Issue with IP Blocking and Allowing in global configuration
I configured IP blocking and allowing in Ocelot using SecurityOptions, but it's not working.
```json
{
  "GlobalConfiguration": {
    "BaseUrl": "http://localhost:5000",
    "SecurityOptions": {
      "IPBlockedList": ["192.168.0.23"]
    }
  }
}
```
The IP blocking configuration is not working as expected.
Hello, Cavid! It seems we lack support for global settings. The potential solutions could be:
- Solely using `ocelot.json`. Define the options for each route individually.
- Utilizing C# coding. Replace the `ISecurityOptionsCreator` service in the DI container by redeveloping the `SecurityOptionsCreator` class to consider only the global settings. https://github.com/ThreeMammals/Ocelot/blob/6088515173b70abd52798e544e5ded409680dbdb/src/Ocelot/DependencyInjection/OcelotBuilder.cs#L141
Which solution would be more convenient for you?
Hello @Fabman08, The absence of global settings support is a significant issue. Here's the current usage of SecurityOptionsCreator:
https://github.com/ThreeMammals/Ocelot/blob/6088515173b70abd52798e544e5ded409680dbdb/src/Ocelot/Configuration/Creator/RoutesCreator.cs#L111
Consequently, the method should accept two arguments, including global settings: https://github.com/ThreeMammals/Ocelot/blob/6088515173b70abd52798e544e5ded409680dbdb/src/Ocelot/Configuration/Creator/SecurityOptionsCreator.cs#L8 Would you be able to allocate some time to address this?
Hi @raman-m! Sure, I'll be able to fix the issue this or next week. ☺️
@CavidH thank you for reporting this issue! 👍
Thank you very much for your help. We will eagerly await the new version.
> Hello, Cavid! It seems we lack support for global settings. The potential solutions could be:
> - Solely using `ocelot.json`. Define the options for each route individually.
> - Utilizing C# coding. Replace the `ISecurityOptionsCreator` service in the DI container by redeveloping the `SecurityOptionsCreator` class to consider only the global settings. https://github.com/ThreeMammals/Ocelot/blob/6088515173b70abd52798e544e5ded409680dbdb/src/Ocelot/DependencyInjection/OcelotBuilder.cs#L141
>
> Which solution would be more convenient for you?
I had thought of the first option, but since I have too many services, it will be difficult to control this
@raman-m just a little question about Global Settings behaviours.
I've found three ways to fix the issue:
- Every property in Route FileSecurityOptions overrides its Global Settings value, e.g.
  - Global: Allowed: B,C; Blocked: E; ExcludeAllowedFromBlocked: true
  - Route: Allowed: A,B,C; Blocked: D,E,F; ExcludeAllowedFromBlocked: false
  - Final: Allowed: A,B,C; Blocked: D,E,F; ExcludeAllowedFromBlocked: false
- Only the existing properties in Route FileSecurityOptions override their Global Settings values, e.g.
  - Global: Allowed: B,C; Blocked: E; ExcludeAllowedFromBlocked: true
  - Route: Allowed: A,B,C; Blocked: null; ExcludeAllowedFromBlocked: null
  - Final: Allowed: A,B,C; Blocked: E; ExcludeAllowedFromBlocked: true
- The Route FileSecurityOptions values will be merged into the Global Settings values, e.g.
  - Global: Allowed: A,B,C; Blocked: D,E; ExcludeAllowedFromBlocked: true
  - Route: Allowed: F,G,H; Blocked: I,K; ExcludeAllowedFromBlocked: false
  - Final: Allowed: A,B,C,F,G,H; Blocked: D,E,I,K; ExcludeAllowedFromBlocked: false
Which one is the best?
@Fabman08 Your research is too complicated!
> Which one is the best?
It is best to prioritize the route-specific FileSecurityOptions object over the global settings. Therefore, if route settings are defined, all global settings should be disregarded. In practice, if the route object is null, then the global settings should be utilized.
> Every property in Route FileSecurityOptions overrides its Global Settings value
Yes, if route options are defined, all global ones should be ignored. We will highlight this in the documentation. There should be no merging whatsoever. This approach is the simplest and most correct solution, as merging properties would be erroneous due to potential conflicts within the algorithm. Therefore, merging is identified as a source of bugs.
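
The precedence rule settled on above, as an added example that is not part of the thread and is not Ocelot's own code: a route-level object replaces the global one entirely, so global block entries stop applying to any route that defines its own options. `SecurityPolicy`, `SecurityPolicyResolver` and the sample routes and addresses are hypothetical names and constructed values.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for a security options object; not an Ocelot type.
public sealed record SecurityPolicy(
    IReadOnlyList<string> Allowed,
    IReadOnlyList<string> Blocked,
    bool ExcludeAllowedFromBlocked);

public static class SecurityPolicyResolver
{
    // Rule from the thread: when the route defines its own object, every global
    // value is ignored; the global object is used only when the route has none.
    public static SecurityPolicy Resolve(SecurityPolicy? route, SecurityPolicy? global) =>
        route ?? global ?? new SecurityPolicy(Array.Empty<string>(), Array.Empty<string>(), false);

    // Audit helper: global block entries that no longer apply to a route
    // because the route-level object replaced the global one without merging.
    public static IReadOnlyList<string> GlobalBlocksNotApplied(SecurityPolicy? route, SecurityPolicy? global) =>
        route is null || global is null
            ? Array.Empty<string>()
            : global.Blocked.Except(route.Blocked).ToArray();
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data (documentation address ranges).
        var global = new SecurityPolicy(Array.Empty<string>(), new[] { "192.0.2.23" }, false);
        var routes = new Dictionary<string, SecurityPolicy?>
        {
            ["/orders"] = null, // no route-level object: the global policy applies
            ["/admin"] = new SecurityPolicy(new[] { "198.51.100.7" }, Array.Empty<string>(), false),
        };

        foreach (var (path, route) in routes)
        {
            var effective = SecurityPolicyResolver.Resolve(route, global);
            var lost = SecurityPolicyResolver.GlobalBlocksNotApplied(route, global);
            Console.WriteLine($"{path}: allowed=[{string.Join(",", effective.Allowed)}] " +
                              $"blocked=[{string.Join(",", effective.Blocked)}] " +
                              $"globalBlocksNotApplied=[{string.Join(",", lost)}]");
        }
    }
}
```

For the constructed `/admin` route the global entry `192.0.2.23` appears under `globalBlocksNotApplied`, which is the case to review whenever a route gains its own options object.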