Restricting WCF Service access to only localhost which is hosted using console application

Question

I am very new to WCF.I have a WCF service hosted using a console application but, the WCF needs to be called from a C# webservice hosted on the same machine. So how can I restrict the endpoint access to loopback ip, i.e 127.0.0.1

Right now I can access the WCF service endpoints hosted in a different machine(say 10.X.X.X) .For example I can type http://10.X.X.X/api/v1/getStatus and get the response. This url should be restricted. My requirement is only http://localhost/api/v1/getStatus should be able to fetch the response from the WCF service hosted.

score 0 · Answer 1 · answered Sep 21 '20 at 05:17

0

Depending on your specific scenario you could go with named pipes. https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/choosing-a-transport?redirectedfrom=MSDN

answered Sep 21 '20 at 05:17

Lukasz Nowakowski

321
2
8

Not sure again , but the in the app.config file of the WCF application I could not find anything with pipe. I could see this though - **** so with this how can I restrict to loopback address? – debanka Sep 21 '20 at 05:26
1

Yes, because right now you're using HTTP binding. To go with what I propose you have to change binding configuration. You can take a look at this: https://stackoverflow.com/questions/7353670/wcf-named-pipe-minimal-example (especially answer from VoteCoffee) and try adjusting your server and client configuration accordingly. – Lukasz Nowakowski Sep 21 '20 at 06:29
@debanka adding to Lukasz's answer and comment, named pipes under WCF _[do not work across machines](https://learn.microsoft.com/en-us/dotnet/framework/wcf/samples/netnamedpipebinding)_ which is exactly what you want. Do not get confused with _native_ named pipes which _do_ support a local LAN. Not sure why MS blocked it, possibly to prevent people from using NP over the Internet ;) – Sep 21 '20 at 06:43
@MickyD I still want to go with the existing Http binding. I looked at this (https://stackoverflow.com/questions/722008/can-i-setup-an-ip-filter-for-a-wcf-service/803813#803813) (the answer from Steve) but when I try to do the same I am getting an error , the element **behavior** has invalid child element **IPFilter** . So any thoughts on this how to solve this problem? – debanka Sep 21 '20 at 13:22
@debanka 1) what has the link to do with HTTP? 2) and more importantly why do you want to do that when you just want localhost? It's far easier to just use named pipes because by definition networks are blocked. No need for IP filtering. It makes no difference to your C# code what WCF transport you use whether it be named pipes; HTTP; TCP; or MSMQ. No changes to C# is required. – Sep 22 '20 at 00:40

score 0 · Accepted Answer · answered Sep 22 '20 at 05:19

In the link you gave, IPFilter is a custom node that implements the IDispatchMessageInspector interface to intercept IP. Here is my demo:

   public class ServerMessageLogger : IDispatchMessageInspector
{
    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState)
    {
        OperationContext context = OperationContext.Current;
        MessageProperties messageProperties = context.IncomingMessageProperties;
        RemoteEndpointMessageProperty endpointProperty =
          messageProperties[RemoteEndpointMessageProperty.Name] as RemoteEndpointMessageProperty;
        if (endpointProperty.Address.Equals("::1"))
        {
            Console.WriteLine("OK");
        }
        else
        {
            reply = null;
        }
    }
}

We need to implement the IDispatchMessageInspector interface. When the server sends a response to the client, first determine whether the client's IP address is localhost. If it is not localhost, the server will return an empty response.

 [AttributeUsage(AttributeTargets.Interface | AttributeTargets.Class, AllowMultiple = false)]
    public class CustContractBehaviorAttribute : Attribute, IContractBehavior
    {
        public void AddBindingParameters(ContractDescription contractDescription, ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
        {
            return;
        }

        public void ApplyClientBehavior(ContractDescription contractDescription, ServiceEndpoint endpoint, ClientRuntime clientRuntime)
        {
            return;
        }

        public void ApplyDispatchBehavior(ContractDescription contractDescription, ServiceEndpoint endpoint, DispatchRuntime dispatchRuntime)
        {
            dispatchRuntime.MessageInspectors.Add(new ServerMessageLogger());
        }

        public void Validate(ContractDescription contractDescription, ServiceEndpoint endpoint)
        {
            return;
        }
    }

Then we need to add ServerMessageLogger to the behavior of the service.

Finally, you need to apply CustContractBehavior to the service.

Restricting WCF Service access to only localhost which is hosted using console application

2 Answers2