Skip to content

mguinness/KestrelWAF

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Kestrel WAF

A basic WAF for the Kestrel web server.

Introduction

A web application firewall is software that monitors and blocks HTTP traffic to a web service.

Using Reverse Proxy from Microsoft allows this project to both filter and forward traffic to another server.

This project is an attempt to implement a rules based WAF using ASP.NET Core Middleware.

BRE

Business rules engine is software that executes one or more business rules in a configurable runtime environment.

This provides flexibility to the end user to define rules to control inbound web traffic with little or no programming experience.

Setup

This project uses the Micro Rule Engine based on Expression Trees.

That project README covers the different kinds of expressions that can be used, so I'd encourage you to read that beforehand.

The inclusion of a boolean Negate field has been added to that library, allowing the result of a rule to be inverted which provides further versatility.

Rules will then be defined and stored in the appsettings.json file using ASP.NET Core Configuration options pattern.

An instance of the WebRequest class is created for each request which exposes fields like URL, IP address, user agent etc. for the rules engine to interact with.

Below is a example of different rules that can be defined. In addition rules may be nested for more complex logic.

"Configuration": {
  "Ruleset": {
    "Operator": "OrElse",
    "Rules": [
      {
        "MemberName": "Path",
        "Operator": "EndsWith",
        "Inputs": [ ".php" ]
      },
      {
        "MemberName": "UserAgent",
        "Operator": "IsMatch",
        "TargetValue": "^(curl|java|python)"
      },
      {
        "Operator": "InSubnet",
        "Inputs": [ "192.168.10.0", 24 ],
        "Negate": true
      },
      {
        "Operator": "IpInFile",
        "Inputs": [ "C:\\Temp\\blocklist.txt" ]
      }
    ]
  }
}

When a web request is received and processed by the rules, if any of the above match the request will be rejected and will return a 403 Forbidden status code.

GeoLite2

MaxMind provides free Geolocation data. Register and download the GeoLite2 database and specify the file location in the settings file.

"Configuration": {
  "GeoLiteFile": "C:\\MaxMind\\GeoLite2-Country.mmdb"
}

You will be able to lookup the geographic location of any IP address which will allow you to block requests by country if required.

{
  "MemberName": "IpCountry",
  "Operator": "IsInInput",
  "Inputs": [ "CN", "RU" ]
}

Conclusion

This is a very simple implementation of a WAF, but as you can see it can be expanded upon very easily. Any contributions to this project would be welcomed.

Credits

YARP: A Reverse Proxy https://github.com/microsoft/reverse-proxy

Micro Rule Engine https://github.com/runxc1/MicroRuleEngine

MaxMind DB Reader https://github.com/maxmind/MaxMind-DB-Reader-dotnet