Skip to content

gRPC:PipeSecurity for Named Pipes #35691

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
Aug 4, 2025
Merged

gRPC:PipeSecurity for Named Pipes #35691

Changes from 9 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
907ed7c
gRPC:PipeSecurity for Named Pipes
wadepickett Jul 1, 2025
34d6fd7
Update metadata tags
wadepickett Jul 1, 2025
784f6ff
Corrected code fencing.
wadepickett Jul 1, 2025
dd35fc7
Fixed xref
wadepickett Jul 1, 2025
208c9d1
fix xref
wadepickett Jul 1, 2025
d02423e
xref fix again
wadepickett Jul 1, 2025
04fe218
Added info on CreateNamedPipeServerStream
wadepickett Aug 1, 2025
64d964b
Fixed typo Endpoint
wadepickett Aug 1, 2025
9565cdb
Removed xref link that does not exist
wadepickett Aug 1, 2025
5f128de
Update aspnetcore/grpc/interprocess-namedpipes.md
wadepickett Aug 2, 2025
62669f2
Update aspnetcore/grpc/interprocess-namedpipes.md
wadepickett Aug 4, 2025
5995eb2
Apply suggestions from JamesNK code review
wadepickett Aug 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
73 changes: 72 additions & 1 deletion aspnetcore/grpc/interprocess-namedpipes.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,8 @@ author: jamesnk
description: Learn how to use gRPC for inter-process communication with Named pipes.
monikerRange: '>= aspnetcore-8.0'
ms.author: wpickett
ms.date: 01/18/2023
ai-usage: ai-assisted
ms.date: 08/01/2025
uid: grpc/interprocess-namedpipes
---
# Inter-process communication with gRPC and Named pipes
Expand Down Expand Up @@ -47,6 +48,76 @@ The preceding example:
* Calls `ListenNamedPipe` to listen to a named pipe with the specified name.
* Creates a named pipe endpoint that isn't configured to use HTTPS. For information about enabling HTTPS, see [Kestrel HTTPS endpoint configuration](xref:fundamentals/servers/kestrel/endpoints#listenoptionsusehttps).

### Configuring PipeSecurity for Named Pipes

To customize the security of the named pipe, for example, to control which users or groups can connect, use the [`NamedPipeTransportOptions`](xref:Microsoft.AspNetCore.Server.Kestrel.Transport.NamedPipes.NamedPipeTransportOptions) class. This allows a custom [`PipeSecurity`](xref:System.IO.Pipes.PipeSecurity) object to be specified.

Example:

```csharp
using Microsoft.AspNetCore.Server.Kestrel.Transport.NamedPipes;
using System.IO.Pipes;
using System.Security.AccessControl;

var builder = WebApplication.CreateBuilder(args);
builder.WebHost.ConfigureKestrel(serverOptions =>
{
serverOptions.ListenNamedPipe("MyPipeName", listenOptions =>
{
listenOptions.Protocols = HttpProtocols.Http2;

// Configure PipeSecurity
listenOptions.UseNamedPipes(options =>
{
var pipeSecurity = new PipeSecurity();
// Grant read/write access to the Users group
pipeSecurity.AddAccessRule(new PipeAccessRule(
"Users",
PipeAccessRights.ReadWrite,
AccessControlType.Allow));
// Add additional rules as needed

options.PipeSecurity = pipeSecurity;
});
});
});
```

The preceding example:

* Uses `UseNamedPipes` to access and configure <xref:Microsoft.AspNetCore.Server.Kestrel.Transport.NamedPipes.NamedPipeTransportOptions>.
* Sets the <xref:System.IO.Pipes.PipeSecurity> property to control which users or groups can connect to the named pipe.
* Grants read/write access to the `Users` group. Additional security rules can be added as needed for the scenario.

### Customize Kestrel named pipe endpoints
Kestrel's named pipe support enables advanced customization, allowing you to configure different security settings for each endpoint using the `CreateNamedPipeServerStream` option. This approach is ideal for scenarios where multiple named pipe endpoints require unique access controls. The ability to customize pipes per endpoint is available starting with .NET 9.

An example of where this is useful is a Kestrel app that requires two pipe endpoints with different access security. The `CreateNamedPipeServerStream` option can be used to create pipes with custom security settings, depending on the pipe name.

```csharp

var builder = WebApplication.CreateBuilder();

builder.WebHost.ConfigureKestrel(options =>
{
options.ListenNamedPipe("pipe1");
options.ListenNamedPipe("pipe2");
});

builder.WebHost.UseNamedPipes(options =>
{
options.CreateNamedPipeServerStream = (context) =>
{
var pipeSecurity = CreatePipeSecurity(context.NamedPipeEndpoint.PipeName);

return NamedPipeServerStreamAcl.Create(context.NamedPipeEndpoint.PipeName, PipeDirection.InOut,
NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Byte,
context.PipeOptions, inBufferSize: 0, outBufferSize: 0, pipeSecurity);
};
});

```
Copy link
Member

@JamesNK JamesNK Aug 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove empty lines at beginning and end of code block


## Client configuration

`GrpcChannel` supports making gRPC calls over custom transports. When a channel is created, it can be configured with a <xref:System.Net.Http.SocketsHttpHandler> that has a custom <xref:System.Net.Http.SocketsHttpHandler.ConnectCallback>. The callback allows the client to make connections over custom transports and then send HTTP requests over that transport.
Expand Down