ASP.NET Core uses UrlFirewall to filter requests

1. Introduction

UrlFirewall is an open source, lightweight middleware for filtering HTTP requests. It can be used in a Web API or in a gateway (such as Ocelot). I wrote it myself and published it on GitHub: https://github.com/stulzq/UrlFirewall. Stars are welcome.

2. Introduction to UrlFirewall

UrlFirewall is an HTTP request filtering middleware that can be used with a gateway (Ocelot) to block external network access to internal interfaces, so that internal services can call each other without those interfaces being exposed to the outside world. It supports blacklist mode and whitelist mode, and supports custom HTTP response status codes. It is extensible: you can implement your own validation logic and retrieve rules from a store such as a database or Redis cache.

3. Use

1. Add the package from NuGet to your ASP.NET Core project

Install-Package UrlFirewall.AspNetCore

2. Configure DI

public void ConfigureServices(IServiceCollection services)
{
    services.AddUrlFirewall(options =>
    {
        options.RuleType = UrlFirewallRuleType.Black;
        options.SetRuleList(Configuration.GetSection("UrlBlackList"));
        options.StatusCode = HttpStatusCode.NotFound;
    });
    services.AddMvc();
    //...
}

3. Configure middleware

The UrlFirewall middleware must be placed first in the pipeline, so that requests are filtered before any other middleware handles them.

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    //Configure url firewall middleware. Top most.
    app.UseUrlFirewall();

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseMvc();
}

4. Configure the rules

Step 2 used the section name UrlBlackList, so we add the following configuration to the appsettings.json / appsettings.Development.json file:

{
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Debug",
      "System": "Information",
      "Microsoft": "Information"
    }
  },
  "UrlBlackList": [
    {
      "Url": "/api/cart/add",
      "Method": "All"
    },
    {
      "Url": "/api/cart/del",
      "Method": "Post"
    },
    {
      "Url": "/api/cart/list",
      "Method": "Get"
    },
    {
      "Url": "/api/product/*",
      "Method": "All"
    }
  ]
}

The Url field is the URL of the HTTP request to be intercepted. It supports the wildcards * and ?: * matches any number of arbitrary characters, and ? matches one arbitrary character. The Method field is the HTTP request method: All means all methods, and the other values are Get, Post, Delete and Put.
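The rule semantics described above (wildcards, Method, blacklist versus whitelist), as an added example that is not UrlFirewall's own code: a stand-alone C# model run against the UrlBlackList from this page, usable as a template for checking a rule list before deploying it. The names RuleModel and RuleMode, the anchored case-insensitive matching and the meaning given to whitelist mode are assumptions of this model; confirm them against the middleware.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Stand-alone model of the rule semantics described above; not UrlFirewall's code.
public enum RuleMode { Black, White }   // illustrative names, not the library's types

public static class RuleModel
{
    // '*' matches any run of characters, '?' exactly one; the rest is literal.
    // Assumption: the whole path must match, compared case-insensitively.
    static Regex ToRegex(string pattern) => new Regex(
        "^" + Regex.Escape(pattern).Replace("\\*", ".*").Replace("\\?", ".") + "$",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    static bool Matches((string Url, string Method) rule, string method, string path) =>
        (rule.Method.Equals("All", StringComparison.OrdinalIgnoreCase)
         || rule.Method.Equals(method, StringComparison.OrdinalIgnoreCase))
        && ToRegex(rule.Url).IsMatch(path);

    // Black: a matching rule rejects the request.
    // White (assumed meaning): only requests that match a rule pass.
    public static bool IsAllowed(RuleMode mode, (string Url, string Method)[] rules,
                                 string method, string path)
    {
        bool hit = rules.Any(r => Matches(r, method, path));
        return mode == RuleMode.Black ? !hit : hit;
    }
}

public static class Program
{
    public static void Main()
    {
        // The UrlBlackList entries from the appsettings.json above.
        var rules = new (string Url, string Method)[] {
            ("/api/cart/add", "All"), ("/api/cart/del", "Post"),
            ("/api/cart/list", "Get"), ("/api/product/*", "All") };
        // Constructed sample requests (method, path).
        var probes = new[] { ("GET", "/api/cart/add"), ("GET", "/api/cart/del"),
            ("POST", "/api/cart/del"), ("DELETE", "/api/product/42"), ("GET", "/api/order/1") };
        foreach (var mode in new[] { RuleMode.Black, RuleMode.White })
            foreach (var (method, path) in probes)
                Console.WriteLine($"{mode,-5} {method,-6} {path,-16} -> " +
                    (RuleModel.IsAllowed(mode, rules, method, path) ? "pass" : "reject"));
    }
}
```

Extend the probes with the paths your gateway actually routes and check each verdict before switching between blacklist and whitelist mode.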

4. Expansion

If you want to implement your own validation logic, or query rules from a database, Redis cache or another store, you can implement the IUrlFirewallValidator interface and then call the AddUrlFirewallValidator method to replace the default implementation.

Example:

services.AddUrlFirewall(options =>
{
    options.RuleType = UrlFirewallRuleType.Black;
    options.SetRuleList(Configuration.GetSection("UrlBlackList"));
    options.StatusCode = HttpStatusCode.NotFound;
}).AddUrlFirewallValidator<CustomValidator>();

5. Address

Source code and Demo: https://github.com/stulzq/UrlFirewall
