I have a WCF service embedded into a Windows service. It's bound to localhost, but it also accepts connections from this kind of URL - "http://ip:port/ServiceName". How can I hide it from others and allow connections only from localhost?
Here is my service configuration
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="Test.Service.ServiceBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service behaviorConfiguration="Test.Service.ServiceBehavior" name="Test.Service.TestService">
      <endpoint address="localhost" binding="wsHttpBinding" contract="Test.Service.IService">
        <identity>
          <dns value="localhost" />
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      <host>
        <baseAddresses>
          <add baseAddress="http://localhost:8732/MyService/service" />
        </baseAddresses>
      </host>
    </service>
  </services>
</system.serviceModel>
To "hide" it, you need to turn off any meta data exchange, so you need to remove:
<serviceMetadata httpGetEnabled="true" />
from your service behaviors, and you need to remove the mex endpoint:
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
However, this is only "obscuring" it. To prevent anyone else but localhost from calling - why not switch to the netNamedPipeBinding, which is by design "on this machine only" - no outside callers are able to call into that endpoint.
Otherwise, you'd have to check for the caller's IP address and block them based on that information - which however can be spoofed pretty easily....
I would switch to NetNamedPipeBinding - this is inherently local-only, but also avoids a few additional layers, and doesn't require access to any ports (which non-admins don't have by default). This can be done in config using the <netNamedPipeBinding> element.
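The change the two answers above describe, written out against the question's configuration (an added example, not code from the original posts): metadata publishing and the mex endpoint are removed, and the service endpoint moves to netNamedPipeBinding. The binding name "localOnly" and the net.pipe base address are assumptions; clients have to be switched to the same binding and address.

```xml
<!-- Added example: names marked "assumed" are not from the original posts. -->
<system.serviceModel>
  <bindings>
    <netNamedPipeBinding>
      <!-- "localOnly" is an assumed binding name. Transport security with
           EncryptAndSign is this binding's default, spelled out here. -->
      <binding name="localOnly">
        <security mode="Transport">
          <transport protectionLevel="EncryptAndSign" />
        </security>
      </binding>
    </netNamedPipeBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="Test.Service.ServiceBehavior">
        <!-- <serviceMetadata httpGetEnabled="true" /> removed: no WSDL is published. -->
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service behaviorConfiguration="Test.Service.ServiceBehavior" name="Test.Service.TestService">
      <!-- Empty address: the endpoint listens at the net.pipe base address below. -->
      <endpoint address="" binding="netNamedPipeBinding" bindingConfiguration="localOnly"
                contract="Test.Service.IService" />
      <!-- mex endpoint removed. -->
      <host>
        <baseAddresses>
          <!-- Assumed address: the question's path with the net.pipe scheme (no port). -->
          <add baseAddress="net.pipe://localhost/MyService/service" />
        </baseAddresses>
      </host>
    </service>
  </services>
</system.serviceModel>
```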
If you are hosting in IIS, you could just change the site Bindings from "*" to "127.0.0.1"