IP Black/White List

    • #56190
      Babis Michael
      Participant

      Hello,

      Is it possible to add an IP Black & White list to the transports?

      Thank you

    • #56195
      kimbomadsen
      Keymaster

      Hi,

      I assume you mean to allow specific client IPs to connect to the server?

      Each transport has its own “ways” to do that.

      With Indy 10 request/response transport, you can write an event handler in the server transport's OnConnected event:

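      var
        sIP: string;
      begin
        // Read the peer address of the connecting client from the Indy context.
        sIP := TIdContext(TkbmMWServerTransportInfo(AInfo).Client).Binding.PeerIP;
        // Drop the connection when the address is on the block list.
        if YourBlackListFunction(sIP) then
          TIdContext(TkbmMWServerTransportInfo(AInfo).Client).Connection.Disconnect;
      end;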

      You can also allow the connection, and let kbmMW’s authorization management block requests except for matching IP addresses:

      REST easy with kbmMW #4 – Access management

      and the whitepapers in:

      Direct access to articles and whitepapers about kbmMW – Loads of pages

      Look for the whitepaper “The kbmMW Authorization manager explained.pdf”

      You would add a transport constraint (TkbmMWAuthorizationTransportConstraint) to the resulting authorization instance that is returned when you call authorizationmanager.Grant:

      var
        a: TkbmMWAuthorization;
        c: TkbmMWAuthorizationTransportConstraint;
      begin
        a := authmgr.Grant(….);
        c := TkbmMWAuthorizationTransportConstraint.Create;
        c.RemoteLocations.Add('10.10.10.10'); // Authorize this specific IP address for this authorization.
        c.RemoteLocations.Add('10.10.10.11'); // Authorize this specific IP address for this authorization.
        c.RemoteLocations.Add('10.10.10.12'); // Authorize this specific IP address for this authorization.
        c.RemoteLocationsPrimaryPart := true; // Only match the IP part. If false, will match both IP and port according to the format IP:Port
        a.Constraints.Add(c);

      end;

      You can also set it up to allow access only from a specific transport, not allow access if no whitelist has been provided, etc.

      But apart from this, I would highly recommend adding a firewall to ensure filtering at the earliest possible level.

      /Kim
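
One possible body for the `YourBlackListFunction` placeholder used in the reply above, as an added example that is not part of the original post or of kbmMW: it checks the peer address against IPv4 hosts and CIDR ranges and blocks any address it cannot parse. `TryParseIPv4`, `EntryMatches` and the `DenyList` entries are hypothetical names and constructed values, and an IPv4-only service is assumed.

```delphi
const
  // Added example (not kbmMW/Indy code); constructed sample entries. Needs System.SysUtils.
  DenyList: array[0..1] of string = ('203.0.113.7', '198.51.100.0/24');

// Strict dotted-quad parser: digits and three dots only, each octet 0..255.
function TryParseIPv4(const S: string; out Addr: Cardinal): Boolean;
var C: Char; Octet, Digits, Dots: Integer;
begin
  Addr := 0; Octet := 0; Digits := 0; Dots := 0;
  for C in S do
    if CharInSet(C, ['0'..'9']) then
    begin
      Octet := Octet * 10 + Ord(C) - Ord('0');
      Inc(Digits);
      if (Digits > 3) or (Octet > 255) then Exit(False);
    end
    else if (C = '.') and (Digits > 0) and (Dots < 3) then
    begin
      Addr := (Addr shl 8) or Cardinal(Octet);
      Octet := 0; Digits := 0; Inc(Dots);
    end
    else Exit(False);
  Result := (Dots = 3) and (Digits > 0);
  if Result then Addr := (Addr shl 8) or Cardinal(Octet);
end;

// True when Addr is covered by 'a.b.c.d' or 'a.b.c.d/prefix'; a malformed entry raises.
function EntryMatches(const Entry: string; Addr: Cardinal): Boolean;
var Slash, Prefix: Integer; Net, Mask: Cardinal;
begin
  Prefix := 32;
  Slash := Pos('/', Entry);
  if Slash > 0 then Prefix := StrToIntDef(Copy(Entry, Slash + 1, MaxInt), -1)
  else Slash := Length(Entry) + 1;
  if (Prefix < 0) or (Prefix > 32) or not TryParseIPv4(Copy(Entry, 1, Slash - 1), Net) then
    raise EArgumentException.Create('Bad deny-list entry: ' + Entry);
  if Prefix = 0 then Mask := 0 else Mask := High(Cardinal) shl (32 - Prefix);
  Result := (Addr and Mask) = (Net and Mask);
end;

// Fails closed: anything that is not plain IPv4 (IPv6, empty, malformed) is blocked.
function YourBlackListFunction(const sIP: string): Boolean;
var Addr: Cardinal; Entry: string;
begin
  if not TryParseIPv4(sIP, Addr) then Exit(True);
  for Entry in DenyList do
    if EntryMatches(Entry, Addr) then Exit(True);
  Result := False;
end;
```

Because a malformed list entry raises instead of being skipped, validate the list once at startup so a typo surfaces before the first client connects.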
