
I'd like to filter out requests coming from blacklisted hosts. I did some research but found nothing reliable (using RemoteIp, for instance, or UserHostAddress).

Let's say my service receives requests from several products. Example:

GET /ping only from ["https://producta.com"]

Product A on https://producta.com/ - ok

Product B on https://anotherurlforb.com - forbidden

Is this feasible?

(I'm currently using ServiceStack and I'm loving it.)

raine

2 Answers

On the Request object you can check the ReferrerUrl

Raimond Kuipers
  • I think you mean Request.UrlReferrer? See this SO question, http://stackoverflow.com/questions/4258217/getting-the-http-referrer-in-asp-net – BrandonG May 24 '13 at 15:24
  • I'm afraid that doesn't look reliable (something the client may or may not send). I believe I might be tackling this blacklisting problem from a wrong angle. – raine May 25 '13 at 09:57
This is something you should do at the network layer to completely block them from reaching your service. If you rely on your service to handle that then you're still exposing yourself to your blacklisted hosts, even if you return a forbidden response.

If you don't control your network but control the web server, and I'll assume you're hosting in IIS, then check out this link on setting up address restrictions in IIS.

http://www.hrzdata.com/node/46

Mike Pugh
  • I'd agree with your assessment regarding network-level blocking. However, I can see two issues: the same IP might have rights to call /testcallone/ but not /testcalltwo/ (and blocking their IP would prevent them from accessing both); I'm also using ServiceStack's self-hosting in a Windows Service, so I don't think IIS can help. Or can it? – raine May 25 '13 at 10:01
  • So if you're self hosting then you'll need to handle all of the security yourself. Since you say that a host can access one API method but not another, I wouldn't really call it "blacklisting". It just seems like standard access control. Take a look at this discussion https://groups.google.com/forum/#!msg/servicestack/Ttp4bVZsu3c/m3LiReFAi4gJ which also covers the topic of load balancing. – Mike Pugh May 25 '13 at 12:15
  • Come to think of it - you may want to skip the IP based access control for your individual methods and just require your clients to send an API key or some sort of token that they keep secret. That way they can manage their clients (i.e., move to another domain, set up a new IP, etc.) w/o having to contact you. – Mike Pugh May 25 '13 at 12:59
  • Clients authenticate via basic auth + https, that'd be my token. I believe I can provide different users to our customers, each user having specific permissions. After all, avoiding using a full-trust user is their responsibility. Accepting this as the answer - thank you for your "access control" suggestion. – raine May 25 '13 at 16:37
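An added example, not code from the thread or from ServiceStack itself, of the credential-based per-route access control the discussion converged on: basic auth over HTTPS with a permission attached to each customer account, so Product A can call GET /ping while Product B, presenting valid credentials but holding a different permission, receives 403, and the server never has to trust the caller's IP or Referer. It assumes the ServiceStack v4 API (the `Authenticate`, `RequiredPermission`, `AuthFeature`, `BasicAuthProvider`, `InMemoryAuthRepository` and `AppSelfHostBase` types; the 2013-era v3 names differ), and the account names, permission names and secrets are placeholders I constructed.

```csharp
using System.Collections.Generic;
using Funq;
using ServiceStack;
using ServiceStack.Auth;

// Request/response DTOs. Only GET /ping is exposed in this example.
[Route("/ping", "GET")]
public class Ping : IReturn<PingResponse> { }

public class PingResponse
{
    public string Result { get; set; }
}

// [Authenticate] rejects unauthenticated callers with 401;
// [RequiredPermission] rejects authenticated callers that lack the named
// permission with 403. Which product may call which route is decided by
// the credentials it presents, not by its IP address or Referer header.
[Authenticate]
[RequiredPermission("ping")]
public class PingService : Service
{
    public object Get(Ping request)
    {
        return new PingResponse { Result = "pong" };
    }
}

public class AppHost : AppSelfHostBase
{
    // Self-hosted on HttpListener, matching the Windows Service setup in the thread.
    public AppHost() : base("Product API", typeof(PingService).Assembly) { }

    public override void Configure(Container container)
    {
        // Basic auth sends the password in the Authorization header, so refuse
        // any request that did not arrive over TLS before it reaches a service.
        GlobalRequestFilters.Add((req, res, dto) =>
        {
            if (!req.IsSecureConnection)
            {
                res.StatusCode = 403;
                res.EndRequest();
            }
        });

        Plugins.Add(new AuthFeature(
            () => new AuthUserSession(),
            new IAuthProvider[] { new BasicAuthProvider() }));

        // In-memory user store for the example; a real deployment would use a
        // persistent IAuthRepository (OrmLite, Redis, ...).
        var users = new InMemoryAuthRepository();
        container.Register<IAuthRepository>(users);

        // One account per customer product (constructed placeholders). Product A
        // holds the "ping" permission, Product B holds a different one, so the same
        // /ping route answers A and returns 403 to B although both authenticate.
        users.CreateUserAuth(
            new UserAuth { UserName = "product-a", Permissions = new List<string> { "ping" } },
            "<product-a-secret>"); // placeholder: issue a distinct secret per customer
        users.CreateUserAuth(
            new UserAuth { UserName = "product-b", Permissions = new List<string> { "status" } },
            "<product-b-secret>");
    }
}

public static class Program
{
    public static void Main()
    {
        // Listen on HTTPS only. The certificate binding for HttpListener is done
        // outside the application (netsh http add sslcert on Windows).
        new AppHost().Init().Start("https://*:8443/");
        System.Console.WriteLine("Listening on https://*:8443/; Ctrl+C to stop.");
        System.Threading.Thread.Sleep(System.Threading.Timeout.Infinite);
    }
}
```

Granting each customer its own account with only the permissions its product needs is what lets one caller reach /testcallone/ but not /testcalltwo/: add a second service with `[RequiredPermission("status")]` and Product B's account reaches it while Product A's does not, with no per-method IP lists to maintain. The network-layer blocking from the answer still belongs in front of this for hosts that should never reach the service at all.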