IIS: whitelist only website with ipSecurity

Question

I'd like to make my website accessible only by a few IP addresses. I've added the <ipSecurity> tag but it seems to get ignored.

This is my current config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <remove name="PHP" />
            <add name="PHP" path="*.php" verb="*" modules="CgiModule" scriptProcessor="C:\PHP\5.4.0\php-cgi.exe" resourceType="File" requireAccess="Script" />
        </handlers>
        <defaultDocument>
            <files>
                <remove value="index.htm" />
                <remove value="index.html" />
                <remove value="index.asp" />
                <add value="index.html" />
                <add value="index.php" />
                <add value="index.asp" />
            </files>
        </defaultDocument>
        <httpErrors errorMode="Detailed" />
    </system.webServer>

    <location path="Default Web Site">
        <system.webServer>
            <security>
                <ipSecurity allowUnlisted="false">
                    <add ipAddress="79.1.2.3" /> 
                </ipSecurity>
            </security>
        </system.webServer>
    </location>    
</configuration>

But the site is accessible by everywhere.

If I add the <security> block inside <system.webServer> then no IP can see the site, not even the one listed, by getting 403.

What's wrong?

Answer 1

Try to add below code in your site web.config file:

<system.webServer>
<security>
    <ipSecurity allowUnlisted="true">
        <add ipAddress="ip" allowed="true" /> <!--allow-->
        <add ipAddress="ip" allowed="false" /> <!--deny-->
    </ipSecurity>
</security>

deny:

allow:

Regards, Jalpa