Cloudflare Authenticated Origin 拉取 Kestrel Web 服务器 (Linux) [英] Cloudflare Authenticated Origin Pulls With Kestrel Web Server(Linux)
问题描述
我已尝试在 Kestrel 服务器上设置 Authenticated Origin Pulls 并阻止通过 IP 地址直接访问其余 API,但仍允许通过直接 IP 访问.
I have tried to setup Authenticated Origin Pulls on Kestrel Server and block direct access to the rest API via IP address but still allows access via Direct IP.
appsetting.json
appsetting.json
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"AllowedHosts": "*",
"Kestrel": {
"HttpsDefaults": {
"ClientCertificateMode": "RequireCertificate"
},
"Endpoints": {
"Https": {
"Url": "https://*:443",
"Certificate": {
"Path": "/home/ubuntu/domain.name.pfx",
"Password": "12345",
"AllowInvalid": false
}
}
}
}
}
MyCertificateValidationService.cs
MyCertificateValidationService.cs
using System.IO;
using System.Security.Cryptography.X509Certificates;
public class MyCertificateValidationService
{
public bool ValidateCertificate(X509Certificate2 clientCertificate)
{
var cert = new X509Certificate2("/home/ubuntu/cloudflare.pfx", "12345");
return clientCertificate.Thumbprint == cert.Thumbprint;
}
}
程序.cs
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
namespace ClientCertificateCheck
{
public class Program
{
public static void Main(string[] args)
{
CreateHostBuilder(args).Build().Run();
}
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args).ConfigureServices((context, services) =>
{
services.Configure<KestrelServerOptions>(
context.Configuration.GetSection("Kestrel"));
})
.ConfigureWebHostDefaults(webBuilder => { webBuilder.UseStartup<Startup>(); });
}
}
Startup.cs
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
namespace ClientCertificateCheck
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddAuthentication(
CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate(options =>
{
options.Events = new CertificateAuthenticationEvents
{
OnCertificateValidated = context =>
{
var validationService = context.HttpContext.RequestServices
.GetService<MyCertificateValidationService>();
if (validationService.ValidateCertificate(context.ClientCertificate))
{
context.Success();
}
else
{
context.Fail("invalid cert");
}
return Task.CompletedTask;
},
OnAuthenticationFailed = context =>
{
context.Fail("invalid cert");
return Task.CompletedTask;
}
};
});
services.Configure<KestrelServerOptions>(
Configuration.GetSection("Kestrel"));
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseCertificateForwarding();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints => { endpoints.MapControllers(); });
}
}
}
即使经过上述设置,当我通过域访问它时一切正常,但是当我从 IP 地址访问它时,访问实际上应该被阻止,我应该收到 invalid cert 消息.无法确定我哪里出错了.
even after above setup when I access it via domain it goes all good but when I access it from IP address access should be actually blocked and I should be receiving invalid cert Message. Not able to identify where I am going wrong in this.
我不愿意使用任何像 nginx 或 apache2 这样的反向代理,我只想使用 Kestrel 来实现这一点.
Edited: I am not willing to use any reverse proxy like nginx or apache2 I want to achieve this using Kestrel only.
推荐答案
不确定您使用的是哪个版本的内核,但适用于 5.0
Not sure what version of core your are using but for 5.0
Kestrel 支持配置中定义的 SNI.可以使用 Sni 对象配置端点,该对象包含主机名和 HTTPS 选项之间的映射.连接主机名与选项匹配,它们用于该连接.
Kestrel supports SNI defined in configuration. An endpoint can be configured with an Sni object that contains a mapping between host names and HTTPS options. The connection host name is matched to the options and they are used for that connection.
下面的配置添加了一个名为 MySniEndpoint 的端点,它使用 SNI 根据主机名选择 HTTPS 选项
The following configuration adds an endpoint named MySniEndpoint that uses SNI to select HTTPS options based on the host name
{
"Kestrel": {
"Endpoints": {
"MySniEndpoint": {
"Url": "https://*",
"SslProtocols": ["Tls11", "Tls12"],
"Sni": {
"a.example.org": {
"Protocols": "Http1AndHttp2",
"SslProtocols": ["Tls11", "Tls12", "Tls13"],
"Certificate": {
"Subject": "<subject; required>",
"Store": "<certificate store; required>",
},
"ClientCertificateMode" : "NoCertificate"
},
"*.example.org": {
"Certificate": {
"Path": "<path to .pfx file>",
"Password": "<certificate password>"
}
},
"*": {
// At least one subproperty needs to exist per SNI section or it
// cannot be discovered via IConfiguration
"Protocols": "Http1",
}
}
}
},
"Certificates": {
"Default": {
"Path": "<path to .pfx file>",
"Password": "<certificate password>"
}
}
}
}
这篇关于Cloudflare Authenticated Origin 拉取 Kestrel Web 服务器 (Linux)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
