C# Asp.Net内核中的IP安全
我正试图通过 IP 地址限制对一个站点的访问。在以前的 MVC 版本中,我会在 web.config 中添加如下内容:
<security>
<ipSecurity allowUnlisted="false" denyAction="NotFound">
<add allowed="true" ipAddress="XX.XX.XX.XX" subnetMask="255.255.255.0"/>
</ipSecurity>
</security>
现在处理这个问题的最佳方法是什么?是有内置的机制,还是需要其他方案?

Damian Bod 演示了如何实现中间件来处理 IP 白名单。
他给出了全局中间件或操作过滤器的示例
无论哪种方式,您都需要把允许的 IP 地址放到 appsettings.json 中,并对照它们检查客户端 IP 地址。客户端 IP 地址可以通过 HttpContext 获得(例如 context.Connection.RemoteIpAddress)。
如果要把整段 IP 地址范围列入白名单,可以使用 IPAddressRange NuGet 包(命名空间 NetTools),它支持多种格式,例如 "192.168.0.0/24" 和 "192.168.0.0/255.255.255.0",包括 CIDR 表达式和 IPv6。
以下是如何在过滤器中执行此操作的示例:
appsettings.json:
{
"IPAddressWhitelistConfiguration": {
"AuthorizedIPAddresses": [
"::1", // IPv6 localhost
"127.0.0.1", // IPv4 localhost
"192.168.0.0/16", // Local network
"10.0.0.0/16", // Local network
]
}
}
namespace My.Web.Configuration
{
using System.Collections.Generic;
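/// <summary>
/// Options class bound to the "IPAddressWhitelistConfiguration" section of appsettings.json.
/// Each entry is a single address or a range (CIDR or netmask form) that the filter later parses.
/// </summary>
public class IPWhitelistConfiguration : IIPWhitelistConfiguration
{
    /// <summary>
    /// Addresses or ranges allowed to reach the protected actions.
    /// Defaults to an empty list so a missing or empty configuration section fails closed
    /// (every client denied) instead of surfacing as a NullReferenceException when the filter
    /// enumerates it.
    /// </summary>
    public IEnumerable<string> AuthorizedIPAddresses { get; set; } = new List<string>();
}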
}
namespace My.Web.Configuration
{
using System.Collections.Generic;
/// <summary>
/// Read-only view of the IP allow-list consumed by the client-IP filter. It exists only to
/// decouple the filter from the options class that the configuration binder populates.
/// </summary>
public interface IIPWhitelistConfiguration
{
/// <summary>
/// Single addresses or ranges ("::1", "127.0.0.1", "192.168.0.0/16", ...) in a form that
/// IPAddressRange.Parse accepts. An empty sequence means no client is allowed.
/// </summary>
IEnumerable<string> AuthorizedIPAddresses { get; }
}
}
public class Startup
{
    // ...

    /// <summary>
    /// Registers the IP allow-list: binds the "IPAddressWhitelistConfiguration" section to
    /// <c>IPWhitelistConfiguration</c> and exposes the bound value through the read-only
    /// <c>IIPWhitelistConfiguration</c> interface the filter depends on.
    /// Note that ClientIPAddressFilterAttribute takes a constructor dependency, so it has to be
    /// applied with [ServiceFilter]/[TypeFilter] or added to MvcOptions.Filters rather than as
    /// a bare attribute.
    /// </summary>
    public void ConfigureServices(IServiceCollection services)
    {
        // ...
        var whitelistSection = Configuration.GetSection("IPAddressWhitelistConfiguration");
        services.Configure<IPWhitelistConfiguration>(whitelistSection);

        // Hand the filter the bound options value; IOptions<T> is a singleton snapshot, which
        // matches the filter's own assumption that the list is fixed for the process lifetime.
        services.AddSingleton<IIPWhitelistConfiguration>(provider =>
        {
            var options = provider.GetRequiredService<IOptions<IPWhitelistConfiguration>>();
            return options.Value;
        });
        // ...
    }
}
namespace My.Web.Filters
{
using System.Collections.Generic;
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using NetTools;
using My.Web.Configuration;
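/// <summary>
/// Action filter that short-circuits requests whose connection address is not inside one of the
/// configured allow-listed addresses/ranges.
/// Because it takes a constructor dependency it must be applied through
/// [ServiceFilter(typeof(ClientIPAddressFilterAttribute))] / [TypeFilter(...)] or added to
/// MvcOptions.Filters; it cannot be used as a bare attribute.
/// Connection.RemoteIpAddress is the address of the TCP peer. Behind a reverse proxy or CDN that
/// is the proxy's address, so the forwarded-headers middleware must run earlier in the pipeline
/// and be configured with KnownProxies/KnownNetworks. Do not read X-Forwarded-For here yourself:
/// the header is client-controlled unless a trusted proxy overwrote it.
/// </summary>
public class ClientIPAddressFilterAttribute : ActionFilterAttribute
{
    private readonly IReadOnlyList<IPAddressRange> authorizedRanges;

    /// <summary>
    /// Parses the configured entries exactly once. Materializing the list here (instead of
    /// keeping a deferred Select) means a malformed entry fails at construction rather than on
    /// every request, and the strings are not re-parsed per request.
    /// A null or empty configuration yields an empty list, i.e. every client is denied (fail closed).
    /// </summary>
    public ClientIPAddressFilterAttribute(IIPWhitelistConfiguration configuration)
    {
        var entries = configuration.AuthorizedIPAddresses ?? Enumerable.Empty<string>();
        this.authorizedRanges = entries.Select(item => IPAddressRange.Parse(item)).ToList();
    }

    /// <summary>
    /// Rejects the request before the action runs when the client address is missing or not
    /// allow-listed.
    /// </summary>
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        if (!this.IsAuthorized(context.HttpContext.Connection.RemoteIpAddress))
        {
            // 401 is kept for compatibility; it nominally means "authenticate", so a 403, or a 404
            // (the IIS denyAction="NotFound" equivalent) may fit a "hide the site" requirement better.
            context.Result = new UnauthorizedResult();
        }
    }

    /// <summary>
    /// Returns true only when <paramref name="clientIPAddress"/> is non-null and falls inside one
    /// of the configured ranges.
    /// </summary>
    private bool IsAuthorized(IPAddress clientIPAddress)
    {
        if (clientIPAddress is null)
        {
            // No peer address (e.g. an in-process test server): deny instead of relying on how
            // Contains(null) behaves.
            return false;
        }

        // Dual-stack listeners can present an IPv4 client as an IPv4-mapped IPv6 address
        // (::ffff:a.b.c.d); normalize so IPv4 entries in the configuration still match.
        if (clientIPAddress.IsIPv4MappedToIPv6)
        {
            clientIPAddress = clientIPAddress.MapToIPv4();
        }

        return this.authorizedRanges.Any(range => range.Contains(clientIPAddress));
    }
}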
IPWhiteListConfiguration.cs:
{
"IPAddressWhitelistConfiguration": {
"AuthorizedIPAddresses": [
"::1", // IPv6 localhost
"127.0.0.1", // IPv4 localhost
"192.168.0.0/16", // Local network
"10.0.0.0/16", // Local network
]
}
}
namespace My.Web.Configuration
{
using System.Collections.Generic;
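/// <summary>
/// Options class bound to the "IPAddressWhitelistConfiguration" section of appsettings.json.
/// Each entry is a single address or a range (CIDR or netmask form) that the filter later parses.
/// </summary>
public class IPWhitelistConfiguration : IIPWhitelistConfiguration
{
    /// <summary>
    /// Addresses or ranges allowed to reach the protected actions.
    /// Defaults to an empty list so a missing or empty configuration section fails closed
    /// (every client denied) instead of surfacing as a NullReferenceException when the filter
    /// enumerates it.
    /// </summary>
    public IEnumerable<string> AuthorizedIPAddresses { get; set; } = new List<string>();
}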
}
namespace My.Web.Configuration
{
using System.Collections.Generic;
/// <summary>
/// Read-only view of the IP allow-list consumed by the client-IP filter. It exists only to
/// decouple the filter from the options class that the configuration binder populates.
/// </summary>
public interface IIPWhitelistConfiguration
{
/// <summary>
/// Single addresses or ranges ("::1", "127.0.0.1", "192.168.0.0/16", ...) in a form that
/// IPAddressRange.Parse accepts. An empty sequence means no client is allowed.
/// </summary>
IEnumerable<string> AuthorizedIPAddresses { get; }
}
}
public class Startup
{
    // ...

    /// <summary>
    /// Registers the IP allow-list: binds the "IPAddressWhitelistConfiguration" section to
    /// <c>IPWhitelistConfiguration</c> and exposes the bound value through the read-only
    /// <c>IIPWhitelistConfiguration</c> interface the filter depends on.
    /// Note that ClientIPAddressFilterAttribute takes a constructor dependency, so it has to be
    /// applied with [ServiceFilter]/[TypeFilter] or added to MvcOptions.Filters rather than as
    /// a bare attribute.
    /// </summary>
    public void ConfigureServices(IServiceCollection services)
    {
        // ...
        var whitelistSection = Configuration.GetSection("IPAddressWhitelistConfiguration");
        services.Configure<IPWhitelistConfiguration>(whitelistSection);

        // Hand the filter the bound options value; IOptions<T> is a singleton snapshot, which
        // matches the filter's own assumption that the list is fixed for the process lifetime.
        services.AddSingleton<IIPWhitelistConfiguration>(provider =>
        {
            var options = provider.GetRequiredService<IOptions<IPWhitelistConfiguration>>();
            return options.Value;
        });
        // ...
    }
}
namespace My.Web.Filters
{
using System.Collections.Generic;
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using NetTools;
using My.Web.Configuration;
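/// <summary>
/// Action filter that short-circuits requests whose connection address is not inside one of the
/// configured allow-listed addresses/ranges.
/// Because it takes a constructor dependency it must be applied through
/// [ServiceFilter(typeof(ClientIPAddressFilterAttribute))] / [TypeFilter(...)] or added to
/// MvcOptions.Filters; it cannot be used as a bare attribute.
/// Connection.RemoteIpAddress is the address of the TCP peer. Behind a reverse proxy or CDN that
/// is the proxy's address, so the forwarded-headers middleware must run earlier in the pipeline
/// and be configured with KnownProxies/KnownNetworks. Do not read X-Forwarded-For here yourself:
/// the header is client-controlled unless a trusted proxy overwrote it.
/// </summary>
public class ClientIPAddressFilterAttribute : ActionFilterAttribute
{
    private readonly IReadOnlyList<IPAddressRange> authorizedRanges;

    /// <summary>
    /// Parses the configured entries exactly once. Materializing the list here (instead of
    /// keeping a deferred Select) means a malformed entry fails at construction rather than on
    /// every request, and the strings are not re-parsed per request.
    /// A null or empty configuration yields an empty list, i.e. every client is denied (fail closed).
    /// </summary>
    public ClientIPAddressFilterAttribute(IIPWhitelistConfiguration configuration)
    {
        var entries = configuration.AuthorizedIPAddresses ?? Enumerable.Empty<string>();
        this.authorizedRanges = entries.Select(item => IPAddressRange.Parse(item)).ToList();
    }

    /// <summary>
    /// Rejects the request before the action runs when the client address is missing or not
    /// allow-listed.
    /// </summary>
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        if (!this.IsAuthorized(context.HttpContext.Connection.RemoteIpAddress))
        {
            // 401 is kept for compatibility; it nominally means "authenticate", so a 403, or a 404
            // (the IIS denyAction="NotFound" equivalent) may fit a "hide the site" requirement better.
            context.Result = new UnauthorizedResult();
        }
    }

    /// <summary>
    /// Returns true only when <paramref name="clientIPAddress"/> is non-null and falls inside one
    /// of the configured ranges.
    /// </summary>
    private bool IsAuthorized(IPAddress clientIPAddress)
    {
        if (clientIPAddress is null)
        {
            // No peer address (e.g. an in-process test server): deny instead of relying on how
            // Contains(null) behaves.
            return false;
        }

        // Dual-stack listeners can present an IPv4 client as an IPv4-mapped IPv6 address
        // (::ffff:a.b.c.d); normalize so IPv4 entries in the configuration still match.
        if (clientIPAddress.IsIPv4MappedToIPv6)
        {
            clientIPAddress = clientIPAddress.MapToIPv4();
        }

        return this.authorizedRanges.Any(range => range.Contains(clientIPAddress));
    }
}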
名称空间My.Web.Configuration
{
使用System.Collections.Generic;
公共类IPWhitelistConfiguration:IIPWhitelistConfiguration
{
公共IEnumerable地址{get;set;}
}
}
IIPWhiteListConfiguration.cs:
{
"IPAddressWhitelistConfiguration": {
"AuthorizedIPAddresses": [
"::1", // IPv6 localhost
"127.0.0.1", // IPv4 localhost
"192.168.0.0/16", // Local network
"10.0.0.0/16", // Local network
]
}
}
namespace My.Web.Configuration
{
using System.Collections.Generic;
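/// <summary>
/// Options class bound to the "IPAddressWhitelistConfiguration" section of appsettings.json.
/// Each entry is a single address or a range (CIDR or netmask form) that the filter later parses.
/// </summary>
public class IPWhitelistConfiguration : IIPWhitelistConfiguration
{
    /// <summary>
    /// Addresses or ranges allowed to reach the protected actions.
    /// Defaults to an empty list so a missing or empty configuration section fails closed
    /// (every client denied) instead of surfacing as a NullReferenceException when the filter
    /// enumerates it.
    /// </summary>
    public IEnumerable<string> AuthorizedIPAddresses { get; set; } = new List<string>();
}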
}
namespace My.Web.Configuration
{
using System.Collections.Generic;
/// <summary>
/// Read-only view of the IP allow-list consumed by the client-IP filter. It exists only to
/// decouple the filter from the options class that the configuration binder populates.
/// </summary>
public interface IIPWhitelistConfiguration
{
/// <summary>
/// Single addresses or ranges ("::1", "127.0.0.1", "192.168.0.0/16", ...) in a form that
/// IPAddressRange.Parse accepts. An empty sequence means no client is allowed.
/// </summary>
IEnumerable<string> AuthorizedIPAddresses { get; }
}
}
public class Startup
{
    // ...

    /// <summary>
    /// Registers the IP allow-list: binds the "IPAddressWhitelistConfiguration" section to
    /// <c>IPWhitelistConfiguration</c> and exposes the bound value through the read-only
    /// <c>IIPWhitelistConfiguration</c> interface the filter depends on.
    /// Note that ClientIPAddressFilterAttribute takes a constructor dependency, so it has to be
    /// applied with [ServiceFilter]/[TypeFilter] or added to MvcOptions.Filters rather than as
    /// a bare attribute.
    /// </summary>
    public void ConfigureServices(IServiceCollection services)
    {
        // ...
        var whitelistSection = Configuration.GetSection("IPAddressWhitelistConfiguration");
        services.Configure<IPWhitelistConfiguration>(whitelistSection);

        // Hand the filter the bound options value; IOptions<T> is a singleton snapshot, which
        // matches the filter's own assumption that the list is fixed for the process lifetime.
        services.AddSingleton<IIPWhitelistConfiguration>(provider =>
        {
            var options = provider.GetRequiredService<IOptions<IPWhitelistConfiguration>>();
            return options.Value;
        });
        // ...
    }
}
namespace My.Web.Filters
{
using System.Collections.Generic;
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using NetTools;
using My.Web.Configuration;
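/// <summary>
/// Action filter that short-circuits requests whose connection address is not inside one of the
/// configured allow-listed addresses/ranges.
/// Because it takes a constructor dependency it must be applied through
/// [ServiceFilter(typeof(ClientIPAddressFilterAttribute))] / [TypeFilter(...)] or added to
/// MvcOptions.Filters; it cannot be used as a bare attribute.
/// Connection.RemoteIpAddress is the address of the TCP peer. Behind a reverse proxy or CDN that
/// is the proxy's address, so the forwarded-headers middleware must run earlier in the pipeline
/// and be configured with KnownProxies/KnownNetworks. Do not read X-Forwarded-For here yourself:
/// the header is client-controlled unless a trusted proxy overwrote it.
/// </summary>
public class ClientIPAddressFilterAttribute : ActionFilterAttribute
{
    private readonly IReadOnlyList<IPAddressRange> authorizedRanges;

    /// <summary>
    /// Parses the configured entries exactly once. Materializing the list here (instead of
    /// keeping a deferred Select) means a malformed entry fails at construction rather than on
    /// every request, and the strings are not re-parsed per request.
    /// A null or empty configuration yields an empty list, i.e. every client is denied (fail closed).
    /// </summary>
    public ClientIPAddressFilterAttribute(IIPWhitelistConfiguration configuration)
    {
        var entries = configuration.AuthorizedIPAddresses ?? Enumerable.Empty<string>();
        this.authorizedRanges = entries.Select(item => IPAddressRange.Parse(item)).ToList();
    }

    /// <summary>
    /// Rejects the request before the action runs when the client address is missing or not
    /// allow-listed.
    /// </summary>
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        if (!this.IsAuthorized(context.HttpContext.Connection.RemoteIpAddress))
        {
            // 401 is kept for compatibility; it nominally means "authenticate", so a 403, or a 404
            // (the IIS denyAction="NotFound" equivalent) may fit a "hide the site" requirement better.
            context.Result = new UnauthorizedResult();
        }
    }

    /// <summary>
    /// Returns true only when <paramref name="clientIPAddress"/> is non-null and falls inside one
    /// of the configured ranges.
    /// </summary>
    private bool IsAuthorized(IPAddress clientIPAddress)
    {
        if (clientIPAddress is null)
        {
            // No peer address (e.g. an in-process test server): deny instead of relying on how
            // Contains(null) behaves.
            return false;
        }

        // Dual-stack listeners can present an IPv4 client as an IPv4-mapped IPv6 address
        // (::ffff:a.b.c.d); normalize so IPv4 entries in the configuration still match.
        if (clientIPAddress.IsIPv4MappedToIPv6)
        {
            clientIPAddress = clientIPAddress.MapToIPv4();
        }

        return this.authorizedRanges.Any(range => range.Contains(clientIPAddress));
    }
}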
名称空间My.Web.Configuration
{
使用System.Collections.Generic;
公共接口IIPWhitelistConfiguration
{
IEnumerable地址{get;}
}
}
Startup.cs:
{
"IPAddressWhitelistConfiguration": {
"AuthorizedIPAddresses": [
"::1", // IPv6 localhost
"127.0.0.1", // IPv4 localhost
"192.168.0.0/16", // Local network
"10.0.0.0/16", // Local network
]
}
}
namespace My.Web.Configuration
{
using System.Collections.Generic;
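/// <summary>
/// Options class bound to the "IPAddressWhitelistConfiguration" section of appsettings.json.
/// Each entry is a single address or a range (CIDR or netmask form) that the filter later parses.
/// </summary>
public class IPWhitelistConfiguration : IIPWhitelistConfiguration
{
    /// <summary>
    /// Addresses or ranges allowed to reach the protected actions.
    /// Defaults to an empty list so a missing or empty configuration section fails closed
    /// (every client denied) instead of surfacing as a NullReferenceException when the filter
    /// enumerates it.
    /// </summary>
    public IEnumerable<string> AuthorizedIPAddresses { get; set; } = new List<string>();
}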
}
namespace My.Web.Configuration
{
using System.Collections.Generic;
/// <summary>
/// Read-only view of the IP allow-list consumed by the client-IP filter. It exists only to
/// decouple the filter from the options class that the configuration binder populates.
/// </summary>
public interface IIPWhitelistConfiguration
{
/// <summary>
/// Single addresses or ranges ("::1", "127.0.0.1", "192.168.0.0/16", ...) in a form that
/// IPAddressRange.Parse accepts. An empty sequence means no client is allowed.
/// </summary>
IEnumerable<string> AuthorizedIPAddresses { get; }
}
}
public class Startup
{
    // ...

    /// <summary>
    /// Registers the IP allow-list: binds the "IPAddressWhitelistConfiguration" section to
    /// <c>IPWhitelistConfiguration</c> and exposes the bound value through the read-only
    /// <c>IIPWhitelistConfiguration</c> interface the filter depends on.
    /// Note that ClientIPAddressFilterAttribute takes a constructor dependency, so it has to be
    /// applied with [ServiceFilter]/[TypeFilter] or added to MvcOptions.Filters rather than as
    /// a bare attribute.
    /// </summary>
    public void ConfigureServices(IServiceCollection services)
    {
        // ...
        var whitelistSection = Configuration.GetSection("IPAddressWhitelistConfiguration");
        services.Configure<IPWhitelistConfiguration>(whitelistSection);

        // Hand the filter the bound options value; IOptions<T> is a singleton snapshot, which
        // matches the filter's own assumption that the list is fixed for the process lifetime.
        services.AddSingleton<IIPWhitelistConfiguration>(provider =>
        {
            var options = provider.GetRequiredService<IOptions<IPWhitelistConfiguration>>();
            return options.Value;
        });
        // ...
    }
}
namespace My.Web.Filters
{
using System.Collections.Generic;
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using NetTools;
using My.Web.Configuration;
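/// <summary>
/// Action filter that short-circuits requests whose connection address is not inside one of the
/// configured allow-listed addresses/ranges.
/// Because it takes a constructor dependency it must be applied through
/// [ServiceFilter(typeof(ClientIPAddressFilterAttribute))] / [TypeFilter(...)] or added to
/// MvcOptions.Filters; it cannot be used as a bare attribute.
/// Connection.RemoteIpAddress is the address of the TCP peer. Behind a reverse proxy or CDN that
/// is the proxy's address, so the forwarded-headers middleware must run earlier in the pipeline
/// and be configured with KnownProxies/KnownNetworks. Do not read X-Forwarded-For here yourself:
/// the header is client-controlled unless a trusted proxy overwrote it.
/// </summary>
public class ClientIPAddressFilterAttribute : ActionFilterAttribute
{
    private readonly IReadOnlyList<IPAddressRange> authorizedRanges;

    /// <summary>
    /// Parses the configured entries exactly once. Materializing the list here (instead of
    /// keeping a deferred Select) means a malformed entry fails at construction rather than on
    /// every request, and the strings are not re-parsed per request.
    /// A null or empty configuration yields an empty list, i.e. every client is denied (fail closed).
    /// </summary>
    public ClientIPAddressFilterAttribute(IIPWhitelistConfiguration configuration)
    {
        var entries = configuration.AuthorizedIPAddresses ?? Enumerable.Empty<string>();
        this.authorizedRanges = entries.Select(item => IPAddressRange.Parse(item)).ToList();
    }

    /// <summary>
    /// Rejects the request before the action runs when the client address is missing or not
    /// allow-listed.
    /// </summary>
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        if (!this.IsAuthorized(context.HttpContext.Connection.RemoteIpAddress))
        {
            // 401 is kept for compatibility; it nominally means "authenticate", so a 403, or a 404
            // (the IIS denyAction="NotFound" equivalent) may fit a "hide the site" requirement better.
            context.Result = new UnauthorizedResult();
        }
    }

    /// <summary>
    /// Returns true only when <paramref name="clientIPAddress"/> is non-null and falls inside one
    /// of the configured ranges.
    /// </summary>
    private bool IsAuthorized(IPAddress clientIPAddress)
    {
        if (clientIPAddress is null)
        {
            // No peer address (e.g. an in-process test server): deny instead of relying on how
            // Contains(null) behaves.
            return false;
        }

        // Dual-stack listeners can present an IPv4 client as an IPv4-mapped IPv6 address
        // (::ffff:a.b.c.d); normalize so IPv4 entries in the configuration still match.
        if (clientIPAddress.IsIPv4MappedToIPv6)
        {
            clientIPAddress = clientIPAddress.MapToIPv4();
        }

        return this.authorizedRanges.Any(range => range.Contains(clientIPAddress));
    }
}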
公共类启动
{
// ...
public void配置服务(IServiceCollection服务)
{
// ...
服务。配置(
GetSection(“IPAddressWhitelistConfiguration”);
服务.AddSingleton(
解析程序=>resolver.GetRequiredService().Value);
// ...
}
}
ClientIPAddressFilterAttribute.cs:
{
"IPAddressWhitelistConfiguration": {
"AuthorizedIPAddresses": [
"::1", // IPv6 localhost
"127.0.0.1", // IPv4 localhost
"192.168.0.0/16", // Local network
"10.0.0.0/16", // Local network
]
}
}
namespace My.Web.Configuration
{
using System.Collections.Generic;
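/// <summary>
/// Options class bound to the "IPAddressWhitelistConfiguration" section of appsettings.json.
/// Each entry is a single address or a range (CIDR or netmask form) that the filter later parses.
/// </summary>
public class IPWhitelistConfiguration : IIPWhitelistConfiguration
{
    /// <summary>
    /// Addresses or ranges allowed to reach the protected actions.
    /// Defaults to an empty list so a missing or empty configuration section fails closed
    /// (every client denied) instead of surfacing as a NullReferenceException when the filter
    /// enumerates it.
    /// </summary>
    public IEnumerable<string> AuthorizedIPAddresses { get; set; } = new List<string>();
}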
}
namespace My.Web.Configuration
{
using System.Collections.Generic;
/// <summary>
/// Read-only view of the IP allow-list consumed by the client-IP filter. It exists only to
/// decouple the filter from the options class that the configuration binder populates.
/// </summary>
public interface IIPWhitelistConfiguration
{
/// <summary>
/// Single addresses or ranges ("::1", "127.0.0.1", "192.168.0.0/16", ...) in a form that
/// IPAddressRange.Parse accepts. An empty sequence means no client is allowed.
/// </summary>
IEnumerable<string> AuthorizedIPAddresses { get; }
}
}
public class Startup
{
    // ...

    /// <summary>
    /// Registers the IP allow-list: binds the "IPAddressWhitelistConfiguration" section to
    /// <c>IPWhitelistConfiguration</c> and exposes the bound value through the read-only
    /// <c>IIPWhitelistConfiguration</c> interface the filter depends on.
    /// Note that ClientIPAddressFilterAttribute takes a constructor dependency, so it has to be
    /// applied with [ServiceFilter]/[TypeFilter] or added to MvcOptions.Filters rather than as
    /// a bare attribute.
    /// </summary>
    public void ConfigureServices(IServiceCollection services)
    {
        // ...
        var whitelistSection = Configuration.GetSection("IPAddressWhitelistConfiguration");
        services.Configure<IPWhitelistConfiguration>(whitelistSection);

        // Hand the filter the bound options value; IOptions<T> is a singleton snapshot, which
        // matches the filter's own assumption that the list is fixed for the process lifetime.
        services.AddSingleton<IIPWhitelistConfiguration>(provider =>
        {
            var options = provider.GetRequiredService<IOptions<IPWhitelistConfiguration>>();
            return options.Value;
        });
        // ...
    }
}
namespace My.Web.Filters
{
using System.Collections.Generic;
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using NetTools;
using My.Web.Configuration;
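/// <summary>
/// Action filter that short-circuits requests whose connection address is not inside one of the
/// configured allow-listed addresses/ranges.
/// Because it takes a constructor dependency it must be applied through
/// [ServiceFilter(typeof(ClientIPAddressFilterAttribute))] / [TypeFilter(...)] or added to
/// MvcOptions.Filters; it cannot be used as a bare attribute.
/// Connection.RemoteIpAddress is the address of the TCP peer. Behind a reverse proxy or CDN that
/// is the proxy's address, so the forwarded-headers middleware must run earlier in the pipeline
/// and be configured with KnownProxies/KnownNetworks. Do not read X-Forwarded-For here yourself:
/// the header is client-controlled unless a trusted proxy overwrote it.
/// </summary>
public class ClientIPAddressFilterAttribute : ActionFilterAttribute
{
    private readonly IReadOnlyList<IPAddressRange> authorizedRanges;

    /// <summary>
    /// Parses the configured entries exactly once. Materializing the list here (instead of
    /// keeping a deferred Select) means a malformed entry fails at construction rather than on
    /// every request, and the strings are not re-parsed per request.
    /// A null or empty configuration yields an empty list, i.e. every client is denied (fail closed).
    /// </summary>
    public ClientIPAddressFilterAttribute(IIPWhitelistConfiguration configuration)
    {
        var entries = configuration.AuthorizedIPAddresses ?? Enumerable.Empty<string>();
        this.authorizedRanges = entries.Select(item => IPAddressRange.Parse(item)).ToList();
    }

    /// <summary>
    /// Rejects the request before the action runs when the client address is missing or not
    /// allow-listed.
    /// </summary>
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        if (!this.IsAuthorized(context.HttpContext.Connection.RemoteIpAddress))
        {
            // 401 is kept for compatibility; it nominally means "authenticate", so a 403, or a 404
            // (the IIS denyAction="NotFound" equivalent) may fit a "hide the site" requirement better.
            context.Result = new UnauthorizedResult();
        }
    }

    /// <summary>
    /// Returns true only when <paramref name="clientIPAddress"/> is non-null and falls inside one
    /// of the configured ranges.
    /// </summary>
    private bool IsAuthorized(IPAddress clientIPAddress)
    {
        if (clientIPAddress is null)
        {
            // No peer address (e.g. an in-process test server): deny instead of relying on how
            // Contains(null) behaves.
            return false;
        }

        // Dual-stack listeners can present an IPv4 client as an IPv4-mapped IPv6 address
        // (::ffff:a.b.c.d); normalize so IPv4 entries in the configuration still match.
        if (clientIPAddress.IsIPv4MappedToIPv6)
        {
            clientIPAddress = clientIPAddress.MapToIPv4();
        }

        return this.authorizedRanges.Any(range => range.Contains(clientIPAddress));
    }
}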
namespace My.Web.Filters
{
使用System.Collections.Generic;
使用System.Linq;
Net系统;
使用Microsoft.AspNetCore.Mvc;
使用Microsoft.AspNetCore.Mvc.Filters;
使用网络工具;
使用My.Web.Configuration;
公共类ClientIPAddressFilterAttribute:ActionFilterAttribute
{
私有只读IEnumerabledranges;
公共ClientIPAddressFilterAttribute(IIPWhitelistConfiguration配置)
{
this.authorizedRanges=configuration.authorizedAddresses
.Select(item=>IPAddressRange.Parse(item));
}
公共重写无效OnActionExecuting(ActionExecutingContext上下文)
{
var clientIPAddress=context.HttpContext.Connection.RemoteIpAddress;
如果(!this.authorizedRanges.Any(range=>range.Contains(clientIPAddress)))
{
context.Result=新的UnauthorizedResult();
}
}
}
我需要类似的东西,但只把单个 IP 地址列入安全列表对我来说还不够,因为我必须按 CIDR 表示法放行整段 IP 地址范围(用于 Cloudflare)。我昨天刚安装了 Firewall 包(下面代码里的 UseFirewall / FirewallRulesEngine 就来自它);简而言之,安装之后可以像这样配置 IP 过滤规则:
namespace BasicApp
{
/// <summary>
/// Minimal pipeline that allow-lists a handful of hosts and CIDR blocks with the Firewall
/// middleware (UseFirewall / FirewallRulesEngine) and rejects every other caller.
/// The literals below are sample values; in a real deployment read them from configuration
/// instead of embedding them in code, and keep UseFirewall ahead of the rest of the pipeline so
/// denied requests are never routed. If the app sits behind Cloudflare or another proxy, the
/// rules only see the proxy's address unless forwarded-headers handling (with known proxies
/// configured) runs before this middleware.
/// </summary>
public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        // Individual hosts that bypass the deny-all rule.
        var permittedHosts = new List<IPAddress>();
        foreach (var literal in new[] { "10.20.30.40", "1.2.3.4", "5.6.7.8" })
        {
            permittedHosts.Add(IPAddress.Parse(literal));
        }

        // Whole networks, in CIDR notation, that bypass the deny-all rule.
        var permittedNetworks = new List<CIDRNotation>
        {
            CIDRNotation.Parse("110.40.88.12/28"),
            CIDRNotation.Parse("88.77.99.11/8"),
        };

        // Default-deny, with the two exception lists layered on top.
        var rules = FirewallRulesEngine
            .DenyAllAccess()
            .ExceptFromIPAddressRanges(permittedNetworks)
            .ExceptFromIPAddresses(permittedHosts);
        app.UseFirewall(rules);

        app.Run(async context =>
        {
            await context.Response.WriteAsync("Hello World!");
        });
    }
}
}
名称空间
{
公营创业
{
公共void配置(IApplicationBuilder应用程序)
{
允许变异=
新名单
{
IPAddress.Parse(“10.20.30.40”),
IPAddress.Parse(“1.2.3.4”),
IPAddress.Parse(“5.6.7.8”)
};
var允许使用的杀虫剂=
新名单
{
CIDRNotation.Parse(“110.40.88.12/28”),
CIDRNotation.Parse(“88.77.99.11/8”)
};
app.UseFirewall(
防火墙规则引擎
.DenyAllAccess()
.IP地址范围(允许的CIDR)除外
。IP地址(允许IP)除外;
app.Run(异步(上下文)=>
{
wait context.Response.WriteAsync(“Hello World!”);
});
}
}
}
您能找出内部服务器错误具体是什么,并把它补充到帖子里吗?
ipSecurity 是 IIS 特有的,而 ASP.NET Core 的目标是通过 Kestrel 服务器跨平台地处理 Web 请求。可能有更好的方法,但可以在中间件管道中按相关文章所述取得客户端 IP 地址,然后返回 NotFound 结果。
@rboe 啊,是的,这说得通。那么你认为这需要手动添加吗?我想可能是这样。
@mason 已编辑,谢谢。
@rboe:在 ASP.NET Core 中,通过 HttpContext.Connection.RemoteIpAddress 取得 IP 并不那么容易/一致:这个默认值给出的可能是反向代理的 IP(如果有反向代理)而不是用户 IP,取决于是否是在面向 Internet 的服务器(IIS 或 Linux 上的 nginx)上做这件事。
这个回答更合理,但我认为博客帖子的链接是错的。
@CalC 谢谢,现在已修复!
我想知道 IPWhiteListConfiguration.cs 中使用的接口 IIPWhitelistConfiguration 是什么样子的。它是否继承 IConfiguration?
@Verzada 它只是一个只公开 AuthorizedIPAddresses 属性 getter 的接口。这对示例并不重要,只是为了把客户端代码与 IPWhitelistConfiguration 的实现解耦。为了完整性,我已把它加到答案中,并展示了如何注册和解析它。
@Ergwun 我刚开始接触 .NET Core,因此非常感谢任何能把事情讲清楚的东西,例如如何在这个框架中做依赖注入的示例。感谢你花时间补充信息 :)