前言本文通过两种方式展示了如何在ASP.NETCore应用中设置IP白名单验证。您可以使用以下2种方式:中间件检查每个请求的远程IP地址。一个MVC操作过滤器,用于检查特定控制器或操作方法请求的远程IP地址。中间件Startup.Configure方法将自定义AdminSafeListMiddleware中间件类型添加到应用程序的请求管道。使用.NETCore配置提供程序检索安全性并作为构造函数参数传递。app.UseMiddleware("127.0.0.1;192.168.1.5;::1");中间件将字符串解析为一个数组,并在该数组中搜索远程IP地址。如果找不到远程IP地址,中间件将返回HTTP403Forbidden。对于HTTPGET请求,将跳过此验证过程。publicclassAdminSafeListMiddleware{privatereadonlyRequestDelegate_next;privatereadonlyILogger_logger;privatereadonlystring_safelist;publicAdminSafeListMiddleware(RequestDelegatenext,ILoggerlogger,stringsafelist){_safelist=safelist;_next=next;_logger=logger;}publicasyncTaskInvoke(HttpContextcontext){if(context.Request.Method!=HttpMethod.Get.Method){varremoteIp=context.Connection.RemoteIpAddress;_logger.LogDebug("RequestfromRemoteIPaddress:{RemoteIp}",remoteIp);string[]ip=_safelist.Split(';');varbytes=remoteIp。GetAddressBytes();varbadIp=true;foreach(varaddressinip){vartestIp=IPAddress.Parse(地址);if(testIp.GetAddressBytes().SequenceEqual(bytes)){badIp=false;break;}}if(badIp){_logger.LogWarning("ForbiddenRequestfromRemoteIPaddress:{RemoteIp}",remoteIp);context.Response.StatusCode=StatusCodes.Status403Forbidden;return;}}await_next.Invoke(context);}}操作筛选器如果需要针特定MVC控制器或操作方法的安全性,使用操作过滤器,例如:。publicclassClientIpCheckActionFilter:ActionFilterAttribute{privatereadonlyILogger_logger;privatereadonlystring_safelist;publicClientIpCheckActionFilter(stringsafelist,ILoggerlogger){_safelist=safelist;_logger=logger;}publicoverridevoidOnActionExecuting(ActionExecutingContextcontext){varremoteIp=context.HttpContext.Connection.RemoteIpAddress;_logger.LogDebug("RemoteIpAddress:{RemoteIp}",remoteIp);varip=_safelist.Split(';');varbadIp=true;if(remoteIp.IsIPv4MappedToIPv6){remoteIp=remoteIp.MapToIPv4();}foreach(varaddressinip){vartestIp=IPAddress.Parse(地址);如果(testIp.Equals(remoteIp)){badIp=false;break;}}if(badIp){_logger.LogWarning("ForbiddenRequestfromIP:{RemoteIp}",remoteIp);context.Result=newStatusCodeResult(StatusCodes.Status403Forbidden);返回;}base.OnActionExecuting(context);}}在Startup.ConfigureServices中,将操作过滤器添加到MVC过滤器集合中。在下面的示例中,ClientIpCheckActionFilter添加了一个操作过滤器。安全日志和控制台记录器实例作为构造函数参数传递。services.AddScoped(container=>{varloggerFactory=container.GetRequiredService();varlogger=loggerFactory.CreateLogger();returnnewClientIpCheckActionFilter("127.0.0.1;192.168.5;::logger",记录器。);});然后可以使用[ServiceFilter]属性将操作过滤器应用于控制器或操作方法:[ServiceFilter(typeof(ClientIpCheckActionFilter))][HttpGet]publicIEnumerableGet()动作方法。当您通过发送以下方式测试您的应用程序时:HTTPGET请求,[ServiceFilter]属性验证客户端IP地址。如果允许访问Get操作方法,则操作过滤器和操作方法将生成以下控制台输出的变体:dbug:ClientIpSafelistComponents.Filters.ClientIpCheckActionFilter[0]RemoteIpAddress:::1dbug:ClientIpAspNetCore.Controllers.ValuesController[0]successfulHTTPGET除GET之外的HTTP请求动词将使用AdminSafeListMiddleware验证客户端IP地址。综上所述,本案可转化为黑名单拦截。
