I have an Episerver website running on Azure and, for security reasons, i would like to block access to any requests to the cms admin section using a white list of ip addresses.
I have done this in the past with websites running on windows server but i have never done this on an Azure hosted site. I have tried the approach i took on previous sites, adding a security section to the web.config for the location i am trying to restrict eg:
<location path="cms/admin">
<system.webServer>
</ipSecurity>
<add allowed="true" ipAddress="{my ip address}" subnetMask="255.255.255.255" />
...
</security>
</system.webServer>
</location>
this works locally but it is not working when i deploy the web.config to Azure. it is preventing any users, including those in the whitelist from accessing the location.
I have also looked into making the changes in portal.azure using aplication->networking->Access-restrictions but this looks like it is intended to control access to the whole app, which is not what i want.
Does anybody know if i am doing this incorrectly, specifically for an Azure website? Is there a setting in access-restrictions that i have missed?
thanks
Sam
You can use iis url rewrite rule to block request to restrict ip for the specific path:
<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
<match url="cms/admin" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="192.168.2.*" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
</rule>
If you want to allow some ip than you can add another condition with does not match the pattern.
For more detail you can refer below article:
Creating Rewrite Rules
Request Blocking - rule
This recently worked for me.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Block unauthorized access to admin" stopProcessing="true">
<match url=".*" />
<conditions>
<!-- Enter your staging site host name here as the pattern-->
<add input="{REQUEST_URI}" pattern="^/admin" />
<!-- Enter your white listed IP addresses -->
<add input="{REMOTE_ADDR}" pattern="127\.0\.0\.1" negate="true" />
<add input="{REMOTE_ADDR}" pattern="127\.0\.0\.2" negate="true" />
<!-- <add input="{REMOTE_ADDR}" pattern="123\.123\.123\.2" negate="true"/> -->
</conditions>
<action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="Site is not accessible" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
We solved this using url rewrite module, as others have suggested. We also realised that the ip address being passed in was not the true request origin IP address because of the cloudflare CDN. luckily the origin ip address is included in the rerouted request from Cloudflare so we were able to make this work using the url rewrite rule below. I have added this as the correct answer to the question because Jalpa's answer technically won't work in my specific context:
<rewrite>
<rules>
<rule name="restrict admin access by IP address" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_URI}" pattern="^/admin/login(.*)" />
<!-- localhost -->
<add input="{HTTP_True_Client_IP}" pattern="^127\.0\.0\.1$" negate="true"/>
<!-- my office -->
<add input="{HTTP_True_Client_IP}" pattern="^{your ip address here}$" negate="true"/>
</conditions>
<action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="The resource you are looking for has been removed, had its name changed, or is temporarily unavailable." />
</rule>
</rules>
</rewrite>
Related
I have question about Azure redirection.
I have searched other topics but not quite my problem(s).
I have ASP.NET Core 2.2 project and Azure configured for that. Also i have domain for pointing to Azure.
I have added www.example.com format domain to azure and that works fine also with https.
Problem rises with example.com format
I wanted to redirect example.com format to www.example.com URL
I manage to get this work with this, but for little while.
I use this web.config for redirection
web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<rewrite>
<rules>
<rule name="CanonicalHostNameRule" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^example.com$" />
</conditions>
<action type="Redirect" url="https://www.example.com/{R:0}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Something strange is Google Chrome & Opera redirect(s) to www domain but not Edge and Firefox.
Then when i clear cache(s) then it wont redirect.
Seems like Azure like rewrites some over or something.
Thanks for help!!
In addition to the web.config file changes, ensure the Azure Website instance contains the correct domain bindings within the Hostname bindings area.
<rule name="Redirect to www">
<match url=".*" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_HOST}" pattern="^example.com$" negate="true" />
</conditions>
<action type="Redirect" url="http://www.example.com/{R:0}" redirectType="Permanent"/>
</rule>
I have a really harsh time trying to get Symfony 3 app work on IIS as website subdirectory.
Structure on IIS :
Application is called pfc and its poiting to directory pfc/web, (IIS is hiding root, because folder name is same as app)
This is web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<defaultDocument>
<files>
<add value="app_dev.php" />
</files>
</defaultDocument>
<rewrite>
<rules>
<clear />
<rule name="StaticFiles" stopProcessing="true">
<match url="^(.*)$" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{REQUEST_FILENAME}" matchType="IsFile"/>
</conditions>
<action type="Rewrite" url="{R:0}" logRewrittenUrl="true" />
</rule>
<rule name="Symfony 3" enabled="true" stopProcessing="true">
<match url=".?" ignoreCase="false" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<action type="Rewrite" url="./app_dev.php" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Entering dev.erp.loc/Test2/pfc ends up with:
like Symfony thinks of itself as a root application, which is not.
My best shoot was to use router.request_context.base_url, but it looks like it worked only in S2.
Now im stuck on something i can call half-way solution
By comment rewrite section in web.config i was correctly redirected to Identity Server, but after log in i get :
In order to fix it, i needed to uncomment rewrite section, to make routing work again, but it works only for browser, leaving it in this state will cause "no route found" in anther browser.
It would be nice to fix subdirectory routing in parameters.yml, which I fill anyway in deploy script, but if there is no other way I can edit web.config too.
Recently I needed to take care of similar issue and as side effect I solved this "problem". My URL without trailing slash is correct. The issue was that Chrome couldn't create canonical url form and made request to endpoint that Symfony don't need to interpret
ASP .Net website. Visual Studio 2013. Windows Server 2012 R2 + updates
I am attempting to redirect SOME pages as https i.e. login and payment pages AND pages under those directories. So far in IIS i have
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
<add input="{HTTP_HOST}" pattern="^.example\.com$" />
<add input="{HttpsRedirects:{REQUEST_URI}}" pattern="(.+)" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{C:1}" appendQueryString="false" redirectType="SeeOther" />
</rule>
</rules>
<rewriteMaps>
<rewriteMap name="HttpsRedirects">
<add key="/user/login/" value="/user/login/" />
<add key="/user/payment/" value="/user/payment/" />
</rewriteMap>
</rewriteMaps>
</rewrite>
</system.webServer>
I have changed pattern="^www.example.com$" to pattern="^.example.com$" as the site's main domain name is example.com (without www).
The problem i have is it doesnt seem to add https to all pages below these directories i.e. all pages under the login and payment directories?
IF I manually add https then it also applies it to image files (im seeing images not looking correct).
How could i amend the above code to exclude images (file extension or directories) and ensure when the user reaches these pages they are using https?
I am trying to configure the silex framework and just get an example application working. I am using an IIS server version 7.5 to do so. On the following website it gives me a sample web.config file I should be using. The file is as follows:
<?xml version="1.0"?>
<configuration>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="index.php" />
</files>
</defaultDocument>
<rewrite>
<rules>
<rule name="Silex Front Controller" stopProcessing="true">
<match url="^(.*)$" ignoreCase="false" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
</conditions>
<action type="Rewrite" url="index.php" appendQueryString="true" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
The problem is when trying to navigate to the website I just get the error:
The requested page cannot be accessed because the related
configuration data for the page is invalid.
So essentially IIS says the file is incorrect but I don't have much experience with these files so I don't know if there is a problem. Maybe the file is outdated and the newer doesn't work with newer versions of IIS. There is nothing in the server logs. Anyone come across this problem before?
Turns out I just needed to install the rewrite module for IIS at the following link:
http://www.iis.net/learn/extensions/url-rewrite-module/using-the-url-rewrite-module
Using IIS7, how do I direct internal private network IP's addresses to my web site while I direct external IP addresses to a "site under maintenance" page?
So far on IIS7 I've found the section in IIS named "IPv4 Address and Domain Restrictions" and I can add the 3 internal ranges to that as an allow range. That seems easy. Now how do I direct all other traffic to a static page such as app_offline.html that I have created. (I'm not actually going to use app_offline.html because that will obviously take the app offline for internal addresses as well.)
You can use URL Rewrite (http://www.iis.net/download/URLRewrite) for that.
Then you can drop a web.config with the contents like:
<configuration>
...
<system.webServer>
<rewrite>
<rules>
<rule name="External IP" stopProcessing="true">
<match url="site-under-construction\.htm" negate="true" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="192\.168\.\d+\.\d+" ignoreCase="false" negate="true" />
<add input="{REMOTE_ADDR}" pattern="::1" ignoreCase="false" negate="true" />
<add input="{REMOTE_ADDR}" pattern="127\.0\.0\.1" ignoreCase="false" negate="true" />
</conditions>
<action type="Redirect" url="/site-under-construction.htm" redirectType="Found" />
</rule>
</rules>
</rewrite>
</system.webServer>
...
</configuration>
What it basically does is to only apply this rule if the content is not already the "site-under-construction" page (to prevent infinite redirects), and only apply this if the IP-address is not coming from 192.168.XXX.XXX (and is not localhost).
Otherwise it will let them come through to whatever page they requested.
Note that this should not be use as a security mechanism since Remote Addr could be spoofed, but sounds like for your scenario it should be fine.