[Libwebsockets] Filtering on client IP

Andy Green andy at warmcat.com
Thu Feb 23 08:04:43 CET 2017

On February 23, 2017 3:41:52 PM GMT+09:00, Thomas Spitz <thomas.spitz at hestia-france.com> wrote:
>Hello Andy, hello everyone,
>I want to filter access to my application according to the IP source of
>My application uses both WSS and HTTP "protocol" therefore I would like
>filter access before lws switches to either WSS or HTTP "protocol".

I dunno if it matters but really he is always starting from http.  He may switch to ws or stay in http.

>Thus I tried to filter access in callback_http_dummy -> case
> using ws_get_peer_simple(wsi,
>sizeof(buf)) but at that stage I get:
> lwsts[3404]: getpeername: Transport endpoint is not connected
>whereas the same function gives the correct client IP when run in my
>WSS or
>HTTP "protocol" callback...

This callback happens even before the incoming connection has been accepted... or hooked up to the wsi (since it's not accepted).

The accept fd is passed as *in

			if ((wsi->vhost->protocols[0].callback)(wsi,
					NULL, (void *)(long)accept_fd, 0)) {

You can try calling getpeername() on that; you should get a better result.

This callback gives you a super early chance to defeat any shenanigans, even before accepting the connection.

If you can wait a little longer there's another callback LWS_CALLBACK_SERVER_NEW_CLIENT_INSTANTIATED just after the accept and attaching the socket to the wsi.  So that one should act as you were imagining.

>I'm also surprised that case LWS_CALLBACK_FILTER_NETWORK_CONNECTION is
>never triggered in my WSS or HTTP "protocol" callbacks.

Mm at that point there has been no negotiation, so there is no ws subprotocol.  Imagine you handled two or ten ws protocols in the server... which would get the callback at that point?  The upgrade request from the client mentioning which he wants to talk has not been received yet.

So in these cases a default protocol handler gets this kind of callback, usually protocols[0].


>Thanks again for this great library!
>Best regards,
>Hestia France S.A.S
>2014-01-02 15:14 GMT+01:00 Thomas Spitz
><thomas.spitz at hestia-france.com>:
>> Dear all,
>> Is there someone who tried to filter client connection using their IP
>> (using white and/or black list approach).
>> In test-server.c I have uncommented the following line
>>> libwebsockets_get_peer_addresses(context, wsi, (int)(long)in,
>>> client_name, sizeof(client_name), client_ip, sizeof(client_ip));
>>> fprintf(stderr, "Received network connect from %s (%s)\n",
>>> client_name, client_ip);
>> But all I get is :
>>>  gethostbyaddr: Connection refused
>>> Received network connect from  ()
>> It seems that this line
>>> host = gethostbyaddr((char *) &sin.sin_addr,
>>> sizeof(sin.sin_addr), AF_INET);
>> always returns NULL..
>> I haven't investigated much yet...
>> BR,
>> Thomas
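
An added example, not code from this thread or from libwebsockets: the check discussed above, calling getpeername() on the accept fd and rejecting anything that cannot be resolved or is not on an allowlist. The allowlist ranges and all function names are assumptions for illustration; native IPv6 peers are rejected in this sketch.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed allowlist in host byte order (assumed ranges, not from the thread). */
struct cidr { uint32_t net; unsigned bits; };
static const struct cidr allow[] = {
	{ 0x7f000000u, 8 },   /* 127.0.0.0/8 */
	{ 0xc0a80100u, 24 },  /* 192.168.1.0/24 */
};

/* Return 1 if addr (host byte order) falls inside any allowlisted range. */
int ipv4_allowed(uint32_t addr)
{
	for (size_t i = 0; i < sizeof(allow) / sizeof(allow[0]); i++) {
		uint32_t mask = allow[i].bits ? ~0u << (32 - allow[i].bits) : 0;
		if ((addr & mask) == (allow[i].net & mask))
			return 1;
	}
	return 0;
}

/* Read the peer's IPv4 address from a connected socket; 0 on success, -1 otherwise. */
int peer_ipv4(int fd, uint32_t *out)
{
	struct sockaddr_storage ss;
	socklen_t len = sizeof(ss);
	if (getpeername(fd, (struct sockaddr *)&ss, &len) < 0)
		return -1;        /* e.g. ENOTCONN when the fd is not the accepted socket */
	if (ss.ss_family == AF_INET) {
		*out = ntohl(((struct sockaddr_in *)&ss)->sin_addr.s_addr);
		return 0;
	}
	struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
	if (ss.ss_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr)) {
		memcpy(out, &s6->sin6_addr.s6_addr[12], 4);  /* ::ffff:a.b.c.d on dual-stack */
		*out = ntohl(*out);
		return 0;
	}
	return -1;            /* unsupported family: caller fails closed */
}

/* Nonzero rejects, matching the nonzero-return convention of the filter callback.
 * In the protocols[0] callback: return filter_accept_fd((int)(long)in); */
int filter_accept_fd(int fd)
{
	uint32_t ip;
	return peer_ipv4(fd, &ip) < 0 || !ipv4_allowed(ip);
}
```

Because a lookup failure is treated the same as a miss on the allowlist, a socket that reports "Transport endpoint is not connected" is rejected rather than let through.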
