Add IP restriction health check feature

Author: hishamco

src/OrchardCoreContrib.HealthChecks/HealthCheckIPRestrictionMiddleware.cs

@@ -0,0 +1,37 @@
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using OrchardCore.Environment.Shell.Configuration;
+
+namespace OrchardCoreContrib.HealthChecks;
+
+public class HealthCheckIPRestrictionMiddleware(
+    RequestDelegate next,
+    IShellConfiguration shellConfiguration,
+    IOptions<HealthChecksOptions> healthChecksOptions,
+    ILogger<HealthCheckIPRestrictionMiddleware> logger)
+{
+    private readonly HealthChecksOptions _healthChecksOptions = healthChecksOptions.Value;
+    private readonly HashSet<string> _allowedIPs = shellConfiguration.GetSection($"{Constants.ConfigurationKey}:AllowedIPs")
+        .Get<string[]>()?.ToHashSet() ?? [];
+
+    public async Task InvokeAsync(HttpContext context)
+    {
+        if (context.Request.Path.Equals(_healthChecksOptions.Url))
+        {
+            var remoteIP = context.Connection.RemoteIpAddress?.ToString();
+            if (!_allowedIPs.Contains(remoteIP))
+            {
+                logger.LogWarning("Unauthorized IP {IP} tried to access {HealthCheckEndpoint}.", remoteIP, _healthChecksOptions.Url);
+                context.Response.StatusCode = StatusCodes.Status403Forbidden;
+
+                await context.Response.WriteAsync("Forbidden");
+
+                return;
+            }
+        }
+
+        await next(context);
+    }
+}

src/OrchardCoreContrib.HealthChecks/Manifest.cs

@@ -6,6 +6,18 @@
     Author = ManifestConstants.Author,
     Website = ManifestConstants.Website,
     Version = "1.4.0",
-    Description = "Provides health checks for the website.",
     Category = "Infrastructure"
 )]
+
+[assembly: Feature(
+    Id = "OrchardCoreContrib.HealthChecks",
+    Name = "Health Checks",
+    Description = "Provides health checks for the website."
+)]
+
+[assembly: Feature(
+    Id = "OrchardCoreContrib.HealthChecks.IPRestriction",
+    Name = "Health Checks IP Restriction",
+    Description = "Restricts access to health check endpoints by IP address.",
+    Dependencies = [ "OrchardCoreContrib.HealthChecks" ]
+)]

src/OrchardCoreContrib.HealthChecks/Startup.cs

@@ -12,6 +12,7 @@
 using System.Text.Json;
 
 namespace OrchardCoreContrib.HealthChecks;
+
 public class Startup(IShellConfiguration shellConfiguration) : StartupBase
 {
     private static readonly JsonSerializerOptions _jsonSerializerOptions = new() { WriteIndented = true };
@@ -66,3 +67,12 @@ private static async Task WriteResponse(HttpContext context, HealthReport report
         await context.Response.WriteAsync(JsonSerializer.Serialize(response, response.GetType(), options: _jsonSerializerOptions));
     }
 }
+
+[Feature("OrchardCoreContrib.HealthChecks.IPRestriction")]
+public class IPRestrictionStartup : StartupBase
+{
+    public override void Configure(IApplicationBuilder app, IEndpointRouteBuilder routes, IServiceProvider serviceProvider)
+    {
+        app.UseMiddleware<HealthCheckIPRestrictionMiddleware>();
+    }
+}

src/OrchardCoreContrib.Modules.Web/appsettings.json

@@ -44,7 +44,8 @@
     //},
     //"OrchardCoreContrib_HealthChecks": {
     //  "Url": "/health",
-    //  "ShowDetails": true
+    //  "ShowDetails": true,
+    //  "AllowedIPs": [ "127.0.0.1", "::1", "192.168.1.100" ]
     //},
     //"OrchardCoreContrib_Garnet": {
     //  "Host": "127.0.0.1",