
How to hide my WCF service

Developer https://www.devze.com 2023-01-26 22:14 Source: Internet

I have a WCF service embedded into a Windows service. It's bound to localhost, but it also accepts connections from this kind of URL - "http://ip:port/ServiceName". How can I hide it from others and allow connections only from localhost?

Here is my service configuration

<system.serviceModel>
 <behaviors>
  <serviceBehaviors>
     <behavior name="Test.Service.ServiceBehavior">
         <serviceMetadata httpGetEnabled="true" /> 
         <serviceDebug includeExceptionDetailInFaults="true" /> 
     </behavior>
  </serviceBehaviors>
 </behaviors>
 <services>
   <service behaviorConfiguration="Test.Service.ServiceBehavior" name="Test.Service.TestService">
      <endpoint address="localhost" binding="wsHttpBinding" contract="Test.Service.IService">
        <identity>
           <dns value="localhost" /> 
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> 
      <host>
         <baseAddresses>
              <add baseAddress="http://localhost:8732/MyService/service" /> 
         </baseAddresses>
      </host>
   </service>
</services>
</system.serviceModel>


To "hide" it, you need to turn off any metadata exchange, so you need to remove:

<serviceMetadata httpGetEnabled="true" /> 

from your service behaviors, and you need to remove the mex endpoint:

<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> 

However, this is only "obscuring" it. To keep anyone but localhost from calling - why not switch to the netNamedPipeBinding, which is by design "on this machine only" - no outside callers are able to call into that endpoint.

Otherwise, you'd have to check for the caller's IP address and block them based on that information - which however can be spoofed pretty easily....


I would switch to NetNamedPipeBinding - this is inherently local-only, but also avoids a few additional layers, and doesn't require access to any ports (which non-admins don't have by default). This can be done in config using the <netNamedPipeBinding> element.
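
The changes suggested in the answers above (metadata removed, HTTP endpoint replaced by a named pipe), applied to the configuration from the question. This is an added example, not part of the original posts; the binding name LocalOnlyPipe and the net.pipe base address are assumptions, and turning off includeExceptionDetailInFaults is an extra change the answers do not mention.

```xml
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="Test.Service.ServiceBehavior">
        <!-- serviceMetadata element removed: no WSDL is published over HTTP GET -->
        <!-- Extra change (not from the answers): do not return exception details to callers -->
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <bindings>
    <netNamedPipeBinding>
      <!-- "LocalOnlyPipe" is an assumed name; Transport security is the default for this binding -->
      <binding name="LocalOnlyPipe">
        <security mode="Transport">
          <transport protectionLevel="EncryptAndSign" />
        </security>
      </binding>
    </netNamedPipeBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="Test.Service.ServiceBehavior" name="Test.Service.TestService">
      <!-- Single endpoint on the named pipe; the wsHttpBinding and mex endpoints are gone -->
      <endpoint address=""
                binding="netNamedPipeBinding"
                bindingConfiguration="LocalOnlyPipe"
                contract="Test.Service.IService" />
      <host>
        <baseAddresses>
          <!-- Assumed address: no TCP port is opened, so there is nothing at http://ip:port/ to reach -->
          <add baseAddress="net.pipe://localhost/MyService/service" />
        </baseAddresses>
      </host>
    </service>
  </services>
</system.serviceModel>
```

Clients on the same machine need a matching netNamedPipeBinding endpoint pointing at the net.pipe address. After restarting the service, `netstat -ano` should no longer show a listener on port 8732.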


If you are hosting in IIS, you could just change the site Bindings from "*" to "127.0.0.1".
