
I need to add a rule in the firewall so that my self-hosted http web service can receive requests, however whenever I add a rule which specifies the program or service that is doing the hosting, client requests are blocked.

Netstat reveals that the PID listening on that port is 4 (SYSTEM). I do not want to open the entire port for any call to SYSTEM, I would like to restrict the calls to the specific program / service which is performing the hosting. Can anyone provide some insight on how I can accomplish this?

netstat -ano
TCP    0.0.0.0:1234        0.0.0.0:0              LISTENING       4
TCP    [::]:1234              [::]:0              LISTENING       4

Here is a barebone example (actual hosting library was asp.net mvc4 web api, but I have found that it is also true with the original wcf web api and just regular wcf services). I tried opening the service host on its own thread but that had no effect. What is odd is that when I write the PID to the console it is the program's PID but the netstat still reports that it is listening as PID 4.

using System;
using System.Diagnostics;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Threading;
using Microsoft.ApplicationServer.Http; // WCF Web API namespace that provides HttpServiceHost

// Minimal stand-in for the service class the post omits: a single GET at the base address.
// InstanceContextMode.Single is required because an instance (not a type) is passed to the host.
[ServiceContract]
[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
class HelloWorldService
{
    [WebGet(UriTemplate = "")]
    public string Get() { return "Hello World"; }
}

class Host
{
    private static HelloWorldService service;

    static void Main()
    {
        // Hosting on a separate thread made no difference to the PID netstat reports
        Thread hostingThread = new Thread(OpenHostingThread);
        hostingThread.Start();

        Console.WriteLine("Server Running...");
        Console.ReadLine();
    }

    static void OpenHostingThread()
    {
        service = new HelloWorldService();
        HttpServiceHost host = new HttpServiceHost(service, "http://localhost:1234");
        host.Open();
        // Prints this program's PID, yet netstat shows port 1234 owned by PID 4 (System)
        Console.WriteLine(Process.GetCurrentProcess().Id);
    }
}
j0k
Despertar

2 Answers


With network sockets, only a single process/thread can listen to a given port, so HTTP.sys enables multiple websites to listen on the same port 80 by intercepting all requests and forwarding them to the appropriate process according to the URI/binding.

How can a WCF service listen the same port as IIS?

WCF without HTTP.SYS

HTTP.sys Article

When you create a Web site, IIS registers the site with HTTP.sys, which then receives any HTTP requests for the site. HTTP.sys functions like a forwarder, sending the Web requests it receives to the request queue for the user-mode process that runs the Web site or Web application. HTTP.sys also sends responses back to the client.

Community
Despertar


The Web API uses HTTP not TCP as its transport. By default only an administrator is allowed to start listening on HTTP endpoints. If you want another user to do so you need to use netsh on Windows 7/2008 or httpcfg on Windows XP/2003.

netsh http add urlacl url=http://+:80/MyUri user=DOMAIN\user

See Configuring HTTP and HTTPS

Maurice
  • It is not the user that it runs under that is the issue. The problem is the process it is listening as. In this case SYSTEM is a process with PID 4. I need it to listen as the process that is doing the actual hosting so I can lock down requests to that specific program. I have seen services listening with their own program's PID so I know it is possible but am not sure where or at what level this is configured. – Despertar Mar 27 '12 at 19:23
  • With HTTP/HTTPS all listening is normally done by a system level http.sys. See http://stackoverflow.com/questions/1473248/does-all-http-trafic-go-through-http-sys-on-windows – Maurice Mar 27 '12 at 19:39
  • Thank you for the link, that is helpful. If I use an address such as net.tcp://localhost:1234 then the PID is that of the hosting program, but as the link says, http has to run as system unless you write your own http handler which is discouraged due to security reasons. – Despertar Mar 28 '12 at 23:25
  • Yes, with HTTP all listening is done by a system level process called **http.sys**. In that case your application needs permission to register with **http.sys** and that is done using the **netsh** command. – Maurice Mar 29 '12 at 07:11
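The following PowerShell script is an added example and is not code from the question or either answer. It walks the diagnosis and the fix that the thread converges on: confirm from netstat -ano that the listener on the port is PID 4 (System, meaning http.sys), inspect the existing URL reservations, register a deliberately narrow reservation with netsh http add urlacl for the identity the service runs under, find the user-mode process attached to the request queue with netsh http show servicestate, and add a firewall rule that targets System rather than the hosting .exe (kernel-mode http.sys traffic cannot be scoped to the user-mode program, so the rule narrows the remote address instead). Port 1234 comes from the question's netstat output; the path "hello", the service account name and the LocalSubnet scope are placeholders to adjust. It assumes an elevated prompt on Windows 7/2008 or later.

```powershell
# Added example, not from the question or answers. Run from an elevated PowerShell.
param(
    [int]    $Port    = 1234,                          # port seen in the question's netstat output
    [string] $Path    = "hello",                       # placeholder: sub-path the service actually serves
    [string] $Account = "$env:COMPUTERNAME\svc-hello"  # placeholder: least-privilege service account
)

# 1. Which process owns the listener? PID 4 is the System process, i.e. http.sys,
#    so a firewall rule keyed on the hosting .exe will never match this traffic.
$owner = netstat -ano |
         Select-String -Pattern "TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)" |
         ForEach-Object { [int]$_.Matches[0].Groups[1].Value } |
         Select-Object -First 1
if ($owner -eq 4) {
    Write-Host "Port $Port is owned by PID 4 (System): the listener is http.sys, not the user-mode host."
} elseif ($owner) {
    Write-Host "Port $Port is owned by PID $owner ($((Get-Process -Id $owner).ProcessName))."
} else {
    Write-Host "Nothing is listening on port $Port."
}

# 2. Existing reservations for this port. Entries with '+' or '*' as the host are the
#    broad ones (every interface, every hostname) and are worth reviewing.
netsh http show urlacl | Select-String -Pattern ":$Port/" -Context 0,1

# 3. Reserve only the host and path the service needs, for the account it runs under.
#    The URL must end with a slash. Using 'localhost' instead of '+' keeps the
#    reservation off external interfaces when only local callers are expected.
$url = "http://localhost:$Port/$Path/"
netsh http add urlacl url=$url user=$Account

# 4. Find the user-mode process attached to the request queue for that URL; the
#    'Process IDs' line under the matching request queue is the real hosting process.
netsh http show servicestate view=requestq |
    Select-String -Pattern "Process IDs|$Port/$Path" -Context 0,2

# 5. Firewall: http.sys traffic is kernel-mode, so the rule targets 'System'.
#    Since the program cannot be narrowed further, narrow the remote address and profile.
netsh advfirewall firewall add rule name="Self-hosted HTTP $Port" dir=in action=allow `
    protocol=TCP localport=$Port program=System remoteip=LocalSubnet profile=private
```

Step 3 is the least-privilege counterpart of the answer's `http://+:80/MyUri` reservation: scoping the ACL to one host and path means a compromised or misconfigured service account can register only that URL, not every hostname on the port. Step 5 is the honest answer to the question's firewall goal: per-program scoping is not available for http.sys listeners, so remote-address and profile scoping are the controls that remain.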