| author | jade <software@lfcode.ca> | 2025-06-03 14:22:30 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-06-03 15:22:30 -0600 |
| commit | 44b5de156886995fdcf881cbc1208505ad0e8b0e (patch) | |
| tree | a9134d5c4ae3d3871259ee82eef3f03b22c1e872 /Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs | |
| parent | 08b2ffeaabdd2cf716e6c8fe2da744718ba9c0ea (diff) | |
Fix missing logging of connections by disallowed IPs (#14011)
Diffstat (limited to 'Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs')
| -rw-r--r-- | Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs b/Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs
index 842a69dd9..a0ed6c812 100644
--- a/Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs
+++ b/Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs
@@ -1,8 +1,10 @@
 using System.Net;
 using System.Threading.Tasks;
+using System.Web;
 using MediaBrowser.Common.Extensions;
 using MediaBrowser.Common.Net;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
 namespace Jellyfin.Api.Middleware;
@@ -12,14 +14,17 @@ namespace Jellyfin.Api.Middleware;
 public class IPBasedAccessValidationMiddleware
 {
 private readonly RequestDelegate _next;
+ private readonly ILogger<IPBasedAccessValidationMiddleware> _logger;
 /// <summary>
 /// Initializes a new instance of the <see cref="IPBasedAccessValidationMiddleware"/> class.
 /// </summary>
 /// <param name="next">The next delegate in the pipeline.</param>
- public IPBasedAccessValidationMiddleware(RequestDelegate next)
+ /// <param name="logger">The logger to log to.</param>
+ public IPBasedAccessValidationMiddleware(RequestDelegate next, ILogger<IPBasedAccessValidationMiddleware> logger)
 {
 _next = next;
+ _logger = logger;
 }
 /// <summary>
@@ -32,16 +37,23 @@ public class IPBasedAccessValidationMiddleware
 {
 if (httpContext.IsLocal())
 {
- // Running locally.
+ // Accessing from the same machine as the server.
 await _next(httpContext).ConfigureAwait(false);
 return;
 }
- var remoteIP = httpContext.Connection.RemoteIpAddress ?? IPAddress.Loopback;
+ var remoteIP = httpContext.GetNormalizedRemoteIP();
- if (!networkManager.HasRemoteAccess(remoteIP))
+ var result = networkManager.ShouldAllowServerAccess(remoteIP);
+ if (result != RemoteAccessPolicyResult.Allow)
 {
 // No access from network, respond with 503 instead of 200.
+ _logger.LogWarning(
+ "Blocking request to {Path} by {RemoteIP} due to IP filtering rule, reason: {Reason}",
+ // url-encode to block log injection
+ HttpUtility.UrlEncode(httpContext.Request.Path),
+ remoteIP,
+ result);
 httpContext.Response.StatusCode = StatusCodes.Status503ServiceUnavailable;
 return;
 }
 |
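Review bot: The `{Path}` argument of the new `_logger.LogWarning` call is over-encoded: `HttpUtility.UrlEncode` also escapes `/`, so a blocked request to a path such as `/web/index.html` (constructed example) is logged as `%2fweb%2findex.html`, and anything the `PathString`-to-string conversion has already percent-escaped is, as far as I can tell, encoded a second time. That makes blocked-request entries harder to search and to correlate with reverse-proxy or firewall logs during an investigation. `httpContext.Request.Path.ToUriComponent(),` should still escape CR/LF and other control characters while keeping the path readable, and would make the added `using System.Web;` unnecessary. Separately, every rejected request writes a Warning with no throttling, so a blocked host controls the log volume; consider rate-limiting per `remoteIP`, or at least a comment such as `// NOTE: one warning per blocked request; rely on log rotation or add throttling`. The enclosing method starts and ends outside this hunk, so the handling after the 503 branch is not visible here.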
