
Disabling specific protocols for WCF services

Posted : Tuesday, 31 December 2013 22:14:00

I’m currently working for a client who hosts a large number of online integration solutions. For the most part these are .NET IIS applications exposing both intranet and internet endpoints. One such application hosts an intranet-only WCF service and an internet-available SignalR hub. To tighten security we needed to lock down access to the WCF service to only those machines within the corporate network, so using the netTcp binding was the obvious choice. The problem we needed to solve was how to remove HTTP support from the WCF service but retain it for clients accessing the SignalR hub.

I love WCF and make no secret about it. Not everyone shares my opinion, I know, but the fact that a service can be developed with ease using any appropriate developer environment, and all subsequent deployment-time tweaks performed with zero code change, is fantastic. Okay, there is a bewildering array of configuration options, but that's the case in any service-oriented architecture, so for me it's a no-brainer to keep all that noise out of the code. By the way, for anyone wanting to learn WCF I would recommend these two titles: Learning WCF: A Hands-on Guide and Programming WCF Services: Mastering WCF and the Azure AppFabric Service Bus. I have them both and have read both numerous times!

Given the degree of flexibility that WCF offers, I was fairly sure what we wanted to do was achievable, but no amount of Googling, Binging or even old-school book reading gave me the answer. The obvious choice would have been to simply remove the HTTP binding from the IIS application node, but doing so would have meant the hub would become unavailable. After a bit of fiddling around I managed to discover how to do what we needed. It was as simple as adding the following to the web.config file of the host application:

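<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <!-- Do not publish service metadata (WSDL) over HTTP or HTTPS -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
        <!-- Do not return exception details to callers in faults -->
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <!-- Remove the HTTP and HTTPS protocol mappings for WCF services in this application -->
  <protocolMapping>
    <remove scheme="https"/>
    <remove scheme="http"/>
  </protocolMapping>
</system.serviceModel>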

The key section is <protocolMapping>. By default any service hosted in an IIS application will support all protocols; adding this configuration step removes support for HTTP and HTTPS while maintaining support for all other protocols. We have this running in production now, where not only is the application more secure but we are getting around 30% performance gain in WCF call times. Okay, so it took a while to find, and the obvious way of doing this would be to remove the binding in IIS, but in this case that wasn’t an option. WCF still came through for us. You gotta love WCF, right?
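A deployment-time check for the settings above, as an added example that is not part of the original post: it parses a web.config and reports whether the http/https protocol mappings are still in effect, whether metadata or fault detail is switched on, and (going slightly beyond the post) whether a service declares an explicit HTTP endpoint, which <protocolMapping> does not cover. The function name, the sample service name and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def audit_wcf_config(xml_text):
    """Return findings for a web.config; an empty list means every check passed."""
    sm = next(ET.fromstring(xml_text).iter("system.serviceModel"), None)
    if sm is None:
        return ["no <system.serviceModel> section"]
    findings, removed = [], set()
    # Entries apply in document order, so a later <add> undoes an earlier <remove>.
    pm = sm.find("protocolMapping")
    for el in (pm if pm is not None else []):
        scheme = el.get("scheme", "").lower()
        if el.tag == "remove":
            removed.add(scheme)
        elif el.tag == "add":
            removed.discard(scheme)
    findings += [f"protocolMapping still maps {s}" for s in ("http", "https") if s not in removed]
    # Metadata publishing and fault detail should stay off, as in the post's behavior.
    for tag, attrs in (("serviceMetadata", ("httpGetEnabled", "httpsGetEnabled")),
                       ("serviceDebug", ("includeExceptionDetailInFaults",))):
        for el in sm.iter(tag):
            for attr in attrs:
                if el.get(attr, "false").lower() == "true":
                    findings.append(f"{tag} {attr} is true")
    # protocolMapping only governs default endpoints; an explicitly declared endpoint
    # with an HTTP binding is still created. Name match is a heuristic (misses customBinding).
    for svc in sm.iter("service"):
        for ep in svc.findall("endpoint"):
            if "http" in ep.get("binding", "").lower():
                findings.append(f"explicit HTTP endpoint: {svc.get('name')} ({ep.get('binding')})")
    return findings

# Constructed sample: the post's settings, wrapped in a <configuration> root.
HARDENED = """<configuration><system.serviceModel>
  <behaviors><serviceBehaviors><behavior>
    <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
    <serviceDebug includeExceptionDetailInFaults="false" />
  </behavior></serviceBehaviors></behaviors>
  <protocolMapping><remove scheme="https"/><remove scheme="http"/></protocolMapping>
</system.serviceModel></configuration>"""
# Constructed sample: http re-added after the remove, plus an explicit HTTP endpoint.
WEAK = """<configuration><system.serviceModel>
  <services><service name="Example.OrderService">
    <endpoint address="" binding="basicHttpBinding" contract="Example.IOrderService" /></service></services>
  <protocolMapping><remove scheme="http"/><remove scheme="https"/><add scheme="http" binding="basicHttpBinding"/></protocolMapping>
</system.serviceModel></configuration>"""

if __name__ == "__main__":
    print(audit_wcf_config(HARDENED) or "OK", audit_wcf_config(WEAK))
```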
