Uploaded image for project: 'Axis2-C'
  1. Axis2-C
  2. AXIS2C-1484

Allow servers to bind to custom address only instead of INADDR_ANY

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.6.0
    • None
    • core/receivers

    Description

      Hi all!

      I have implemented this without major problems but have a few questions
      first:
      Process:

      • I'd open a jira entry in axis2c, describe the initial use case + the
        solution, attach the patches
      • now, which area is most appropriate? I looked at the existing ones
        and thought about "core.receivers" as it applies to http, tcp, ...?
      • I guess, the Axis2c dev mailing list is more appropriate ... ?

      Design + Implementation:

      • we have to extend axutil_network_handler_create_server_socket()
        which is being called (what I have found)

      axis2_http_server_start()
      axis2_http_svr_thread_create()
      axutil_network_handler_create_server_socket()

      (same for TCP and in addition there is one more reference
      in ./tools/tcpmon/src/session.c)

      • Now, normally I'd follow the goal to keep exposed APIs unchanged if
        possible - the APIs we'd need to change in any case are
      • axutil_network_handler_create_server_socket()
      • axis2_http_svr_thread_create()
        Question: Are these exposed and/or used by API programmers?
      • Second, how to configure the listen address?
        Ideally, I'd like to do it the same was as the server port:
      • by API, e.g. axis2_http_server_create() and/or
      • by axis2.xml
      • The axis2.xml-way is not a problem, but regarding the API-way I
        have another question:
      • we must not to change the existing axis2_http_server_create*()
        interfaces
      • therefore the only way would be to add 2 more calls, e.g.
        axis2_http_server_create_with_addr(env, repo, addr, port)
        which makes then 4 on them -> not very nice
      • Alternatively, what I have done now, is to add a function
        axis2_http_server_set_addr(transpRecv, addr, env)
        which, if not called, retains the current behavior. If called
        right after axis2_http_server_create() and before
        axis2_transport_receiver_start(), it does the trick
      • Now, which one do you believe is better?

      Example:

      server = axis2_http_server_create(env, repo, port);
      axis2_http_server_set_addr(server, "127.0.0.1", env);
      axis2_transport_receiver_start(server, env);

      Patch files are attached for a first review
      I have done it for HTTP only in a first attempt, but TCP would be
      exactly the same.

      Finally, in network_handler.c are a few other functions which I saw also
      bind to hard-coded INADDR_ANY - however I did not check, where they are
      called from ...

      Rgds,
      tge

      PS: Yes, the use case is that I want to have the chance to restrict
      access to my SOAP server to local clients only (in a configurable way).
      A user of my app may want this ...

      On Mon, 2010-06-14 at 15:18 +0530, Damitha Kumarage wrote:
      > Thomas Gentsch wrote:
      > > Hi Damitha,
      > >
      > > many thx for your fast reply! Also, when re-reading my posting, it
      > > sounded a bit like a complaint - this was not my intention, sorry for
      > > that!
      > >
      > > Technically, yes, this would be for security reasons, to protect a
      > > server from remote access entirely.
      > >
      > This means you have a use case where you use the server internally
      > entirely?
      > > The advantages I see
      > > - very simple config + implementation (extending
      > > axutil_network_handler_create_server_socket should be no major problem,
      > > however I did not look at the calling code yet ...
      > > - all config is in my own hands whereas setting up a firewall I have to
      > > ask other people (-> also a risk of breaking something)
      > >
      > > If I can formulate a wish, I'd prefer a way to set this programmatically
      > > similar to the port in axis2_http_server_create_*() but probably
      > > axis2.xml would be a nice place too (like "port").
      > >
      > I think it is better to pass a server start parameter like -i (run
      > server internally) to do that.
      > > If you feel, this would help, I'm happy to contribute.
      > >
      > Please send a patch.
      > Thanks,
      > Damitha
      > > Many thx + best regards,
      > > tge
      > >
      > > On Mon, 2010-06-14 at 09:24 +0530, Damitha Kumarage wrote:
      > >
      > >> Thomas Gentsch wrote:
      > >>
      > >>> Hello there,
      > >>>
      > >>> I was trying to find out whether there is any way to set up a SOAP
      > >>> server to listen only at 127.0.0.1 instead of * but could not find any
      > >>> to do this.
      > >>> Even worse, looking at the source in
      > >>> axutil_network_handler_create_server_socket() which appears to be the
      > >>> place, where this would happen, it seems as is this is not possible at
      > >>> all.
      > >>>
      > >>>
      > >> The simple reason you need your server only listen to 127.0.0.1 must be
      > >> security.
      > >> But you can configure firewall to prevent access to port on all IPs
      > >> other than 127.0.0.1.
      > >> If this option is necessary we can implement it in
      > >> axutil_network_handler_create_server_socket()
      > >> as you suggested.
      > >>
      > >> Thanks,
      > >> Damitha
      > >>
      > >>> Am I missing something? If this is really the case, are there any plans
      > >>> to add this?
      > >>>
      > >>> Many thx + regards,
      > >>> tge

      Attachments

        1. patches.tar.gz
          3 kB
          Thomas Gentsch

        Activity

          People

            Unassigned Unassigned
            tge Thomas Gentsch
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated: