Press "Enter" to skip to content

How to implement IP whitelists in ASP.NET Core 6

When operating with programs in ASP.Internet Core 6, you will normally want to produce an IP handle whitelist to let consumer requests only from certain IP addresses, although blocking requests from all other addresses. We do this to defend our API endpoints from possibly destructive requests from poor actors, whilst at the very same time permitting requests originating from reliable IP addresses.

Also referred to as an IP safelist, an IP whitelist allows to ensure that our application’s delicate details is exposed only to IP addresses that we know and have confidence in. An IP whitelist can be executed in ASP.Internet Main by making use of middleware or by making use of MVC motion filters. This write-up reveals how we can carry out an IP whitelist in ASP.Internet Core 6 by employing middleware.

To do the job with the code illustrations offered in this write-up, you ought to have Visible Studio 2022 set up in your method. If you really do not previously have a duplicate, you can download Visible Studio 2022 here.

Create an ASP.Web Main World-wide-web API project in Visible Studio 2022

Initial off, let us produce an ASP.Internet Core job in Visible Studio 2022. Subsequent these measures will develop a new ASP.Net Core World-wide-web API project in Visible Studio 2022:

  1. Start the Visible Studio 2022 IDE.
  2. Simply click on “Create new undertaking.”
  3. In the “Create new project” window, find “ASP.Internet Core Net API” from the checklist of templates exhibited.
  4. Simply click Future.
  5. In the “Configure your new project” window, specify the title and place for the new job.
  6. Optionally examine the “Place option and challenge in the identical directory” examine box, based on your preferences.
  7. Simply click Upcoming.
  8. In the “Additional Information” window proven following, be certain that the “Use controllers…” check out box is checked. Leave the “Authentication Type” set to “None” (default). And make sure the examine packing containers “Enable Docker,” “Configure for HTTPS,” and “Enable Open up API Support” are unchecked as we won’t be utilizing any of individuals options in this article.
  9. Simply click Develop.

We’ll use this ASP.Net Core 6 World wide web API job to function with IP whitelists in the subsequent sections of this posting.

The Software class in ASP.Web Main 6

Application and Startup are the primary courses for configuring your .Internet applications. Having said that, ASP.Net Main 6 supplies a simplified programming and internet hosting model that gets rid of most of the boilerplate code. You no more time have the Startup course now. Alternatively, you have to write your code to configure the request processing pipeline in the Software course.

When you develop a new ASP.Web Core 6 venture in Visible Studio, the Plan class would search like this:

var builder = WebApplication.CreateBuilder(args)
// Incorporate expert services to the container.
builder.Expert services.AddControllers()
var application = builder.Create()
// Configure the HTTP ask for pipeline.
app.UseAuthorization()
application.MapControllers()
app.Operate()

We’ll use this Application course in the subsequent sections of this article. But 1st we’ll analyze how we can put into action an IP whitelist middleware in ASP.Internet Core 6.

Specify the whitelisted IP addresses in the config file

Specify the following whitelisted IP addresses in the appsettings.json file.

"IPWhitelistOptions": 
    "Whitelist": [ "192.168.0.9", "192.168.1.9", "::1" ]
 

Be aware that these IP addresses have been supplied for illustration reasons only. You must replace these IP addresses with the IP addresses you would like to whitelist.

Now make a new class named IPWhitelistOptions with the following code, which will go through the config values (IP addresses) we just specified.

community course IPWhitelistOptions

   general public Record Whitelist get set

Produce the IPWhitelistMiddleware course

To make our middleware that will whitelist our IP addresses, produce a new course termed IPWhitelistMiddleware with the adhering to code.

public class IPWhitelistMiddleware
    {
        non-public readonly RequestDelegate _next
        private readonly IPWhitelistOptions _iPWhitelistOptions
        private readonly ILogger _logger
        public IPWhitelistMiddleware(RequestDelegate following,
        ILogger logger,
            IOptions applicationOptionsAccessor)
       
            _iPWhitelistOptions = applicationOptionsAccessor.Price
            _subsequent = next
            _logger = logger
       
        general public async Activity Invoke(HttpContext context)
       
            if (context.Ask for.Process != HttpMethod.Get.Technique)
           
                var ipAddress = context.Link.RemoteIpAddress
                Checklist whiteListIPList =
                _iPWhitelistOptions.Whitelist
                var isIPWhitelisted = whiteListIPList
                .Where(ip => IPAddress.Parse(ip)
                .Equals(ipAddress))
                .Any()
                if (!isIPWhitelisted)
               
                    _logger.LogWarning(
                    "Ask for from Remote IP deal with: RemoteIp
                    is forbidden.", ipAddress)
                    context.Response.StatusCode =
                    (int)HttpStatusCode.Forbidden
                    return
               
                        
            await _up coming.Invoke(context)
       
    }

Observe that, in this illustration, whitelisting of IP addresses will function for all HTTP verbs apart from HTTP Get. If you want this whitelist to apply to all HTTP verbs, you can just comment out the pursuing statement in the Invoke strategy.

if (context.Request.Technique != HttpMethod.Get.Method)

In the Invoke system of our middleware, we’re reading through all whitelisted IP addresses in a Checklist of string. If the IP address where by the ask for originated matches a person of the IP addresses in the list, the request is allowed normally the middleware returns HTTP 403 Forbidden and a log information is generated appropriately.

The IPWhitelistMiddlewareExtensions course

Now, develop a course named IPWhitelistMiddlewareExtensions and enter the subsequent code.

 public static course IPWhitelistMiddlewareExtensions
   
        public static IApplicationBuilder UseIPWhitelist(this
        IApplicationBuilder builder)
       
            return builder.UseMiddleware()
       
   

We’ll use our IP whitelist middleware in the System class as illustrated in the following segment.

Configure the IP whitelist middleware in the Program class

You really should configure the IP whitelist middleware in the Software class using the Configure technique of the Services selection, as revealed in the code snippet specified beneath.

builder.Providers.Configure(builder.Configuration.GetSection("IPWhitelistOptions"))

Now, insert the subsequent line of code in the System course to leverage the extension strategy we designed previously.

app.UseIPWhitelist()

Below is how your Application course should glance now:

using IPWhiteListDemo
making use of Procedure.Configuration
var builder = WebApplication.CreateBuilder(args)
builder.Providers.Configure(builder.Configuration.GetSection("IPWhitelistOptions"))
builder.Expert services.AddControllers()
var application = builder.Establish()
app.UseIPWhitelist()
app.UseAuthorization()
application.MapControllers()
app.Operate()

And lastly, operate the software by urgent the F5 vital in Visible Studio. To check the middleware, you can difficulty a HTTP Write-up request from Postman. If your IP tackle matches any of the IP addresses in the whitelist, the request will be allowed. Otherwise, the ask for will be denied and the middleware will return HTTP 403 Forbidden.

Copyright © 2022 IDG Communications, Inc.