AspNetCoreRateLimit
How to make a blacklist of Endpoints?
I recently started using this package, but I don't know, and can't find, how to make a blacklist of endpoints. I tried doing this:
"IpRateLimiting": {
  "EnableEndpointRateLimiting": true,
  "StackBlockedRequests": true,
  "RealIpHeader": "X-Real-IP",
  "ClientIdHeader": "X-ClientId",
  "HttpStatusCode": 429,
  "IpWhitelist": [],
  "EndpointWhitelist": [],
  "ClientWhitelist": [],
  "GeneralRules": [
    {
      // These endpoints don't work
      "Endpoint": [
        "get:/api/user/SearchByEmailOrPhone/*",
        "post:/api/auth/*",
        "get:/api/user/SetNewsletterSubscription/*"
      ],
      "Period": "15s",
      "Limit": 3
    },
    {
      "Endpoint": [
        "get:/api/user/SearchByEmailOrPhone/*",
        "post:/api/auth/*",
        "get:/api/user/SetNewsletterSubscription/*"
      ],
      "Period": "1m",
      "Limit": 6
    },
    {
      "Endpoint": [
        "get:/api/user/SearchByEmailOrPhone/*",
        "post:/api/auth/*",
        "get:/api/user/SetNewsletterSubscription/*"
      ],
      "Period": "5m",
      "Limit": 13
    }
  ]
}
but apparently the Endpoint under GeneralRules doesn't accept an array of endpoints. It'll be so cumbersome if I add all of my endpoints separately, AND each of them with 3 limitation rules. Currently I have 3 endpoints which I want to add to the blacklist, and 3 endpoints each with 3 rules will be 9 of these rule blocks (and it will probably get more than that). Is there a better way to do this?
Add the setting EnableRegexRuleMatching: true in your settings file, and then learn to regex through regex101.
Thanks for answering. I haven't got time to test this but I'll do it ASAP. And is this option mentioned in the docs as well? I didn't see it anywhere.
I had to read through the code to figure it out 🥴
Oh, wow, this was the quickest reply I've ever got on the internet, that option will be huge if it actually works, thank you so much.
Does this option allow me to specify a regex to summarize multiple endpoints in a single rule block, or does it enable blacklisting? An example would be helpful.
Will respond tonight--I'm returning from a flight (on my phone currently).
Ok, thanks.
👀
Here's my setup (below). Notes:
EnableRegexRuleMatching controls how the current request path is evaluated against the GeneralRules (here's the code). The regex/non-regex evaluation happens in IsUrlMatch. You'd want to turn it on.
It's true that GeneralRules.Endpoint does not take an array of endpoints, but if you turn on regex matching, and you use a regular expression to match against (or not against; not sure what exactly you are asking for), then you can essentially isolate each rule to a subset of endpoints.
For instance, if you want to target just those three endpoints, you could do something like this regular expression:
.*api\/(?<controller>user\/(?<userAction>SearchByEmailOrPhone|SetNewsletterSubscription)|auth)/(?<otherActions>.*). You'd then paste that in each of your three rules as the Endpoint.
You can also play with this regex, at https://regex101.com/r/VfkhDp/1. Anything that does not match this, will not be rate limited.

Let me know if that didn't answer your question or if I misunderstood something.
{
  "IpRateLimiting": {
    "EnableRegexRuleMatching": false,
    "EnableEndpointRateLimiting": true,
    "StackBlockedRequests": false,
    "HttpStatusCode": 429,
    "IpWhitelist": [],
    "EndpointWhitelist": [],
    "GeneralRules": [
      {
        "Endpoint": "*:/api/*",
        "Period": "5s",
        "Limit": 15
      },
      {
        "Endpoint": "*:/api/*",
        "Period": "15m",
        "Limit": 1000
      },
      {
        "Endpoint": "*:/api/*",
        "Period": "24h",
        "Limit": 10000
      }
    ]
  }
}
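A way to check the regex from the answer above before pasting it into every rule, as an added example that is not part of this thread and not code from the AspNetCoreRateLimit project. It is written in JavaScript because its named-group syntax `(?<name>...)` is the same as .NET's, so the expression can be tested unchanged. It assumes (not verified against the library's source here) that with EnableEndpointRateLimiting and EnableRegexRuleMatching both true, each rule's Endpoint is applied as a case-insensitive regex to a key of the form `verb:path`, such as `post:/api/auth/login`. The helpers `endpointKey`, `ruleMatches` and `limitedBy`, the `STRICT_RULE` variant and the sample requests are all mine, constructed for the example.

```javascript
// Added example: not code from the AspNetCoreRateLimit project or from the thread.
// Assumption: with EnableEndpointRateLimiting and EnableRegexRuleMatching both
// true, each rule's Endpoint is evaluated as a case-insensitive regular
// expression against a "verb:path" key such as "post:/api/auth/login".
// The helpers below imitate that so a rule can be checked offline.

// The expression from the answer above, as it would be pasted into Endpoint.
const THREAD_RULE =
  ".*api\\/(?<controller>user\\/(?<userAction>SearchByEmailOrPhone|SetNewsletterSubscription)|auth)/(?<otherActions>.*)";

// Assumed tightened variant (not from the thread): anchored at both ends,
// restricted to the verbs the question listed, and matching the action with
// or without a trailing segment.
const STRICT_RULE =
  "^(get:/api/user/(SearchByEmailOrPhone|SetNewsletterSubscription)|post:/api/auth)(/.*)?$";

// Build the assumed lookup key: lower-cased verb, colon, request path
// (query string excluded, as it is not part of the path).
function endpointKey(verb, path) {
  return `${verb.toLowerCase()}:${path}`;
}

// True when the rule's regex applies to this request. The "i" flag stands in
// for RegexOptions.IgnoreCase.
function ruleMatches(rulePattern, verb, path) {
  return new RegExp(rulePattern, "i").test(endpointKey(verb, path));
}

// Return the keys of the requests a rule would count against its Limit.
function limitedBy(rulePattern, requests) {
  return requests
    .filter(([verb, path]) => ruleMatches(rulePattern, verb, path))
    .map(([verb, path]) => endpointKey(verb, path));
}

// Constructed sample traffic: the three endpoints from the question plus
// neighbours that probe the edges of the pattern.
const SAMPLE_REQUESTS = [
  ["GET", "/api/user/SearchByEmailOrPhone/alice@example.com"],
  ["POST", "/api/auth/login"],
  ["GET", "/api/user/SetNewsletterSubscription/true"],
  ["GET", "/api/auth/login"],                 // same path, different verb
  ["GET", "/api/user/SearchByEmailOrPhone"],  // no segment after the action
  ["POST", "/api/authentication/token"],      // shares the "auth" prefix
  ["GET", "/api/user/Profile/42"],            // unrelated user endpoint
];

console.log("thread rule limits:", limitedBy(THREAD_RULE, SAMPLE_REQUESTS));
console.log("strict rule limits:", limitedBy(STRICT_RULE, SAMPLE_REQUESTS));
```

Two things the check surfaces: the thread's expression is not tied to a verb, so `get:/api/auth/login` is limited alongside `post:/api/auth/login`, and it requires a `/` after the action, so `get:/api/user/SearchByEmailOrPhone` with nothing after it is not limited. Whether either is what you want depends on your routes; the anchored variant shows how to pin both down. Neither expression matches `/api/authentication/...`, so a shared prefix alone does not pull in a neighbouring route. Once every rule's Endpoint is this pattern, requests that do not match it fall under no rule at all, so add a further rule with its own regex if the rest of the API should stay limited.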