A simple software firewall to ensure incoming HTTP requests conform to a predefined set of rules which may be managed on the fly.
usuages:
- IP Whitelist **
< add key="WebMinder.IpWhitelist.ValidIpRanges" value="127.0.0.1;191.239.187.149|191.239.187.149" > - API Header Key Token Authorisation - SiteMinder.ValidateApiKey() - checks http header key/token match values from config file
- Block requests from a specific IP address when a threshold exceeds (DDOS)
- Dynamically add IP requests to a black list & block future requests from that IP (URL vector attack)
- Ensure request is over SSL (redirect to SSL if otherwise)
** requires SiteMinderModule
<modules>
<add name="SiteMinderModule" type="WebMinder.Core.SiteMinderModule, WebMinder.Core" />
</modules>
call SiteMinder.ValidateApiKey() from global.asax begin request to check the http headers for the matching config values below:
< add key="WebMinder.ApiKeyName" value="ExampleHeaderKeyName"/ >
< add key="WebMinder.ApiKeyValue" value="ExampleHeaderKeyValue"/ >
SiteMinder.RecordBadIpRequest();
(default rule below is for 5 bad request per IP per hour)
// ensure an external service is up before continuing an action
var urlValid = CreateRule<UrlIsValidRule, UrlRequest>
.On<UrlRequest>(url => url.Url = "http://www.externalservice.com/monitoring/api")
.Build();
SiteMinder = RuleMinder.Create()
.WithSslEnabled()
.WithNoSpam(5, TimeSpan.FromHours(1))
.AddRule<CreateRule<UrlIsValidRule, UrlRequest>, UrlIsValidRule, UrlRequest>(() =>
urlValid);
- IpAddress blocker (sample with non fluent creation )
- Redirect to secure urls (site must be SSL)
- Url is valid (checks given url gives a 200 or trips action)
- AggregateRuleSetHandler - using run time arguments, filter the collection & run a predicate to find invalid items
- SingleRuleSetHandler - run a predicate over the collection to determine if its valid
- MaximumCountRuleSetHandler - once the rule set hits this number it will trigger
-- Storage uses the runtime memory cache (or optionally write to an xml file)
-- HttpException 403 thrown by default with RuleSet Error Description
// ip ruleset - disallow more than 20 requests per day from a logged 'failed' request
var rule = new RuleSetHandler<IpAddressRequest>()
{
AggregateRule = ip => ip.Count(a => a.CreatedUtcDateTime >= DateTime.UtcNow.AddDays(-1)) > 20,
AggregateFilter = (data, item) => data.Where(collectionItem => collectionItem.IpAddress == item.IpAddress) // run time application for passed in IRequestRule
};
RuleSetRunner.Instance.AddRule<IpAddressRequest>(rule);
// ip ruleset - disallow a specific IP
var rule = new SingleRuleSetHandler<IpAddress>()
{
Rule = ip => ip.IpAddress == "Some IP we dont want (or could do a range query on it)",
};
RuleSetRunner.Instance.AddRule(rule);
// add items to this rule - once over 50 it will start rejecting requests
var rule = new MaximumCountRuleSetHandler<IpAddress>();
rule.MaximumResultCount = 50;
RuleSetRunner.Instance.AddRule(rule);
SiteMinder.VerifyRule(spamIpAddressCheck);
ruleSetHandler.InvalidAction = () => { throw new DivideByZeroException(ErrorDescription); };
IStorageProvider implementations (defaults to memory)
- MemoryCacheStorageProvider
- XmlFileStorageProvider
see IpAddressBlockerRule.cs
public IpAddressBlockerRule()
{
WriteLog(MyCustomLogFunctionThatMapsToLog4Net);
}
public static void WriteLog(string category, string message)
{
switch (category)
{
case "DEBUG":
WriteLog4NetEvent(message, Level.Debug);
break;
case "INFO":
WriteLog4NetEvent(message, Level.Info);
break;
case "WARNING":
WriteLog4NetEvent(message, Level.Warn);
break;
case "ERROR":
WriteLog4NetEvent(message, Level.Error);
break;
}
}
- SiteMinder
- RuleMinders
- RuleSets (actionable LINQ queries over a custom type rule request)
- Rules
- RuleSets (actionable LINQ queries over a custom type rule request)
