  • Language
    PHP
  • License
    BSD 3-Clause "New...
  • Created about 11 years ago
  • Updated almost 2 years ago


Firewall package for Laravel applications

Firewall 2.2


Purpose

This is a "soft-firewall" package. Its purpose is to help people prevent unauthorized access to routes by IP address. It is able to keep track of IPs, countries and hosts (dynamic IP), and redirect non-authorized users to, for instance, a "Coming Soon" page, while letting whitelisted IPs access the entire site. It is now also able to detect and block attacks (too many requests) from single IPs or whole countries.

This package can prevent some headaches and help you block some access to your apps, but it cannot replace firewalls and appliances. For attacks at the network level, you'll still need a real firewall.

Features

  • Control access to routes and groups via black and white lists.
  • Detect and block attacks to your application, from IP addresses or countries.
  • Send Slack notifications in attack events.
  • Allow whitelisted IPs to access the whole site and send everyone else to a "coming soon" page.
  • Redirect blacklisted users to some other page.
  • Use database or arrays to store IP lists.
  • Whitelist your development machine using a dynamic DNS host name.
  • Done using middleware, so you can protect/unprotect groups of routes.
  • All features are available for hosts, IP addresses, ranges of IP addresses and whole countries.
  • Super fast, less than 10ms increase in each request.
  • Highly configurable.

Concepts

Blacklist

All IP addresses in those lists will not be able to access routes filtered by the blacklist filter.

Whitelist

Those IP addresses, ranges or countries can:

  • Access blacklisted routes even if they are in a range of blacklisted IP addresses.
  • Access 'allow whitelisted' filtered routes.
  • If a route is filtered by the 'allow whitelisted' filter and the IP is not whitelisted, the request will be redirected to an alternative url or route name.

Attack Detection

Firewall is able to detect simple attacks on your page by counting requests from the same IP or country. Just enable it in your config/firewall.php and, to receive notifications, configure the Slack service in config/services.php:

'slack' => [
    'webhook_url' => env('SLACK_WEBHOOK_URL'),
],

and add the route notification method to your user model:

/**
 * Route notifications for the Slack channel.
 *
 * @return string
 */
public function routeNotificationForSlack()
{
    return config('services.slack.webhook_url');
}
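
The counting that attack detection relies on, sketched as an added example that is not the package's own code. The class and function names (RequestCounter, detect) and the limits are hypothetical, and the country code is assumed to come from a GeoIP lookup done elsewhere.

```php
<?php
// Added example, not the package's code: fixed-window request counting per IP and per country.

final class RequestCounter
{
    private array $windows = [];   // key => ['start' => int, 'count' => int]
    private int $maxRequests;
    private int $windowSeconds;

    public function __construct(int $maxRequests, int $windowSeconds)
    {
        $this->maxRequests = $maxRequests;
        $this->windowSeconds = $windowSeconds;
    }

    /** Record one request for $key at time $now; true once the key exceeds the limit in its window. */
    public function hit(string $key, int $now): bool
    {
        $w = $this->windows[$key] ?? ['start' => $now, 'count' => 0];
        if ($now - $w['start'] >= $this->windowSeconds) {
            $w = ['start' => $now, 'count' => 0];   // window expired: start counting again
        }
        $w['count']++;
        $this->windows[$key] = $w;
        return $w['count'] > $this->maxRequests;
    }
}

/** Count one request against both counters and return the keys that crossed their limit. */
function detect(RequestCounter $perIp, RequestCounter $perCountry, string $ip, string $country, int $now): array
{
    $flags = [];
    foreach (["ip:$ip" => $perIp, "country:$country" => $perCountry] as $key => $counter) {
        if ($counter->hit($key, $now)) {
            $flags[] = $key;
        }
    }
    return $flags;
}

// Constructed traffic as [seconds, ip]; every request is assumed to resolve to country 'br'.
$perIp = new RequestCounter(3, 60);        // illustrative limits, not the package defaults
$perCountry = new RequestCounter(5, 60);
$traffic = [[0, '203.0.113.5'], [1, '203.0.113.5'], [2, '203.0.113.5'], [3, '203.0.113.5'],
            [4, '198.51.100.9'], [5, '198.51.100.9'], [70, '203.0.113.5']];
foreach ($traffic as [$t, $ip]) {
    $flags = detect($perIp, $perCountry, $ip, 'br', $t);
    printf("t=%-3d %-13s %s\n", $t, $ip, $flags ? implode(', ', $flags) : 'ok');
}
```

The second address sends only two requests, yet its second one trips the country counter, which is why per-country limits need to be much looser than per-IP limits.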

IPs lists

IP lists (white and black) can be stored in arrays, files and the database. Initially, database access to lists is disabled, so to test your Firewall configuration you can publish the config file and edit the blacklist or whitelist arrays:

'blacklist' => array(
    '127.0.0.1',
    '192.168.17.0/24',
    '127.0.0.1/255.255.255.255',
    '10.0.0.1-10.0.0.255',
    '172.17.*.*',
    'country:br',
    '/usr/bin/firewall/blacklisted.txt',
),

The file (for instance /usr/bin/firewall/blacklisted.txt) must contain one IP, range or file name per line, and, yes, it will search for files recursively, so you can have a file of files if you need:

127.0.0.2
10.0.0.0-10.0.0.100
/tmp/blacklist.txt
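
How the entry formats above map to address ranges, and how a whitelist entry overrides a blacklisted range as described under Concepts, in an added example that is not the package's own code. The function names (entryToRange, ipInList, classify) are hypothetical; only IPv4 is handled, and country:, host: and file entries are skipped.

```php
<?php
// Added example, not the package's code. IPv4 only; assumes 64-bit PHP.

/** Inclusive [low, high] integer range for one list entry, or null if it is not an IPv4 pattern. */
function entryToRange(string $entry): ?array
{
    if (strpos($entry, '-') !== false) {                 // 10.0.0.1-10.0.0.255
        [$lo, $hi] = array_map('ip2long', explode('-', $entry, 2));
    } elseif (strpos($entry, '*') !== false) {           // 172.17.*.*
        [$lo, $hi] = [ip2long(str_replace('*', '0', $entry)), ip2long(str_replace('*', '255', $entry))];
    } else {                                             // plain IP, CIDR or IP/netmask
        [$ip, $mask] = array_pad(explode('/', $entry, 2), 2, '32');
        $bits = preg_match('/^\d{1,2}$/', $mask) && (int) $mask <= 32;
        $maskLong = $bits ? (0xFFFFFFFF << (32 - (int) $mask)) & 0xFFFFFFFF : ip2long($mask);
        if (($base = ip2long($ip)) === false || $maskLong === false) {
            return null;                                 // country:, host:, file path or garbage
        }
        [$lo, $hi] = [$base & $maskLong, ($base & $maskLong) | (~$maskLong & 0xFFFFFFFF)];
    }
    return ($lo === false || $hi === false || $lo > $hi) ? null : [$lo, $hi];
}

/** True when $ip falls inside any IPv4 entry of $entries. */
function ipInList(string $ip, array $entries): bool
{
    $needle = ip2long($ip);
    foreach (array_filter(array_map('entryToRange', $entries)) as [$lo, $hi]) {
        if ($needle !== false && $lo <= $needle && $needle <= $hi) {
            return true;
        }
    }
    return false;
}

/** Whitelist is checked first, so it wins over a blacklisted range. Returns 'whitelist', 'blacklist' or false. */
function classify(string $ip, array $whitelist, array $blacklist)
{
    return ipInList($ip, $whitelist) ? 'whitelist' : (ipInList($ip, $blacklist) ? 'blacklist' : false);
}

// Constructed sample lists using the entry formats shown above.
$blacklist = ['192.168.17.0/24', '127.0.0.1/255.255.255.255', '10.0.0.1-10.0.0.255', '172.17.*.*', 'country:br'];
$whitelist = ['10.0.0.7'];
foreach (['10.0.0.7', '10.0.0.8', '172.17.200.1', '192.168.18.1'] as $ip) {
    printf("%-13s %s\n", $ip, classify($ip, $whitelist, $blacklist) ?: 'not listed');
}
```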

Redirecting non-whitelisted IP addresses

Non-whitelisted IP addresses can be blocked or redirected. To configure redirection you'll have to publish the config.php file and configure:

'redirect_non_whitelisted_to' => 'coming/soon',

Artisan Commands

You have access to the following commands:

Global

  firewall:cache:clear  Clear the firewall cache.
  firewall:list         List all IP address, white and blacklisted.
  firewall:updategeoip  Update the GeoIP database.

When database is enabled

  firewall:blacklist          Add an IP address to blacklist.
  firewall:clear              Remove all ip addresses from white and black lists.
  firewall:remove             Remove an IP address from white or black list.
  firewall:whitelist          Add an IP address to whitelist.

Those are results from firewall:list:

+--------------+-----------+-----------+
| IP Address   | Whitelist | Blacklist |
+--------------+-----------+-----------+
| 10.17.12.7   |           |     X     |
| 10.17.12.100 |     X     |           |
| 10.17.12.101 |     X     |           |
| 10.17.12.102 |     X     |           |
| 10.17.12.200 |           |     X     |
+--------------+-----------+-----------+
+-----------------------+-----------+-----------+
| IP Address            | Whitelist | Blacklist |
+-----------------------+-----------+-----------+
| 172.0.0.0-172.0.0.255 |           |     X     |
| country:br            |           |     X     |
| host:mypc.myname.com  |     X     |           |
+-----------------------+-----------+-----------+

Facade

You can also use the Firewall Facade to manage the lists:

$whitelisted = Firewall::isWhitelisted('10.17.12.1');
$blacklisted = Firewall::isBlacklisted('10.0.0.3');

Firewall::whitelist('192.168.1.1');
Firewall::blacklist('10.17.12.1', true); /// true = force in case IP is whitelisted
Firewall::blacklist('127.0.0.0-127.0.0.255');
Firewall::blacklist('200.212.331.0/28');
Firewall::blacklist('country:br');

if (Firewall::whichList($ip) !== false)  // returns false, 'whitelist' or 'blacklist'
{
    Firewall::remove($ip);
}

Return a blocking access response:

return Firewall::blockAccess();

Suspicious events will be (if you wish) logged, so tail it:

php artisan tail

Blocking Whole Countries

You can block a country by passing country:<2-letter ISO code> instead of an IP address. So, to block all of Brazil's IP addresses, you do:

php artisan firewall:blacklist country:br

You will have to add this requirement to your composer.json file:

"geoip/geoip": "~1.14"

or

"geoip2/geoip2": "~2.0"

You need to enable country search on your firewall.php config file:

'enable_country_search' => true,

And you can schedule this command to update your cities GeoIp database regularly:

php artisan firewall:updategeoip

You can find those codes here: isocodes

Session Blocking

You can block users from accessing some pages only for the current session, by using those methods:

Firewall::whitelistOnSession($ip);
Firewall::blacklistOnSession($ip);
Firewall::removeFromSession($ip);

Playground & Bootstrap App

Click here to see it working and, in case you need help figuring things out, try this repository.

Installation

Compatible with

  • Laravel 4+ (version 1.*)
  • Laravel 5.0, 5.1, 5.2 and 5.3 (version 1.*)
  • Laravel 5.4, 5.5, 5.6 and 5.7 (version 2.*)

Installing

Require the Firewall package using Composer:

composer require pragmarx/firewall

  • Laravel 5.5 and up

    You don't have to do anything else: this package uses Laravel's Package Auto-Discovery feature and should be available as soon as you install it via Composer.

  • Laravel 5.4 and below

    Add the Service Provider and the Facade to your app/config/app.php:

PragmaRX\Firewall\Vendor\Laravel\ServiceProvider::class,
'Firewall' => PragmaRX\Firewall\Vendor\Laravel\Facade::class,

Add the middleware to your app/Http/Kernel.php:

protected $routeMiddleware = [
    ...
    'fw-only-whitelisted' => \PragmaRX\Firewall\Middleware\FirewallWhitelist::class,
    'fw-block-blacklisted' => \PragmaRX\Firewall\Middleware\FirewallBlacklist::class,
    'fw-block-attacks' => \PragmaRX\Firewall\Middleware\BlockAttacks::class,
];

or

protected $middlewareGroups = [
    'web' => [
        ...
    ],

    'api' => [
        ...
    ],
    
    'firewall' => [
        \PragmaRX\Firewall\Middleware\FirewallBlacklist::class,
        \PragmaRX\Firewall\Middleware\BlockAttacks::class,
    ],
];

Then you can use them in your routes:

Route::group(['middleware' => 'fw-block-blacklisted'], function () 
{
    Route::get('/', 'HomeController@index');
});

Or you could use both. In the following example the allow group will give free access to the 'coming soon' page and block or just redirect non-whitelisted IP addresses to another, while still blocking access to the blacklisted ones.

Route::group(['middleware' => 'fw-block-blacklisted'], function () 
{
    Route::get('coming/soon', function()
    {
        return "We are about to launch, please come back in a few days.";
    });

    Route::group(['middleware' => 'fw-only-whitelisted'], function () 
    {
        Route::get('/', 'HomeController@index');
    });
});

Note: You can add other middleware you have already created to the new groups by simply adding it to the fw-allow-wl or fw-block-bl middleware group.

Migrate your database

php artisan migrate

Warning: If you already have a Firewall package installed and migrated, you need to update your migration name, in the migrations table, to 2014_02_01_311070_create_firewall_table, otherwise the migrate command will fail and tell you the table already exists.

To publish the configuration file you'll have to:

Laravel 4

php artisan config:publish pragmarx/firewall

Laravel 5

php artisan vendor:publish --provider="PragmaRX\Firewall\Vendor\Laravel\ServiceProvider"

TODO

  • Tests, tests, tests.

Author

Antonio Carlos Ribeiro

License

Firewall is licensed under the BSD 3-Clause License - see the LICENSE file for details

Contributing

Pull requests and issues are more than welcome.
