Laravel Middleware - Block IPs using Middleware class

-

When talking about securing the Laravel application, we might also want to restrict IP address to access our application, especially when we have Laravel setup as a Backend server providing data through APIs or web services.

As of today, you might find no. of Laravel package providing IP address restriction functionality but I found it does not make any sense to install a package when it is achieved through only One class. 
Yes! we can just do this with a simple middleware class. 

Let me explain to you little details on how we can achieve it using the Middleware class.

First, let's create a middleware class using the Laravel artisan command:

php artisan make:middleware RestrictIPAddress

It will create a new class in your Laravel project under the `app/Http/Middleware` directory.
It will have a default empty method handle(), where you have to write your logic.

Logic is simple, you just have to get the IP address from where the request is coming. here is the method to get IP from the incoming requests.

private function getRequestingIp(): string
{
    $server = request()->server->all();
    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
        $ip_addresses = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim(end($ip_addresses));
    }
    return $server['REMOTE_ADDR'];
}

Once we got the request source IP, we compare this IP to our list of given IPs and will allow OR restrict the request ahead to application.

Here is one point to note, Restrict IPs can work in both ways, either you Block some IPs or you Allow only some IPs i.e. as per the requirements. So you can use the same middleware class to restrict IPs either by blocking the given list of IPs or Allowing only the given list of IPs.

Here I want to block the given list of IPs, I will check if the requesting IP matches in the given list of IPs, and the request will be blocked and will show the suitable message as a response.
If the requesting IP is not in the given Block IPs list, it will simply be forwarded to the application.

Here is the content of the handle method which is the main method of our middleware class:

public function handle(Request $request, Closure $next)
{
    $this->restrictedIp = explode(',', env('BLOCK_IPs'));
    if (in_array($this->getRequestingIp(), $this->restrictedIp)) {
        return response()->json(['message' => "You are not allowed to access this site."], 403);
    }
    return $next($request);
}

Here I am getting list IPs to block from ENV variables, you can also put them in any config file or in the Middleware class property itself. I preferred ENV to avoid unnecessary deployment just to update the block IPs list.

So our complete Middleware class will look like this:

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RestrictIpAddressMiddleware
{
    private $restrictedIp = [];

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        $this->restrictedIp = explode(',', env('BLOCK_IPs'));
        if (in_array($this->getRequestingIp(), $this->restrictedIp)) {
            return response()->json(['message' => "You are not allowed to access this site."], 403);
        }
        return $next($request);
    }

    private function getRequestingIp(): string
    {
        $server = request()->server->all();
        if (isset($server['HTTP_X_FORWARDED_FOR'])) {
            $ip_addresses = explode(',', $server['HTTP_X_FORWARDED_FOR']);
            return trim(end($ip_addresses));
        }
        return $server['REMOTE_ADDR'];
    }
}


In getRequestingIp() method, i consider $server['HTTP_X_FORWARDED_FOR'] incase the incoming request to forwarded request from inmiddle server or proxy server. otherwise we can get requesting IP simply from $server['REMOTE_ADDR'].

Now you can test this by adding your local machine IP in comma separate Block IPs list stored in ENV variable.

Location: Chandigarh, India
A man with small desires, likes things in simple conditions, loves god creation, feels pleasure to help someone needy.
Professional: Software Developer (PHP) (5+ yrs) with good hands in latest technologies and Frameworks like Laravel Cakephp 3, CodeIgniter, Wordpress, Core PHP, MySQL, PgSql, jQuery.

Comments

Post a Comment

Popular posts from this blog

Using Virtual Columns in Laravel - Accessors and Appends

-
What are virtual columns?  While developing any web application sometimes we need virtual columns - columns don't actually exist in our DB table, but we drive them from other columns. Why we need them? For example, generally, we use first_name and last_name  in the  users table. But sometimes we also need user's complete name i.e. full_name . There is no benefit of saving full_name in user table if we have already first_name and last_name in the table OR even if we have full_name  as a column in our table then there is no benefit of saving first_name and last_name in the table. So in a scenario like this, we prefer to use the virtual column. Using Virtual Columns in Laravel Considering the first case, in Laravel to get virtual column i.e.  full_name  from the users table will have Accessors. Accessors are methods defined automatically called by Eloquent when select is called on that particular column. Let take an example here: To get full_...
Read more

How to Show Cookie Policy Consent or GDPR Popup in Laravel using Cookie.

-
Cookie in Laravel You can use the cookie in Laravel using the Helper method ` cookie() ` or method available with Request/Response Object or `Cookie` facade. $request->cookie('name'); OR use Illuminate\Support\Facades\Cookie; Cookie::get('name'); To get more clarity on how to use the cookie in Laravel with an example to show cookie consent popup on your Laravel website and hide/remove it once you accept the policy. Cookie Policy Consent Popup in Laravel First, create and a Cookie Consent popup as notification to the footer section of your Laravel main blade template file.  <div class="cookies-block">         <h5>This website uses cookies</h5>         <p>We use cookies to improve your experience and deliver personalised content. By using this website, you agree to our <a href="javascript:void()">Cookie Policy</a>.</p>         ...
Read more

Postman Collection Run - How to Test File Uploading API on CircleCi or Jenkins

-
Image
From last couple of days,  I was doing R&D on how we can test file uploading API on CircleCi or Postman collection Run? Finally, I found a way to test the File uploading APIs using the Postman Desktop app  OR Postman CLI collection run. I have also tested this solution, even on CircleCi for running the automated testing postman APIs by Postman CLI collection run. Here is step by step process, how you can test the file uploading API on CircleCi or Postman collection Run? Local Desktop App settings: Open and go to Local Postman app settings -> General Set working directly location  ( default is postman installation directory but can also choose any other directory ) Place files (to use in file upload APIs during the collection run) in the working directory selected as in the above step and also in the root directory of your project. Now go to the API in which you need to upload a file, and select the file from the working directory selected in step 2. Save that ...
Read more