.net web.config how to use <rewrite> <rules> with request headers as input?

Question

We have some logic in the web.config which requires ip whitelisting to access our websites.

We want to allow load testing without having to whitelist IP, as the load test will come from dynamic IPs. In the load test tool we can set a request header, such as

  loadtester: true

In the rewrite rules are "input" variables, which, from looking at examples, include:

1. REMOTE_ADDR
2. HTTP_X_Forwarded_For
3. HTTP_HOST
4. REQUEST_FILENAME
5. SERVER_PORT
6. URL
7. REQUEST_URI

But I cant find one for reqeuest headers. Are these documented anywhere?

Any idea how I would parse the headers and check the one i am looking for? We would like to allow traffic with a specific header, even if the IP is not whitelisted.

example extract from web.config:

    <rule name="Whitelist sites" stopProcessing="true">
      <match url=".*" />
      <conditions>
        <add input="{REMOTE_ADDR}" pattern="82\.7\.151\.45" negate="true"/>
        <add input="{HTTP_X_Forwarded_For}" pattern="82\.7\.151\.45" negate="true"/>
      </conditions>
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="The requested site is not accessible" />
    </rule>
  </rules>
</rewrite>
</system.webServer>

Update: I found this resource: https://www.w3schools.com/ASP/coll_servervariables.asp

In it there is a variable called "HTTP_<HeaderName>" I'll try!

Answer 1

You can access the headers by prefixing their name with HEADER_

Untested, but this should work: <add input="{HEADER_LOADTESTER}" pattern="true" negate="true"/>

(personally i would go with a random string for the header/value if your using this approach to protect a publicly accessible service)