| title | author | description | monikerRange | ms.author | ms.custom | ms.date | uid |
|---|---|---|---|---|---|---|---|
Client IP safelist for ASP.NET Core |
damienbod |
Learn how to write middleware or action filters to validate remote IP addresses against a list of approved IP addresses. |
>= aspnetcore-2.1 |
riande |
mvc |
03/12/2020 |
security/ip-safelist |
By Damien Bowden and Tom Dykstra
This article shows three ways to implement an IP address safelist (also known as an allow list) in an ASP.NET Core app. An accompanying sample app demonstrates all three approaches. You can use:
- Middleware to check the remote IP address of every request.
- MVC action filters to check the remote IP address of requests for specific controllers or action methods.
- Razor Pages filters to check the remote IP address of requests for Razor pages.
In each case, a string containing approved client IP addresses is stored in an app setting. The middleware or filter:
- Parses the string into an array.
- Checks if the remote IP address exists in the array.
Access is allowed if the array contains the IP address. Otherwise, an HTTP 403 Forbidden status code is returned.
View or download sample code (how to download)
In the sample app, the IP address safelist is:
- Defined by the
AdminSafeListproperty in theappsettings.jsonfile. - A semicolon-delimited string that may contain both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) addresses.
In the preceding example, the IPv4 addresses of 127.0.0.1 and 192.168.1.5 and the IPv6 loopback address of ::1 (compressed format for 0:0:0:0:0:0:0:1) are allowed.
The Startup.Configure method adds the custom AdminSafeListMiddleware middleware type to the app's request pipeline. The safelist is retrieved with the .NET Core configuration provider and is passed as a constructor parameter.
The middleware parses the string into an array and searches for the remote IP address in the array. If the remote IP address isn't found, the middleware returns HTTP 403 Forbidden. This validation process is bypassed for HTTP GET requests.
If you want safelist-driven access control for specific MVC controllers or action methods, use an action filter. For example:
In Startup.ConfigureServices, add the action filter to the MVC filters collection. In the following example, a ClientIpCheckActionFilter action filter is added. A safelist and a console logger instance are passed as constructor parameters.
:::moniker range=">= aspnetcore-3.0"
:::moniker-end
:::moniker range="<= aspnetcore-2.2"
:::moniker-end
The action filter can then be applied to a controller or action method with the [ServiceFilter] attribute:
In the sample app, the action filter is applied to the controller's Get action method. When you test the app by sending:
-
An HTTP GET request, the
[ServiceFilter]attribute validates the client IP address. If access is allowed to theGetaction method, a variation of the following console output is produced by the action filter and action method:dbug: ClientIpSafelistComponents.Filters.ClientIpCheckActionFilter[0] Remote IpAddress: ::1 dbug: ClientIpAspNetCore.Controllers.ValuesController[0] successful HTTP GET -
An HTTP request verb other than GET, the
AdminSafeListMiddlewaremiddleware validates the client IP address.
If you want safelist-driven access control for a Razor Pages app, use a Razor Pages filter. For example:
In Startup.ConfigureServices, enable the Razor Pages filter by adding it to the MVC filters collection. In the following example, a ClientIpCheckPageFilter Razor Pages filter is added. A safelist and a console logger instance are passed as constructor parameters.
:::moniker range=">= aspnetcore-3.0"
:::moniker-end
:::moniker range="<= aspnetcore-2.2"
:::moniker-end
When the sample app's Index Razor page is requested, the Razor Pages filter validates the client IP address. The filter produces a variation of the following console output:
dbug: ClientIpSafelistComponents.Filters.ClientIpCheckPageFilter[0]
Remote IpAddress: ::1
- xref:fundamentals/middleware/index
- Action filters
- xref:razor-pages/filter