Jump to content

Allow only localhost to connect


itognet
 Share

Recommended Posts

Something like this perhaps.  Add the following to your UniServerModule (and set the HTTPCommand event handler to the below event handler code) to intercept the HTTP request and deny access if not 127.0.0.1.  

 

Note: The UserHostAddress() is not neccesary here for checking 127.0.0.1.  I include it however for interest sake, in the hope that it's instructive, since in the more general case where you want to implement IP Whitelisting and are running behind a reverse proxy server, you would then need to obtain the remote client's IP address (as opposed to the reverse proxy server's IP, which would otherwise always appear to be the immediate "client"/"RemoteIP".)  Hope that makes sense.

function StrIsEmpty(const AInput: string) : boolean;
begin
  Result := Length(Trim(AInput)) = 0;
end;

function StrIsFull(const AInput: string): boolean;
begin
  Result := not StrIsEmpty(AInput);
end;

function UserHostAddress(const ARequest: TIdHTTPRequestInfo): string;
// Modified from http://edn.embarcadero.com/article/40890
// to use Indy TIdHTTPRequestInfo as opposed to WebBroker request object.
// **Modifications not fully tested yet.**
// This is intended to be useful in contexts where UniGUI/Indy server
// may be accessed via reverse proxy and the actual remote user address
// (as opposed to the proxy's host address) is desired to be checked
// against.
var
  lStr: string;
  lParts: TStringDynArray;
  lIndex: Integer;
begin
  lStr := String(ARequest.CustomHeaders.Values['x-forwarded-for']);
  if StrIsFull(lStr) then
  begin
    lParts := SplitString(lStr, ',');
    lIndex := High(lParts);
    while ((lIndex >= Low(lParts)) and (StrIsEmpty(lParts[lIndex]))) do
      Dec(lIndex);
    Result := String(lParts[lIndex]);
  end
  else
    Result := String(ARequest.RemoteIP);
  if Pos(':', Result) > 0 then
    Result := Copy(Result, 1, Pos(':', Result)-1);
end;

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
  var Handled: Boolean);
var
  UserHostIP : string;
begin
  UserHostIP := UserHostAddress(ARequestInfo);

  if not (UserHostIP = '127.0.0.1') then
  begin
    AResponseInfo.ResponseNo := 403;
    AResponseInfo.ResponseText := 'Access denied.';
    AResponseInfo.ContentType := 'text/plain';
    AResponseInfo.ContentText := 'Access denied. Access only allowed from 127.0.0.1.';
    // Of course you could also emit 401 and demand some other auth here.
    Handled := True;
  end
end;

Hope that helps.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...