Reverse proxies like Nginx and Apache have the ability to integrate ModSecurity WAF. While it may not be feasible to integrate that library, it would be good to have some blocking options for the proxy. In the issue "Proxy is hardened so it can directly face the internet" it was mentioned that any blocking should be applied at the middleware layer before reaching YARP, so opening up the discussion here for feedback.

There don't appear to be any good resources for blocking unwanted traffic within Kestrel, but I think pluggable modules configured by user-defined rules would complement the YARP project very well. Simple rules like blocking user agents like curl, wget etc. and GeoIP2 country lookup using MaxMind DB Reader would be a good starting point.

Does anyone else think that this would be worthwhile and would you use it?
There's nothing here that would be proxy specific, any ASP.NET Core app could benefit from such components. Here are some similar examples people have already developed: https://edi.wang/post/2019/6/16/ip-rate-limit-for-aspnet-core
Yes, none of those things are proxy specific, but I think from a practical level they would have more utility at the proxy than at the application - maybe I'm alone in thinking that. I have seen those links that you provided covering rate limiting and safe lists, which are useful but are narrow in scope. My suggestion is for something broader and more customizable. To that end I'm putting together a simple rule-based middleware that allows for user-defined rules in configuration. I plan to create a GitHub repo soon and will share the link here once that happens. Hopefully others will find it useful.
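The rule-based blocking discussed in this thread, written as middleware registered ahead of YARP. This is an added example, not code from the thread's participants, YARP or KestrelWAF; the `Waf` configuration section, its key names and the sample values are assumptions.

```csharp
// Program.cs (added example; not code from YARP or KestrelWAF).
// Assumes a .NET 6+ web project with implicit usings and the Yarp.ReverseProxy package.
// The "Waf" section and its key names are hypothetical.
using System.Net;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"));

// appsettings.json (constructed sample values):
//   "Waf": { "BlockedUserAgents": [ "curl", "wget" ], "BlockedAddresses": [ "203.0.113.7" ] }
var waf = builder.Configuration.GetSection("Waf");
var blockedAgents = waf.GetSection("BlockedUserAgents").Get<string[]>() ?? Array.Empty<string>();
var blockedAddresses = (waf.GetSection("BlockedAddresses").Get<string[]>() ?? Array.Empty<string>())
    .Select(a => IPAddress.Parse(a).MapToIPv6()) // normalise so IPv4-mapped addresses compare equal
    .ToHashSet();

// Each rule returns a reason when the request should be blocked, otherwise null.
var rules = new List<Func<HttpContext, string?>>
{
    ctx =>
    {
        var ua = ctx.Request.Headers.UserAgent.ToString();
        var hit = blockedAgents.FirstOrDefault(t => ua.Contains(t, StringComparison.OrdinalIgnoreCase));
        return hit is null ? null : $"user agent matches '{hit}'";
    },
    ctx =>
    {
        var ip = ctx.Connection.RemoteIpAddress?.MapToIPv6();
        return ip is not null && blockedAddresses.Contains(ip) ? $"address {ip} is blocked" : null;
    },
};

var app = builder.Build();

// Registered before MapReverseProxy, so a blocked request never reaches YARP.
app.Use(async (context, next) =>
{
    foreach (var rule in rules)
        if (rule(context) is { } reason)
        {
            app.Logger.LogWarning("Blocked {Path}: {Reason}", context.Request.Path, reason);
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return; // short-circuit: the proxy pipeline is never invoked
        }
    await next(context);
});
app.MapReverseProxy();
app.Run();
```

The User-Agent header is client-controlled, so that rule only filters clients that do not change it. When another proxy or load balancer sits in front of Kestrel, `RemoteIpAddress` is that hop's address unless forwarded headers are configured.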
I've created a sample project using reverse proxy that implements a basic rules-based WAF in middleware at https://github.com/mguinness/KestrelWAF.
There's nothing here that would be proxy specific, any ASP.NET Core app could benefit from such components. Here are some similar examples people have already developed:
https://edi.wang/post/2019/6/16/ip-rate-limit-for-aspnet-core
https://docs.microsoft.com/en-us/aspnet/core/security/ip-safelist?view=aspnetcore-5.0
https://damienbod.com/2016/12/18/implementing-a-client-white-list-using-asp-net-core-middleware/