RequireLocalPort extension for IEndpointConventionBuilder

[goncalo-oliveira]

Background and Motivation

I've found myself in a situation where I needed endpoints responding on different ports. Mainly one for public requests and another for internal requests (health checks for example). To do this I resorted to the .RequireHost extension method and did something similar to this

app.MapHealthChecks( "/healthz" )
    .RequireHost( "*:9001" )
    .AllowAnonymous();

app.MapGet( "/", () =>
{
   // ...
} )
.RequireHost( "*:8080" );

Locally things work properly and so I was surprised when deployed behind a reverse proxy I wasn't able to reach the public endpoint, but was able to reach the health check (internally).

Turns out that RequireHost uses the Host header, which behind a reverse proxy that may be the public host/port and not the one we're listening to. It took me a while to figure this out and it also took me quite a while to figure out how to create a filter to look at the HttpContext.Connection.LocalPort instead.

Proposed API

In addition to better documentation on RequireHost, to clarify whoever is using it, I'd suggest having a RequireLocalPort extension. If I'm not mistaken, previous versions of UseHealthChecks had an optional port argument.

namespace Microsoft.AspNetCore.Builder;

public static class EndpointConventionBuilderLocalExtensions
{
    public static IEndpointConventionBuilder RequireLocalPort( this IEndpointConventionBuilder builder, int port )
        => builder.AddEndpointFilter( async ( context, next ) =>
        {
            if ( context.HttpContext.Connection.LocalPort != port )
            {
                return Results.NotFound();
            }

            return await next( context );
        } );
}

Usage Examples

The code above would be replaced with

app.MapHealthChecks( "/healthz" )
    .RequireLocalPort( 9001 )
    .AllowAnonymous();

app.MapGet( "/", () =>
{
   // ...
} )
.RequireLocalPort( 8080 );

[Tratcher]

Would be useful for YARP dotnet/yarp#1240

[halter73]

Nice suggestion. In many cases the host matching is sufficient, but I can see proxies making that difficult. We'll want to make this a MatcherPolicy rather than an endpoint filter so endpoints with different port requirements don't conflict. For now, another workaround might be to continue using .RequireHost("*:9001"), but add middleware before UseRouting() that sets HttpContext.Request.Host based on the local port.

I wonder if there's a more general feature here. What if you want to discriminate based on the IP address of thenetwork interface the connection came in on? Or named pipe? Maybe the metadata could contain the System.Net.Endpoint that should match the listen socket. That wouldn't work for requests arriving over any interface on a given local port though. If the metadata provided a predicate for the Endpoint, it could work, but that's not very declarative. Do you have thoughts on this @JamesNK?

[JamesNK]

Setting the host header seems like a simple solution.

I don't have any more thoughts off the top of my head. It's been a long time since I wrote host matcher 😄

Hi @goncalo-oliveira. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.

See our Issue Management Policies for more information.