routing - for example using a geolocation mapping to determine where the client is before routing occurs?

samsp-msft avatar May 12 '22 20:05 samsp-msft

@samsp-msft I understand this issue is related to 1663. I was wondering if YARP has a built-in functionality with respect to the Allow Deny block in the appsettings.json, just like the way a developer is not required to configure a middleware for a route block?

In short, is it possible to specify the list of IP Addresses to reject/accept without configuring a custom middleware?

Thanks much!

ErnestMushinge avatar May 12 '22 22:05 ErnestMushinge

Triage: If there is enough interest, we may consider it as part of YARP or ASP.NET

karelz avatar May 17 '22 18:05 karelz

There is definitely interest from my end. IP Based Whitelisting even on a route level will be fantastic and solve a lot of my problems around security.

anton-roos avatar Aug 02 '22 06:08 anton-roos

https://docs.microsoft.com/en-us/aspnet/core/security/ip-safelist?view=aspnetcore-6.0

Tratcher avatar Aug 29 '22 17:08 Tratcher

I have just published a YARP middleware that implements IP-address/network filters (block or allow; per-route and global). Right now it only contains features I need for my current project, but I'd love to hear your feedback.

https://github.com/bbelius/YARP.ReverseProxy.IPFilters/

https://www.nuget.org/packages/BBelius.Yarp.ReverseProxy.IPFilters/

bbelius avatar Apr 18 '23 23:04 bbelius

@bbelius, thanks for sharing, it looks pretty good.

  • Note RemoteIpAddress is only null if the transport doesn't support it, like TestServer, it's not a thing clients can choose to hide. You can probably ignore these cases.
  • Consider a more efficient lookup approach. E.g. use a HashSet and Contains for exact matches. Network lookup might benefit from a custom collection (a bit tree?).

Tratcher avatar Apr 19 '23 16:04 Tratcher
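The lookup structure suggested in the comment above, sketched as an added example; it is not code from YARP, from the BBelius package, or from anyone in this thread. The class name `IpMatcher` and its members are hypothetical, and it assumes .NET 6+ with nullable reference types enabled.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical helper: exact addresses live in a HashSet (O(1) lookup),
// CIDR networks in a binary trie walked one address bit at a time.
public sealed class IpMatcher
{
    private sealed class Node { public Node?[] Next = new Node?[2]; public bool Terminal; }

    private readonly HashSet<IPAddress> _exact = new();
    private readonly Node _root = new();

    // Accepts "203.0.113.7" or "10.0.0.0/8". IPv4 is mapped to IPv6 so that
    // ::ffff:a.b.c.d and a.b.c.d are treated as the same client.
    public void Add(string entry)
    {
        var parts = entry.Split('/');
        var ip = IPAddress.Parse(parts[0]);
        bool v4 = ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork;
        if (parts.Length == 1) { _exact.Add(ip.MapToIPv6()); return; }

        int prefix = int.Parse(parts[1]);
        if (prefix < 0 || prefix > (v4 ? 32 : 128))
            throw new FormatException($"Invalid prefix length in '{entry}'.");
        if (v4) prefix += 96;   // skip the ::ffff:0:0/96 mapping prefix

        byte[] bits = ip.MapToIPv6().GetAddressBytes();
        var node = _root;
        for (int i = 0; i < prefix; i++)
            node = node.Next[Bit(bits, i)] ??= new Node();
        node.Terminal = true;   // host bits past the prefix are ignored
    }

    public bool Contains(IPAddress ip)
    {
        var mapped = ip.MapToIPv6();
        if (_exact.Contains(mapped)) return true;

        byte[] bits = mapped.GetAddressBytes();
        var node = _root;
        for (int i = 0; i < 128 && node != null; i++)
        {
            if (node.Terminal) return true;      // a shorter prefix already covers ip
            node = node.Next[Bit(bits, i)];
        }
        return node?.Terminal ?? false;          // full-length (/128 or /32) entry
    }

    private static int Bit(byte[] b, int i) => (b[i / 8] >> (7 - i % 8)) & 1;
}
```

A network lookup costs at most 128 node hops regardless of how many networks are configured. When the proxy itself sits behind another proxy or load balancer, `HttpContext.Connection.RemoteIpAddress` is that hop's address unless forwarded headers are processed from a trusted source first.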

@Tratcher Many thanks for your feedback! I've updated the code and published v1.1.1 just now. I did some quick benchmarking and the IPAddress lookup takes approx. half the time, while the IPNetwork lookup now takes ~30% less time.

bbelius avatar Apr 22 '23 00:04 bbelius