Add Health Checks Blocking Rate Limiting feature

Author: hishamco

src/OrchardCoreContrib.HealthChecks/HealthChecksBlockingRateLimitingMiddleware.cs

@@ -0,0 +1,83 @@
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using System.Collections.Concurrent;
+using System.Threading.RateLimiting;
+
+namespace OrchardCoreContrib.HealthChecks;
+
+public class HealthChecksBlockingRateLimitingMiddleware
+{
+    private static readonly ConcurrentDictionary<string, DateTime> _blockedIPs = new();
+
+    private readonly RequestDelegate _next;
+    private readonly HealthChecksOptions _healthChecksOptions;
+    private readonly HealthChecksRateLimitingOptions _healthChecksRateLimitingOptions;
+    private readonly HealthChecksBlockingRateLimitingOptions _healthChecksBlockingRateLimitingOptions;
+    private readonly SlidingWindowRateLimiter _rateLimiter;
+    private readonly ILogger _logger;
+
+    public HealthChecksBlockingRateLimitingMiddleware(
+        RequestDelegate next,
+        IOptions<HealthChecksOptions> healthChecksOptions,
+        IOptions<HealthChecksRateLimitingOptions> healthChecksRateLimitingOptions,
+        IOptions<HealthChecksBlockingRateLimitingOptions> healthChecksBlockingRateLimitingOptions,
+        ILogger<HealthChecksRateLimitingMiddleware> logger)
+    {
+        _next = next;
+        _healthChecksOptions = healthChecksOptions.Value;
+        _healthChecksRateLimitingOptions = healthChecksRateLimitingOptions.Value;
+        _healthChecksBlockingRateLimitingOptions = healthChecksBlockingRateLimitingOptions.Value;
+        _logger = logger;
+        _rateLimiter = new(new SlidingWindowRateLimiterOptions
+        {
+            PermitLimit = _healthChecksRateLimitingOptions.PermitLimit,
+            Window = _healthChecksRateLimitingOptions.Window,
+            SegmentsPerWindow = _healthChecksRateLimitingOptions.SegmentsPerWindow,
+            QueueLimit = _healthChecksRateLimitingOptions.QueueLimit,
+            QueueProcessingOrder = QueueProcessingOrder.OldestFirst
+        });
+    }
+
+    public async Task InvokeAsync(HttpContext context)
+    {
+        if (context.Request.Path.Equals(_healthChecksOptions.Url))
+        {
+            var ip = context.Connection.RemoteIpAddress?.ToString() ?? "Unknown";
+
+            if (_blockedIPs.TryGetValue(ip, out var blockedUntil))
+            {
+                if (DateTime.UtcNow < blockedUntil)
+                {
+                    context.Response.StatusCode = StatusCodes.Status403Forbidden;
+
+                    await context.Response.WriteAsync("Blocked due to excessive requests");
+
+                    return;
+                }
+                else
+                {
+                    _blockedIPs.TryRemove(ip, out _);
+                }
+            }
+
+            var rateLimitLease = _rateLimiter.AttemptAcquire(1);
+
+            if (!rateLimitLease.IsAcquired)
+            {
+                _blockedIPs[ip] = DateTime.UtcNow.Add(_healthChecksBlockingRateLimitingOptions.BlockDuration);
+
+                _logger.LogWarning("Rate limit exceeded for IP Address {RemoteIP}.", context.Connection.RemoteIpAddress);
+
+                context.Response.StatusCode = StatusCodes.Status429TooManyRequests;
+
+                await context.Response.WriteAsync("Too Many Requests.");
+
+                return;
+            }
+        }
+
+        await _next(context);
+    }
+}
+

src/OrchardCoreContrib.HealthChecks/HealthChecksBlockingRateLimitingOptions.cs

@@ -0,0 +1,6 @@
+namespace OrchardCoreContrib.HealthChecks;
+
+public class HealthChecksBlockingRateLimitingOptions : HealthChecksRateLimitingOptions
+{
+    public TimeSpan BlockDuration { get; set; } = TimeSpan.FromMinutes(1);
+}

…ks/HealthCheckIPRestrictionMiddleware.cs …s/HealthChecksIPRestrictionMiddleware.cssrc/OrchardCoreContrib.HealthChecks/HealthCheckIPRestrictionMiddleware.cs renamed to src/OrchardCoreContrib.HealthChecks/HealthChecksIPRestrictionMiddleware.cs src/OrchardCoreContrib.HealthChecks/HealthCheckIPRestrictionMiddleware.cs renamed to src/OrchardCoreContrib.HealthChecks/HealthChecksIPRestrictionMiddleware.cs

@@ -6,11 +6,11 @@
 
 namespace OrchardCoreContrib.HealthChecks;
 
-public class HealthCheckIPRestrictionMiddleware(
+public class HealthChecksIPRestrictionMiddleware(
     RequestDelegate next,
     IShellConfiguration shellConfiguration,
     IOptions<HealthChecksOptions> healthChecksOptions,
-    ILogger<HealthCheckIPRestrictionMiddleware> logger)
+    ILogger<HealthChecksIPRestrictionMiddleware> logger)
 {
     private readonly HealthChecksOptions _healthChecksOptions = healthChecksOptions.Value;
     private readonly HashSet<string> _allowedIPs =

src/OrchardCoreContrib.HealthChecks/HealthChecksRateLimitingMiddleware.cs

@@ -9,6 +9,7 @@ public class HealthChecksRateLimitingMiddleware
 {
     private readonly RequestDelegate _next;
     private readonly HealthChecksOptions _healthChecksOptions;
+    private readonly HealthChecksRateLimitingOptions _healthChecksRateLimitingOptions;
     private readonly SlidingWindowRateLimiter _rateLimiter;
     private readonly ILogger _logger;
 
@@ -18,18 +19,18 @@ public HealthChecksRateLimitingMiddleware(
         IOptions<HealthChecksRateLimitingOptions> healthChecksRateLimitingOptions,
         ILogger<HealthChecksRateLimitingMiddleware> logger)
     {
-        var healthChecksRateLimitingOptionsValue = healthChecksRateLimitingOptions.Value;
+        _next = next;
+        _healthChecksOptions = healthChecksOptions.Value;
+        _healthChecksRateLimitingOptions = healthChecksRateLimitingOptions.Value;
+        _logger = logger;
         _rateLimiter = new(new SlidingWindowRateLimiterOptions
         {
-            PermitLimit = healthChecksRateLimitingOptionsValue.PermitLimit,
-            Window = healthChecksRateLimitingOptionsValue.Window,
-            SegmentsPerWindow = healthChecksRateLimitingOptionsValue.SegmentsPerWindow,
-            QueueLimit = healthChecksRateLimitingOptionsValue.QueueLimit,
+            PermitLimit = _healthChecksRateLimitingOptions.PermitLimit,
+            Window = _healthChecksRateLimitingOptions.Window,
+            SegmentsPerWindow = _healthChecksRateLimitingOptions.SegmentsPerWindow,
+            QueueLimit = _healthChecksRateLimitingOptions.QueueLimit,
             QueueProcessingOrder = QueueProcessingOrder.OldestFirst
         });
-        _next = next;
-        _healthChecksOptions = healthChecksOptions.Value;
-        _logger = logger;
     }
 
     public async Task InvokeAsync(HttpContext context)

src/OrchardCoreContrib.HealthChecks/Manifest.cs

@@ -24,7 +24,14 @@
 
 [assembly: Feature(
     Id = "OrchardCoreContrib.HealthCheck.RateLimiting",
-    Name = "Health Check Rate Limiting",
+    Name = "Health Checks Rate Limiting",
     Description = "Limits requests to health check endpoints to prevent DOS attacks.",
     Dependencies = ["OrchardCoreContrib.HealthChecks"]
 )]
+
+[assembly: Feature(
+    Id = "OrchardCore.HealthCheck.BlockingRateLimiting",
+    Name = "Health Checks Blocking Rate Limiting",
+    Description = "Adds blocking behavior to the health check rate limiter. Clients exceeding the limit are temporarily blocked to prevent DoS attacks.",
+    Dependencies = new[] { "OrchardCoreContrib.HealthCheck.RateLimiting" }
+)]

src/OrchardCoreContrib.HealthChecks/OrchardCoreContrib.HealthChecks.csproj

@@ -26,7 +26,7 @@
 
 	<ItemGroup>
 		<None Include="../../images/icon.png" Pack="true" PackagePath="icon.png" />
-		<None Include="README.md" Pack="true" PackagePath="\"/>
+		<None Include="README.md" Pack="true" PackagePath="\" />
 	</ItemGroup>
 
 	<ItemGroup>

src/OrchardCoreContrib.HealthChecks/Startup.cs

@@ -74,17 +74,30 @@ public class IPRestrictionStartup : StartupBase
     public override int Order => 10;
 
     public override void Configure(IApplicationBuilder app, IEndpointRouteBuilder routes, IServiceProvider serviceProvider)
-        => app.UseMiddleware<HealthCheckIPRestrictionMiddleware>();
+        => app.UseMiddleware<HealthChecksIPRestrictionMiddleware>();
 }
 
 [Feature("OrchardCoreContrib.HealthChecks.RateLimiting")]
 public class RateLimitingStartup(IShellConfiguration shellConfiguration) : StartupBase
 {
-    public override int Order => 20;
+    public override int Order => 30;
 
     public override void ConfigureServices(IServiceCollection services)
         => services.Configure<HealthChecksRateLimitingOptions>(shellConfiguration.GetSection($"{Constants.ConfigurationKey}:RateLimiting"));
 
     public override void Configure(IApplicationBuilder app, IEndpointRouteBuilder routes, IServiceProvider serviceProvider)
         => app.UseMiddleware<HealthChecksRateLimitingMiddleware>();
 }
+
+[Feature("OrchardCoreContrib.HealthChecks.BlockingRateLimiting")]
+public class HealthCheckBlockingRateLimitingStartup(IShellConfiguration shellConfiguration) : StartupBase
+{
+    public override int Order => 20;
+
+    public override void ConfigureServices(IServiceCollection services)
+        => services.Configure<HealthChecksRateLimitingOptions>(shellConfiguration.GetSection($"{Constants.ConfigurationKey}:BlockingRateLimiting"));
+
+    public override void Configure(IApplicationBuilder app, IEndpointRouteBuilder routes, IServiceProvider serviceProvider)
+        => app.UseMiddleware<HealthChecksBlockingRateLimitingMiddleware>();
+}
+

src/OrchardCoreContrib.Modules.Web/appsettings.json

@@ -51,6 +51,13 @@
         "Window": "00:00:10",
         "SegmentsPerWindow": 10,
         "QueueLimit": 0
+      },
+      "BlockingRateLimiting": {
+        "PermitLimit": 5,
+        "Window": "00:00:10",
+        "SegmentsPerWindow": 10,
+        "QueueLimit": 0,
+        "BlockDuration": "00:01:00"
       }
     }
     //"OrchardCoreContrib_Garnet": {

test/OrchardCoreContrib.HealthChecks.Tests/HealthCheckBlockingTests.cs

@@ -0,0 +1,66 @@
+using OrchardCoreContrib.HealthChecks.Tests.Tests;
+using System.Net;
+
+namespace OrchardCoreContrib.HealthChecks.Tests;
+
+public class HealthCheckBlockingTests
+{
+    [Fact]
+    public async Task ExceedingLimit_ShouldBlockIP_ForConfiguredDuration()
+    {
+        // Arrange
+        using var context = new SaasSiteContext();
+
+        await context.InitializeAsync();
+
+        context.Client.DefaultRequestHeaders.Add("X-Forwarded-For", "127.0.0.1");
+
+        HttpResponseMessage response = null;
+
+        // Act
+        for (int i = 1; i <= 6; i++)
+        {
+            response = await context.Client.GetAsync("health");
+        }
+
+        // Assert
+        Assert.Equal(HttpStatusCode.TooManyRequests, response.StatusCode);
+
+        response = await context.Client.GetAsync("health");
+
+        Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+
+        var body = await response.Content.ReadAsStringAsync();
+
+        Assert.Contains("Blocked due to excessive requests", body);
+    }
+
+    [Fact]
+    public async Task BlockExpires_AfterDuration_AllowsRequestsAgain()
+    {
+        // Arrange
+        using var context = new SaasSiteContext();
+
+        await context.InitializeAsync();
+
+        context.Client.DefaultRequestHeaders.Add("X-Forwarded-For", "127.0.0.1");
+
+        // Act
+        for (int i = 1; i <= 6; i++)
+        {
+            await context.Client.GetAsync("health");
+        }
+
+        var response = await context.Client.GetAsync("health");
+
+        // Assert
+        Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+
+        // Wait slightly longer than block duration
+        await Task.Delay(TimeSpan.FromSeconds(61));
+
+        response = await context.Client.GetAsync("health");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+}

test/OrchardCoreContrib.HealthChecks.Tests/HealthChecksMiddlewareOrderTests.cs

@@ -16,18 +16,18 @@ public async Task CorrectOrder_BlockedIp_ShouldReturn403_WithoutConsumingLimit()
         // Act & Assert
         context.Client.DefaultRequestHeaders.Add("X-Forwarded-For", "192.168.1.100");
 
-        var response = await context.Client.GetAsync("health");
+        var httpResponse = await context.Client.GetAsync("health");
 
-        Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+        Assert.Equal(HttpStatusCode.Forbidden, httpResponse.StatusCode);
 
         context.Client.DefaultRequestHeaders.Remove("X-Forwarded-For");
         context.Client.DefaultRequestHeaders.Add("X-Forwarded-For", "127.0.0.1");
 
         for (int i = 1; i <= 5; i++)
         {
-            var okResponse = await context.Client.GetAsync("health");
+            httpResponse = await context.Client.GetAsync("health");
 
-            Assert.Equal(HttpStatusCode.OK, okResponse.StatusCode);
+            Assert.Equal(HttpStatusCode.OK, httpResponse.StatusCode);
         }
     }
 }