Open analogrelay opened 4 years ago
I did a similar connection middleware component here that we should be able to model this on.
I know that this is outside the scope of the issue, but it would be great to have some middleware to block traffic. Some simple ones would be blocking user agents like curl and GeoIP2 country lookup using MaxMind DB Reader. Not looking to build an IDS/IPS, but some simple tools would be nice. Created Web Application Firewall discussion as suggested.
@mguinness I'd suggest moving that question to https://github.com/microsoft/reverse-proxy/discussions.
Blocking like that would be applied at the connection, server, or middleware layer before reaching any of the YARP logic at the routing layer or proxying layers. These scenarios are highly custom and I don't expect we'd be building them as part of the YARP project.
Triage: All of this is possible using TlsFrameHelper: https://github.com/microsoft/reverse-proxy/blob/main/src/ReverseProxy/Utilities/TlsFrameHelper.cs We should work with users to create a deployment cookbook / how-tos.
Triage: Review AppService list to identify things that may be general purpose.
We expect several features to be add-ins that plug in as connection middleware. Add a connection middleware to the sample in this repo.
Here's one example from Http2: https://github.com/dotnet/aspnetcore/blob/09bb7b4ca5a4fbde0283c294c35fac8b485c0074/src/Servers/Kestrel/samples/Http2SampleApp/Program.cs#L41-L54
Other things we expect to need to plug into here:
We don't have to write those components as part of this task, just demonstrate that a connection middleware has access to the necessary inputs and controls (e.g. IPs, sniffing the data stream, drop connections, etc.).
Specifically, this involves being able to filter connections based on information contained in the ClientHello TLS frame. Examples include:
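An added example of what this issue asks for, written for this page and not taken from the issue thread or the YARP repository: a Kestrel connection middleware registered before `UseHttps` on the same listener, so the raw ClientHello is still in the transport pipe. It peeks at the bytes without consuming them, extracts the `server_name` (SNI) extension with a small hand-written parser (used here instead of the `TlsFrameHelper` mentioned in triage, so the example is self-contained), and aborts any connection whose SNI is not on an allow list. The port, certificate path and password placeholder, the allowed host name, and the use of the web SDK's implicit usings are assumptions.

```csharp
using System.Buffers;
using System.Buffers.Binary;
using System.IO.Pipelines;
using System.Text;
using Microsoft.AspNetCore.Connections;

var builder = WebApplication.CreateBuilder(args);
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ListenAnyIP(443, listen =>  // assumed port
    {
        // Connection middleware runs per accepted socket, before any HTTP or YARP routing logic.
        // It must be registered before UseHttps so the ClientHello has not been consumed yet.
        listen.Use(next => new SniAllowListMiddleware(next, new[] { "app.example.com" }).OnConnectionAsync);
        listen.UseHttps("cert.pfx", "PLACEHOLDER_PASSWORD"); // assumed certificate file and password
    });
});
var app = builder.Build();
app.MapGet("/", () => "hello");
app.Run();

sealed class SniAllowListMiddleware
{
    private const int MaxPeekBytes = 16 * 1024; // a single TLS record is at most 16 KiB of payload
    private readonly ConnectionDelegate _next;
    private readonly HashSet<string> _allowed;

    public SniAllowListMiddleware(ConnectionDelegate next, IEnumerable<string> hosts)
    { _next = next; _allowed = new HashSet<string>(hosts, StringComparer.OrdinalIgnoreCase); }

    public async Task OnConnectionAsync(ConnectionContext connection)
    {
        PipeReader input = connection.Transport.Input;
        while (true)
        {
            ReadResult result = await input.ReadAsync(connection.ConnectionClosed);
            ReadOnlySequence<byte> buffer = result.Buffer;
            ParseStatus status = TryGetSni(buffer, out string? sni);

            if (status == ParseStatus.NeedMoreData && !result.IsCompleted && buffer.Length < MaxPeekBytes)
            {
                // Consume nothing but mark everything examined: the next ReadAsync waits for more bytes.
                input.AdvanceTo(buffer.Start, buffer.End);
                continue;
            }

            // Hand the bytes back untouched so UseHttps sees the identical ClientHello.
            input.AdvanceTo(buffer.Start);
            if (status == ParseStatus.Ok && _allowed.Contains(sni!))
                await _next(connection);
            else
                connection.Abort(new ConnectionAbortedException($"ClientHello rejected ({status}, sni={sni ?? "<none>"})"));
            return;
        }
    }

    enum ParseStatus { Ok, NeedMoreData, NotClientHello, NoSni, Unsupported }

    // Parses the first TLS record far enough to pull the host_name out of the server_name extension.
    static ParseStatus TryGetSni(ReadOnlySequence<byte> sequence, out string? sni)
    {
        sni = null;
        ReadOnlySpan<byte> p = sequence.Slice(0, Math.Min(sequence.Length, MaxPeekBytes)).ToArray();
        if (p.Length < 5) return ParseStatus.NeedMoreData;
        if (p[0] != 0x16 || p[1] != 0x03) return ParseStatus.NotClientHello; // handshake record, TLS major version 3
        int recordLen = BinaryPrimitives.ReadUInt16BigEndian(p.Slice(3));
        if (p.Length < 5 + recordLen) return ParseStatus.NeedMoreData;       // wait for the whole record
        p = p.Slice(5, recordLen);

        if (p.Length < 4 || p[0] != 0x01) return ParseStatus.NotClientHello; // handshake type 1 = ClientHello
        int helloLen = (p[1] << 16) | (p[2] << 8) | p[3];
        if (p.Length < 4 + helloLen) return ParseStatus.Unsupported;         // hello fragmented across records
        p = p.Slice(4, helloLen);

        int pos = 2 + 32;                                                      // legacy_version + random
        if (p.Length < pos + 1) return ParseStatus.NotClientHello;
        pos += 1 + p[pos];                                                     // legacy_session_id
        if (p.Length < pos + 2) return ParseStatus.NotClientHello;
        pos += 2 + BinaryPrimitives.ReadUInt16BigEndian(p.Slice(pos));         // cipher_suites
        if (p.Length < pos + 1) return ParseStatus.NotClientHello;
        pos += 1 + p[pos];                                                     // legacy_compression_methods
        if (p.Length < pos + 2) return ParseStatus.NoSni;                      // no extensions block at all
        int extLen = BinaryPrimitives.ReadUInt16BigEndian(p.Slice(pos));
        pos += 2;
        if (p.Length < pos + extLen) return ParseStatus.NotClientHello;
        ReadOnlySpan<byte> ext = p.Slice(pos, extLen);

        while (ext.Length >= 4)                                                // each extension: type, length, data
        {
            int type = BinaryPrimitives.ReadUInt16BigEndian(ext);
            int len = BinaryPrimitives.ReadUInt16BigEndian(ext.Slice(2));
            if (ext.Length < 4 + len) return ParseStatus.NotClientHello;
            ReadOnlySpan<byte> body = ext.Slice(4, len);
            ext = ext.Slice(4 + len);
            if (type != 0) continue;                                           // extension type 0 = server_name
            // ServerNameList: 2-byte list length, then (1-byte name_type, 2-byte length, name).
            if (body.Length < 5 || body[2] != 0) return ParseStatus.NotClientHello; // only host_name (0) is defined
            int nameLen = BinaryPrimitives.ReadUInt16BigEndian(body.Slice(3));
            if (body.Length < 5 + nameLen) return ParseStatus.NotClientHello;
            sni = Encoding.ASCII.GetString(body.Slice(5, nameLen));
            return ParseStatus.Ok;
        }
        return ParseStatus.NoSni;
    }
}
```

The middleware never consumes from the pipe: `AdvanceTo(buffer.Start, buffer.End)` asks for more data while the record is incomplete, and the final `AdvanceTo(buffer.Start)` returns everything so the HTTPS middleware reads the same bytes. Connections that are not TLS, carry no SNI, send a ClientHello fragmented across records, or exceed 16 KiB without a complete record are aborted rather than passed on, which is the conservative choice for an allow list; relaxing any of those cases is a one-line change in the status check. The same peek-then-decide pattern gives access to the remote IP (`connection.RemoteEndPoint`) and the other ClientHello fields the issue mentions.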