Proxy is hardened so it can directly face the internet #16
Comments
karelz
changed the title
|
I did a similar connection middleware component here that we should be able to model this on. |
samsp-msft
changed the title
|
I know that this is outside the scope of the issue, but it would be great to have some middleware to block traffic. Some simple ones being blocking user agents like curl and GeoIP2 country lookup using MaxMind DB Reader. Not looking to build an IDS/IPS, but some simple tools would be nice. Created Web Application Firewall discussion as suggested. |
|
@mguinness I'd suggest moving that question to https://github.com/microsoft/reverse-proxy/discussions. Blocking like that would be applied at the connection, server, or middleware layer before reaching any of the YARP logic at the routing layer or proxying layers. These scenarios are highly custom and I don't expect we'd be building them as part of the YARP project. |
karelz
added
Deployment cookbook
|
Triage: All is possible using TlsFrameHelper: https://github.com/microsoft/reverse-proxy/blob/main/src/ReverseProxy/Utilities/TlsFrameHelper.cs |
|
Triage: Review AppService list to identify things that may be general purpose. |
We expect several features to be add-ins that plug in as connection middleware. Add a connection middleware to the sample in this repo.
Here's one example from Http2:
https://github.com/dotnet/aspnetcore/blob/09bb7b4ca5a4fbde0283c294c35fac8b485c0074/src/Servers/Kestrel/samples/Http2SampleApp/Program.cs#L41-L54
Other things we expect to need to plug into here:
We don't have to write those components as part of this task, just demonstrate that a connection middleware has access to the necessary inputs and controls (e.g. IPs, sniffing the data stream, drop connections, etc.).
Specifically, this involves being able to filter connections based on information contained in the ClientHello TLS frame. Examples include:
The text was updated successfully, but these errors were encountered: