NetTalk Central

Author Topic: Limit IP Address that can connect to NT Web Server?  (Read 3285 times)

jking

  • Sr. Member
  • ****
  • Posts: 419
    • View Profile
    • Email
Limit IP Address that can connect to NT Web Server?
« on: May 18, 2021, 09:37:06 AM »
     A client has asked that access to a NT 11.24 Web Server be restricted to just a few specific IP Address.  I believe this is best handled at the router/firewall but I will have very limited access to the physical server.  So, how can I do this in my NT web server app itself?

Thanks,

Jeff King

Richard I

  • Sr. Member
  • ****
  • Posts: 400
    • View Profile
    • Email
Re: Limit IP Address that can connect to NT Web Server?
« Reply #1 on: May 18, 2021, 06:08:22 PM »
I do this on the Login Form-
ValidateUpdate
2Start

IF  p_web.GSV('IPAccessControl') = 1     !perform an IP check
    SET(AbuseIPAddress)
    Access:AbuseIPAddress.usefile
    SET(IPAddress)
    Access:IPAddress.usefile
    IPA:IPNumber =  p_Web.getsessionIP()
    IF access:IPAddress.Tryfetch(IPA:ByIPNumber) = Level:Benign and p_web.GetValue('hash') =
    p_web.GetSessionValue('hash')
    IF p_web.GSV('DisplayStops') = 1 THEN loc:alert = 'Known IP Address'  END   
    ELSE
    IF  p_Web.GSV('AllowNewIP') = 1 !allows the insert of new permitted IP address, otherwise fails
            IPA:IPNumber =  p_Web.getsessionIP()
            Access:IPAddress.TryInsert()
            IF p_web.GSV('DisplayStops') = 1 THEN loc:alert = 'This New  IP Address has been added to the
          database' END   
    END
    IF  p_Web.GSV('AllowNewIP') = 0           
            AIPA:Password = lPassword
            AIPA:IPNumber = IPA:IPNumber
            AIPA:Time = Clock()
            AIPA:Date = today()
            IF Access:AbuseIPAddress.TryInsert() = level:benign
               IF p_web.GSV('DisplayStops') = 1 THEN loc:alert = 'lPassword = ' &lPassword &  'IPA:IPNumber = 
            ' & IPA:IPNumber  END
            END
            loc:Alert = 'Login Failed. Wrong Location..'
            CLEAR(lPassword)   
            loc:invalid = 'lPassword'
            p_web.SetValue('retry','LoginForm')
            loc:Alert = 'Login Failed. Wrong Location..'
            lpassword = ''           
            CLEAR(lPassword)
            p_web.SetValue('lPassword','')
            display()
            loc:Alert = 'Login Failed. Wrong Location..'
            EXIT
        END
    END
END

May not be the best or the most elegant, but it works for me
Cheers
Richard
« Last Edit: May 18, 2021, 09:15:22 PM by Richard I »

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Limit IP Address that can connect to NT Web Server?
« Reply #2 on: May 18, 2021, 09:23:04 PM »
>>      A client has asked that access to a NT 11.24 Web Server be restricted to just a few specific IP Address.  I believe this is best handled at the router/firewall but I will have very limited access to the physical server.  So, how can I do this in my NT web server app itself?

It largely depends on what you mean by "a few". Bearing in mind that you need to do this test for every single incoming request, and hence there is a performance penalty to be paid by valid users for each and every single request.

For maximum performance the list should be as small as possible - and I recommend using a queue (ie in memory). Going to disk would be slow. You could load the queue from JSON and then edit the JSON file directly in notepad if you wanted to add more items. (A reload button on the server window would reload it on demand after editing.)

The best place to do the check is in the webServer procedure, so the queue can be local to that procedure, and hence threadsafe.
Put this code in the .Process method, before the parent call.

  if self.packet.PacketType = NET:SimpleNewConnection
     if self.packet.FromIP not in approved list then
        self.closeServerConnection(self.packet.OnSocket,self.packet.SockID)
        return
     end
  end

I'll leave you do define the queue, populate it, and do the appropriate code to test the list against self.packet.fromIP

Cheers
Bruce