Diffstat (limited to 'Jellyfin.Api')
| -rw-r--r-- | Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs | 20 | ||||
| -rw-r--r-- | Jellyfin.Api/Middleware/LanFilteringMiddleware.cs | 51 |
2 files changed, 16 insertions, 55 deletions
diff --git a/Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs b/Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs
index 842a69dd9..a0ed6c812 100644
--- a/Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs
+++ b/Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs
@@ -1,8 +1,10 @@
 using System.Net;
 using System.Threading.Tasks;
+using System.Web;
 using MediaBrowser.Common.Extensions;
 using MediaBrowser.Common.Net;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
 namespace Jellyfin.Api.Middleware;
@@ -12,14 +14,17 @@ namespace Jellyfin.Api.Middleware;
 public class IPBasedAccessValidationMiddleware
 {
 private readonly RequestDelegate _next;
+ private readonly ILogger<IPBasedAccessValidationMiddleware> _logger;
 /// <summary>
 /// Initializes a new instance of the <see cref="IPBasedAccessValidationMiddleware"/> class.
 /// </summary>
 /// <param name="next">The next delegate in the pipeline.</param>
- public IPBasedAccessValidationMiddleware(RequestDelegate next)
+ /// <param name="logger">The logger to log to.</param>
+ public IPBasedAccessValidationMiddleware(RequestDelegate next, ILogger<IPBasedAccessValidationMiddleware> logger)
 {
 _next = next;
+ _logger = logger;
 }
 /// <summary>
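Review bot: The `using System.Web;` added in the first hunk appears to exist only for the `HttpUtility.UrlEncode` call that the later Invoke hunk introduces, while `System.Net`, already imported here, provides `WebUtility.UrlEncode`, which also percent-encodes CR and LF. The same commit removes `IPAddress.Loopback`, the only use of `System.Net` visible in these hunks, so that directive may now be unused unless code outside the hunks still needs it. Calling `WebUtility.UrlEncode(httpContext.Request.Path)` instead would settle both points without a new import.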
@@ -32,16 +37,23 @@ public class IPBasedAccessValidationMiddleware
 {
 if (httpContext.IsLocal())
 {
- // Running locally.
+ // Accessing from the same machine as the server.
 await _next(httpContext).ConfigureAwait(false);
 return;
 }
- var remoteIP = httpContext.Connection.RemoteIpAddress ?? IPAddress.Loopback;
+ var remoteIP = httpContext.GetNormalizedRemoteIP();
- if (!networkManager.HasRemoteAccess(remoteIP))
+ var result = networkManager.ShouldAllowServerAccess(remoteIP);
+ if (result != RemoteAccessPolicyResult.Allow)
 {
 // No access from network, respond with 503 instead of 200.
+ _logger.LogWarning(
+ "Blocking request to {Path} by {RemoteIP} due to IP filtering rule, reason: {Reason}",
+ // url-encode to block log injection
+ HttpUtility.UrlEncode(httpContext.Request.Path),
+ remoteIP,
+ result);
 httpContext.Response.StatusCode = StatusCodes.Status503ServiceUnavailable;
 return;
 }
diff --git a/Jellyfin.Api/Middleware/LanFilteringMiddleware.cs b/Jellyfin.Api/Middleware/LanFilteringMiddleware.cs
deleted file mode 100644
index 35b0a1dd0..000000000
--- a/Jellyfin.Api/Middleware/LanFilteringMiddleware.cs
+++ /dev/null
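Review bot: In the Invoke hunk of IpBasedAccessValidationMiddleware.cs, the new `_logger.LogWarning(...)` runs once for every rejected request, and rejected requests are exactly the ones an unauthenticated remote client can produce at will, so an exposed server can have its warning log flooded and real events buried. Consider throttling per remote address (log the first block, then a periodic count) or moving the per-request line to `LogDebug`, and capping the logged path length, since URL-encoding can expand it severalfold. Comparing against `RemoteAccessPolicyResult.Allow` rather than enumerating the deny values is a sound fail-closed choice and worth a short comment so a later edit keeps it. `GetNormalizedRemoteIP()` is defined outside this diff; if it keeps the old `?? IPAddress.Loopback` fallback, a connection with no remote address is still evaluated as loopback, which should be confirmed as intended. Invoke begins before this hunk and continues past it.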
@@ -1,51 +0,0 @@
-using System.Net;
-using System.Threading.Tasks;
-using MediaBrowser.Common.Extensions;
-using MediaBrowser.Common.Net;
-using MediaBrowser.Controller.Configuration;
-using Microsoft.AspNetCore.Http;
-
-namespace Jellyfin.Api.Middleware;
-
-/// <summary>
-/// Validates the LAN host IP based on application configuration.
-/// </summary>
-public class LanFilteringMiddleware
-{
- private readonly RequestDelegate _next;
-
- /// <summary>
- /// Initializes a new instance of the <see cref="LanFilteringMiddleware"/> class.
- /// </summary>
- /// <param name="next">The next delegate in the pipeline.</param>
- public LanFilteringMiddleware(RequestDelegate next)
- {
- _next = next;
- }
-
- /// <summary>
- /// Executes the middleware action.
- /// </summary>
- /// <param name="httpContext">The current HTTP context.</param>
- /// <param name="networkManager">The network manager.</param>
- /// <param name="serverConfigurationManager">The server configuration manager.</param>
- /// <returns>The async task.</returns>
- public async Task Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
- {
- if (serverConfigurationManager.GetNetworkConfiguration().EnableRemoteAccess)
- {
- await _next(httpContext).ConfigureAwait(false);
- return;
- }
-
- var host = httpContext.GetNormalizedRemoteIP();
- if (!networkManager.IsInLocalNetwork(host))
- {
- // No access from network, respond with 503 instead of 200.
- httpContext.Response.StatusCode = StatusCodes.Status503ServiceUnavailable;
- return;
- }
-
- await _next(httpContext).ConfigureAwait(false);
- }
-} |
