IIS | Block page specific url except for specific internal IP address
Question
I am trying to block a url page specific ( http://www.testdomain.com/login ) for all IP addresses EXCEPT for an internal admin IP address. I have no issue blocking the pattern login but I want to test locally to make sure that the internal admin IP is excluded from the blocking rule for /login url. See what I have so far...
<rewrite>
<rules>
<rule name="RequestBlockingRule1" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
<match url="*login*" negate="false" />
<conditions logicalGrouping="MatchAny" trackAllCaptures="true">
<add input="{HTTP_X_Forwarded_For}" pattern="92.102.130.65" />
</conditions>
<action type="None" />
</rule>
<rule name="RequestBlockingRule2" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions>
<add input="{URL}" pattern="*login*" />
</conditions>
<action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
</rule>
What I also want is to duplicate same rule but for a query string of http://www.testdomain.com/home.aspx ?ctl=login
<rule name="RequestBlockingRule3" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
<match url="*ctl=login*" negate="false" />
<conditions logicalGrouping="MatchAny" trackAllCaptures="true">
<add input="{HTTP_X_Forwarded_For}" pattern="93.107.170.85" />
</conditions>
<action type="None" />
</rule>
<rule name="RequestBlockingRule4" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions>
<add input="{QUERY_STRING}" pattern="*ctl=login*" />
</conditions>
<action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
</rule>
</rules>
</rewrite>
What I've done is tried to exclude internal IP for specific pattern and then followed with the actual blocking rule. Does anyone know either a) a better alternative or b) see what I may or may not be doing wrong (ideally I'd like to test these rules out locally before I use them on actual server using real IP address). Thanks
1 answers
solution1
5 ACCPTED 2017-06-21 19:59:00
I want to suggest to use a bit different way:
- Use rewrite maps for your whitelisted IPs list
- Use only two rules, and do not use
<action type="None" />
Config code is:
<rewrite>
<rules>
<rule name="Block login page" stopProcessing="true">
<match url="^login$" />
<conditions>
<add input="{Authorised Admin IPs:{REMOTE_ADDR}}" pattern="1" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="Block query string" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{Authorised Admin IPs:{REMOTE_ADDR}}" pattern="1" negate="true" />
<add input="{QUERY_STRING}" pattern="ctl=login" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
</rules>
<rewriteMaps>
<!-- This is your list of white-listed IP's-->
<rewriteMap name="Authorised Admin IPs">
<add key="92.102.130.65" value="1" />
<add key="93.107.170.85" value="1" />
<!-- local IPs-->
<add key="127.0.0.1" value="1" />
<add key="localhost" value="1" />
<add key="::1" value="1" />
</rewriteMap>
</rewriteMaps>
</rewrite>
This rule is blocking all requests to this URLs for all users, which has non white-listed IPs
- http://www.testdomain.com/login
- Any url, which has
ctl=loginin query string
In my config above, i am using {REMOTE_ADDR} . But you might need to use {HTTP_X_Forwarded_For} . It depends on you network infrastructure (if you have proxies or load balancers)
You can test this rules locally by adding/removing your local IP form rewrite map
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.