0

I have a project where I am currently serving static files from a .NET Core Web API wwwroot folder. It's using the app.UseStaticFiles() command in startup.cs and it works perfectly fine for serving our SPA front end. However, we have a requirement where we need one controller call open to the internet, while the rest are locked down by IP address. The one thing that I can't seem to figure out is how to prevent the Web API from serving the static files in the wwwroot folder to the internet, as those should only be for internal use.

I know there's already built-in middleware to lock controllers down by IP address, and there are plenty of ways to make my own, but I need to specifically prevent the front end SPA in the wwwroot folder from being seen by the internet while having only a few controller calls accessible to the internet.

Is there a way to do this?

AngryDev
  • 119
  • 11
  • The best practice is to hide your web server behind some proxy like nginx and solve it by configuration; your project should focus on business logic, not infrastructure. – Alexey Rumyantsev Apr 12 '21 at 14:45
  • Does [this](https://stackoverflow.com/questions/64166707/protect-certain-folders-in-wwwroot-with-authetication-in-asp-net-core-mvc) help? – AliK Apr 12 '21 at 14:50
  • @AliK I've looked into using that method. I have three files that I need to serve, which are the HTML, CSS and JavaScript. I haven't found a way to be able to send all three files from one controller call, otherwise that would have been a viable solution. – AngryDev Apr 12 '21 at 15:22
  • 1
    You could use this NuGet package: https://github.com/dustinmoris/Firewall. It adds configurable middleware with Firewall rules such as allowed IP addresses. You set up rules in the configure of `startup.cs`. You should place `app.UseFirewall();` before your `app.UseStaticFiles()` and also before both of them `app.UseEndpoints()` since you want to restrict only static files to firewall rules. – Michal Rosenbaum Apr 12 '21 at 15:49

1 Answer

0

I was able to achieve what I needed using the NuGet package mentioned by Michal Rosenbaum. By adding the firewall after the routing and endpoints but before the static files middleware, the firewall will only apply when serving the wwwroot files. As an added bonus, I was able to experiment and figure out how to lock down specific IP addresses from accessing controllers as well (though it's outside of the scope of this answer). Now, the app will no longer serve the SPA to unauthorized IP addresses, but the API can still be accessed externally, which is exactly what I needed.

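```csharp
// Requires: using System.Net; using Firewall;
// Inside Startup.Configure, after app.UseRouting():

// Controller endpoints are handled here, before the firewall runs,
// so matched API routes are not subject to the IP rules below.
app.UseEndpoints(endpoints =>
{
    endpoints.MapControllers();
});

// Deny everything except localhost and the listed addresses.
var firewall = FirewallRulesEngine
    .DenyAllAccess()
    .ExceptFromLocalhost()
    .ExceptFromIPAddresses(new[] { IPAddress.Parse("192.168.1.3"), IPAddress.Parse("192.168.1.8") });

// Requests that matched no endpoint reach the firewall, then the static files.
app.UseFirewall(firewall);
app.UseDefaultFiles();
app.UseStaticFiles();
```
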
AngryDev
  • 119
  • 11
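
The same middleware ordering can be reproduced without the package. The following is an added example, not code from the post or from the Firewall project; `InternalOnlyStaticFiles`, `IsAllowed` and `UseInternalOnlyStaticFiles` are hypothetical names, and the allow-list reuses the addresses from the answer. It also normalizes IPv4-mapped IPv6 addresses, which a plain equality check would miss.

```csharp
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class InternalOnlyStaticFiles
{
    // Sample allow-list (assumption): same addresses as in the answer above.
    private static readonly IPAddress[] Allowed =
    {
        IPAddress.Parse("192.168.1.3"),
        IPAddress.Parse("192.168.1.8"),
    };

    public static bool IsAllowed(IPAddress remote)
    {
        if (remote == null) return false; // fail closed when the address is unknown

        // A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d.
        if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();

        return IPAddress.IsLoopback(remote) || Allowed.Contains(remote);
    }

    // Call after app.UseEndpoints(...): matched controller routes never get here,
    // so only requests that fall through to the static files are filtered.
    public static IApplicationBuilder UseInternalOnlyStaticFiles(this IApplicationBuilder app)
    {
        app.Use(async (context, next) =>
        {
            if (!IsAllowed(context.Connection.RemoteIpAddress))
            {
                // Short-circuit: UseDefaultFiles/UseStaticFiles below never run.
                context.Response.StatusCode = StatusCodes.Status403Forbidden;
                return;
            }
            await next();
        });

        app.UseDefaultFiles();
        app.UseStaticFiles();
        return app;
    }
}
```

If the app runs behind a reverse proxy, `Connection.RemoteIpAddress` is the proxy's address unless `app.UseForwardedHeaders()` is configured with the trusted proxies earlier in the pipeline, so the allow-list would otherwise be checked against the wrong address.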