Add health checks rate limiting feature

Author: hishamco

src/OrchardCoreContrib.HealthChecks/HealthChecksRateLimitingMiddleware.cs

@@ -0,0 +1,55 @@
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using System.Threading.RateLimiting;
+
+namespace OrchardCoreContrib.HealthChecks;
+
+public class HealthChecksRateLimitingMiddleware
+{
+    private readonly RequestDelegate _next;
+    private readonly HealthChecksOptions _healthChecksOptions;
+    private readonly SlidingWindowRateLimiter _rateLimiter;
+    private readonly ILogger _logger;
+
+    public HealthChecksRateLimitingMiddleware(
+        RequestDelegate next,
+        IOptions<HealthChecksOptions> healthChecksOptions,
+        IOptions<HealthChecksRateLimitingOptions> healthChecksRateLimitingOptions,
+        ILogger<HealthChecksRateLimitingMiddleware> logger)
+    {
+        var healthChecksRateLimitingOptionsValue = healthChecksRateLimitingOptions.Value;
+        _rateLimiter = new(new SlidingWindowRateLimiterOptions
+        {
+            PermitLimit = healthChecksRateLimitingOptionsValue.PermitLimit,
+            Window = healthChecksRateLimitingOptionsValue.Window,
+            SegmentsPerWindow = healthChecksRateLimitingOptionsValue.SegmentsPerWindow,
+            QueueLimit = healthChecksRateLimitingOptionsValue.QueueLimit,
+            QueueProcessingOrder = QueueProcessingOrder.OldestFirst
+        });
+        _next = next;
+        _healthChecksOptions = healthChecksOptions.Value;
+        _logger = logger;
+    }
+
+    public async Task InvokeAsync(HttpContext context)
+    {
+        if (context.Request.Path.Equals(_healthChecksOptions.Url))
+        {
+            var rateLimitLease = _rateLimiter.AttemptAcquire(1);
+
+            if (!rateLimitLease.IsAcquired)
+            {
+                _logger.LogWarning("Rate limit exceeded for IP Address {RemoteIP}.", context.Connection.RemoteIpAddress);
+
+                context.Response.StatusCode = StatusCodes.Status429TooManyRequests;
+
+                await context.Response.WriteAsync("Too Many Requests.");
+
+                return;
+            }
+        }
+
+        await _next(context);
+    }
+}

src/OrchardCoreContrib.HealthChecks/HealthChecksRateLimitingOptions.cs

@@ -0,0 +1,13 @@
+namespace OrchardCoreContrib.HealthChecks;
+
+public class HealthChecksRateLimitingOptions
+{
+    public int PermitLimit { get; set; } = 5;
+
+    public TimeSpan Window { get; set; } = TimeSpan.FromSeconds(10);
+
+    public int SegmentsPerWindow { get; set; } = 10;
+
+    public int QueueLimit { get; set; } = 0;
+}
+

src/OrchardCoreContrib.HealthChecks/Manifest.cs

@@ -21,3 +21,10 @@
     Description = "Restricts access to health check endpoints by IP address.",
     Dependencies = [ "OrchardCoreContrib.HealthChecks" ]
 )]
+
+[assembly: Feature(
+    Id = "OrchardCoreContrib.HealthCheck.RateLimiting",
+    Name = "Health Check Rate Limiting",
+    Description = "Limits requests to health check endpoints to prevent DOS attacks.",
+    Dependencies = ["OrchardCoreContrib.HealthChecks"]
+)]

src/OrchardCoreContrib.HealthChecks/Startup.cs

@@ -72,7 +72,15 @@ private static async Task WriteResponse(HttpContext context, HealthReport report
 public class IPRestrictionStartup : StartupBase
 {
     public override void Configure(IApplicationBuilder app, IEndpointRouteBuilder routes, IServiceProvider serviceProvider)
-    {
-        app.UseMiddleware<HealthCheckIPRestrictionMiddleware>();
-    }
+        => app.UseMiddleware<HealthCheckIPRestrictionMiddleware>();
+}
+
+[Feature("OrchardCoreContrib.HealthChecks.RateLimiting")]
+public class RateLimitingStartup(IShellConfiguration shellConfiguration) : StartupBase
+{
+    public override void ConfigureServices(IServiceCollection services)
+        => services.Configure<HealthChecksRateLimitingOptions>(shellConfiguration.GetSection($"{Constants.ConfigurationKey}:RateLimiting"));
+
+    public override void Configure(IApplicationBuilder app, IEndpointRouteBuilder routes, IServiceProvider serviceProvider)
+        => app.UseMiddleware<HealthChecksRateLimitingMiddleware>();
 }

src/OrchardCoreContrib.Modules.Web/appsettings.json

@@ -45,8 +45,14 @@
     "OrchardCoreContrib_HealthChecks": {
       "Url": "/health",
       "ShowDetails": true,
-      "AllowedIPs": [ "127.0.0.1", "::1" ]
-    },
+      "AllowedIPs": [ "127.0.0.1", "::1" ],
+      "RateLimiting": {
+        "PermitLimit": 5,
+        "Window": "00:00:10",
+        "SegmentsPerWindow": 10,
+        "QueueLimit": 0
+      }
+    }
     //"OrchardCoreContrib_Garnet": {
     //  "Host": "127.0.0.1",
     //  "Port": 3278,