A functional solution for implementing IP whitelists and blacklists using Security Options in .NET 8

[Nikhil-nama]

Hi everyone 👋

Yesterday I faced an issue while trying to configure IP whitelist & blacklist with SecurityOptions in Ocelot v23.4.2 (.NET 8 backend).
The configuration was not working as expected, but after some investigation, I found a working solution.
Add Security Options in Configuration file.

Step 1: Configure SecurityOptions in ocelot.json

The SecurityOptions section in the Ocelot configuration file ocelot.json defines the IP whitelist and blacklist. Here's an updated example with additional notes for clarity:

"SecurityOptions": {
  "IPBlockedList": [ "192.168.0.10" ],
  "IPAllowedList": [ "192.168.0.15" ],
  // Example if you also want localhost:
  // "IPAllowedList": [ "192.168.0.15", "172.16.40.248", "127.0.0.1", "::1" ],
  "ExcludeAllowedFromBlocked": true
}

Key Points:

IPBlockedList: Supports specific IPs (e.g., 192.168.0.10) or CIDR ranges (e.g., 10.0.0.0/24) for blocking entire subnets.

IPAllowedList: Lists trusted IPs or CIDR ranges. Including 127.0.0.1 and ::1 ensures localhost access (IPv4 and IPv6).

ExcludeAllowedFromBlocked: When true, IPs in IPAllowedList are allowed even if they fall within a blocked range in IPBlockedList. Set to false if blocked IPs should take precedence.

Ensure the IPs are valid and correctly formatted to avoid runtime errors.
IPBlockedList → Add CIDR or specific IPs you want to block.

IPAllowedList → Add the trusted IPs you want to whitelist.

ExcludeAllowedFromBlocked = true ensures allowed IPs override the blocked list.

Step 2: Enable Forwarded Headers in "Program.cs"

Here’s an updated "Program.cs" with additional error handling and configuration:

using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Enable Forwarded Headers for IP detection
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});

app.UseOcelot().Wait();
app.Run();

With this setup, IP blocking and whitelisting started working correctly in my project 🎉

Hopefully this helps anyone else struggling with Security Options in the latest Ocelot. update this.

[raman-m]

Hi Nikhil,

Yesterday I faced an issue while trying to configure IP whitelist & blacklist with SecurityOptions in Ocelot v23.4.2 (.NET 8 backend).

1. If you're using .NET 6 or 7, make sure to upgrade to version 23.4.3 as soon as possible due to the known issue Memory leak in Regex caching logic #2246 in version 23.4.2 ❗
2. If you're using .NET 8 or 9, make sure to upgrade to version 24.0.1 ❗

---

// Enable Forwarded Headers for IP detection
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});

Very nice! I think these docs are useful to review:

• Other proxy server and load balancer scenarios | ASP.NET Core | MS Learn

[raman-m]

@Nikhil-nama
I suppose you didn't identify a bug but highlighted a limitation of the security feature that could potentially be improved for private networks aka localhost etc., correct?

@Fabman08
Welcome to review this user story! 😉

P.S.

• SecurityOptions IPAllowedList not blocking IPs outside list (Whitelist not enforced) ocelot version (23.4.2) & .Net version 8 jsakamoto/ipaddressrange#88
  LoL Wrong repo! 😄