Improved Elmah access control

src/Indexer/Program.cs

@@ -32,22 +32,31 @@ builder.Services.AddElmah<XmlFileErrorLog>(Options =>
 });
 
 var app = builder.Build();
-app.Map("/elmah", builder => // Add a middleware before Elmah that authorizes only the development environment
+List<string>? allowedIps = builder.Configuration.GetSection("EmbeddingsearchIndexer:Elmah:AllowedHosts")
+    .Get<List<string>>();
+
+app.Use(async (context, next) =>
 {
-    builder.Use(async (context, next) =>
+    if (context.Request.Path.StartsWithSegments("/elmah"))
     {
-        if (!app.Environment.IsDevelopment()) // TODO add configuration option to allow for elmah (i.e. opt-in)
+
+        var remoteIp = context.Connection.RemoteIpAddress?.ToString();
+        bool blockRequest = allowedIps is null
+            || remoteIp is null
+            || !allowedIps.Contains(remoteIp);
+        if (blockRequest)
         {
             context.Response.StatusCode = 403;
             await context.Response.WriteAsync("Forbidden");
             return;
         }
+    }
 
-        await next();
-    });
-
-    builder.UseElmah();
+    await next();
 });
+
+app.UseElmah();
+
 app.MapHealthChecks("/healthz");
 
 // Configure the HTTP request pipeline.

src/Indexer/appsettings.Docker.json

@@ -17,6 +17,13 @@
     "ApiKeys": ["b54ea868-496e-11f0-9cc7-f79f06b160e5", "bbdeedf0-496e-11f0-9744-97e28c221f67"]
   },
   "EmbeddingsearchIndexer": {
+    "Elmah": {
+      "AllowedHosts": [
+        "127.0.0.1",
+        "::1",
+        "172.17.0.1"
+      ]
+    },
     "Worker":
     [
       {

src/Indexer/appsettings.json

@@ -5,5 +5,13 @@
       "Microsoft.AspNetCore": "Warning"
     }
   },
+  "EmbeddingsearchIndexer": {
+    "Elmah": {
+      "AllowedHosts": [
+        "127.0.0.1",
+        "::1"
+      ]
+    }
+  },
   "AllowedHosts": "*"
 }