From 620498c41db5a35ee3c44b59b5f02eb6415b5248 Mon Sep 17 00:00:00 2001 From: Kirk Larkin <6025110+serpent5@users.noreply.github.com> Date: Mon, 15 Jul 2019 17:48:23 +0100 Subject: [PATCH] Minor tweaks to "IP Safelist". (#13283) --- aspnetcore/security/ip-safelist.md | 4 ++-- .../samples/2.x/ClientIpAspNetCore/AdminSafeListMiddleware.cs | 3 +-- .../ip-safelist/samples/2.x/ClientIpAspNetCore/Startup.cs | 3 +-- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/aspnetcore/security/ip-safelist.md b/aspnetcore/security/ip-safelist.md index d973cabe26db..ab4715e12d0e 100644 --- a/aspnetcore/security/ip-safelist.md +++ b/aspnetcore/security/ip-safelist.md @@ -17,7 +17,7 @@ This article shows three ways to implement an IP safelist (also known as a white * Action filters to check the remote IP address of requests for specific controllers or action methods. * Razor Pages filters to check the remote IP address of requests for Razor pages. -The sample app illustrates both approaches. In each case, a string containing approved client IP addresses is stored in an app setting. The middleware or filter parses the string into a list and checks if the remote IP is in the list. If not, an HTTP 403 Forbidden status code is returned. +In each case, a string containing approved client IP addresses is stored in an app setting. The middleware or filter parses the string into a list and checks if the remote IP is in the list. If not, an HTTP 403 Forbidden status code is returned. [View or download sample code](https://github.com/aspnet/AspNetCore.Docs/tree/master/aspnetcore/security/ip-safelist/samples/2.x/ClientIpAspNetCore) ([how to download](xref:index#how-to-download-a-sample)) 
@@ -31,7 +31,7 @@ The list is configured in the *appsettings.json* file. It's a semicolon-delimite The `Configure` method adds the middleware and passes the safelist string to it in a constructor parameter. -[!code-csharp[](ip-safelist/samples/2.x/ClientIpAspNetCore/Startup.cs?name=snippet_Configure&highlight=7)] +[!code-csharp[](ip-safelist/samples/2.x/ClientIpAspNetCore/Startup.cs?name=snippet_Configure&highlight=10)] The middleware parses the string into an array and looks for the remote IP address in the array. If the remote IP address is not found, the middleware returns HTTP 401 Forbidden. This validation process is bypassed for HTTP Get requests. diff --git a/aspnetcore/security/ip-safelist/samples/2.x/ClientIpAspNetCore/AdminSafeListMiddleware.cs b/aspnetcore/security/ip-safelist/samples/2.x/ClientIpAspNetCore/AdminSafeListMiddleware.cs index 4f6b77f5c606..b7c3211e2dcd 100644 --- a/aspnetcore/security/ip-safelist/samples/2.x/ClientIpAspNetCore/AdminSafeListMiddleware.cs +++ b/aspnetcore/security/ip-safelist/samples/2.x/ClientIpAspNetCore/AdminSafeListMiddleware.cs @@ -49,13 +49,12 @@ public async Task Invoke(HttpContext context) { _logger.LogInformation( $"Forbidden Request from Remote IP address: {remoteIp}"); - context.Response.StatusCode = (int)HttpStatusCode.Forbidden; + context.Response.StatusCode = 401; return; } } await _next.Invoke(context); - } } #endregion diff --git a/aspnetcore/security/ip-safelist/samples/2.x/ClientIpAspNetCore/Startup.cs b/aspnetcore/security/ip-safelist/samples/2.x/ClientIpAspNetCore/Startup.cs index 9e6fe86d9ea6..9dca538df756 100644 --- a/aspnetcore/security/ip-safelist/samples/2.x/ClientIpAspNetCore/Startup.cs +++ b/aspnetcore/security/ip-safelist/samples/2.x/ClientIpAspNetCore/Startup.cs @@ -55,8 +55,7 @@ public void Configure( app.UseStaticFiles(); - app.UseMiddleware( - Configuration["AdminSafeList"]); + app.UseMiddleware(Configuration["AdminSafeList"]); app.UseMvc(); } #endregion
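Review bot: Replacing `(int)HttpStatusCode.Forbidden` with a bare `401` turns the rejection into 401 Unauthorized, which is the wrong semantics for a source-address block: 401 tells the client it may retry with credentials (and RFC 7235 expects a `WWW-Authenticate` header alongside it), whereas a request from a non-safelisted IP should be refused outright with 403 Forbidden. The log line two lines above still reads "Forbidden Request", and the article's opening paragraph (the first hunk of this patch) still says "an HTTP 403 Forbidden status code is returned", so the new code contradicts its own documentation; the `-31,7` hunk of ip-safelist.md then says "HTTP 401 Forbidden", which is not a real status name. Keep the original line, or spell the intent out with a named constant: `context.Response.StatusCode = StatusCodes.Status403Forbidden;` (from Microsoft.AspNetCore.Http; `(int)HttpStatusCode.Forbidden` is equivalent if System.Net is what the file already imports). The `Invoke` method this hunk edits begins above the hunk.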