We have a web service which is denys access to all except a single IP address. This is configured like so
<location path="ASMX/Service.asmx">
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<clear />
<add ipAddress="[Our IP address]" allowed="true" />
</ipSecurity>
</security>
</system.webServer>
We recently installed a Web Application Firewall, so now all traffic now comes from a single source. The firewall however collects the origin IP and puts it into a request header called 'X-Origin-IP'.
Is it possible to use the web.config to read this new header and only allow where certain value exists, or is it better to drop into the code and perform the analysis there?
Related
Context
Umbraco CMS website runs on Azure as App Service
Scheduled Publishing
One of the Umbraco functionalities is to allow to publish content on a given time. The publish functionality makes a HTTP call to same web site (or a different server but same website in load balanced environment).
API call url:
http://sample-site-umbraco.azurewebsites.net/umbraco/RestServices/ScheduledPublish/Index
IP Security
Due to client requirements, access to the site is restricted to a given list of IP addresses. This task is being completed with IP Security restriction in web.config.
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="52428800" />
</requestFiltering>
<ipSecurity allowUnlisted="false" denyAction="NotFound">
<!-- "clear" removes all upstream restrictions -->
<clear />
<!-- permit the loopback address -->
<add ipAddress="127.0.0.1" allowed="true" />
...
...
...
<!-- domain Name for Scheduled Publishing -->
<add allowed="true" domainName="sample-site-umbraco.azurewebsites.net"/>
</ipSecurity>
</security>
Problem
When IP Security is turned on, the HTTP call to publish API is being blocked as not white listed one.
API call response Status Code and Content:
404 - NotFound
"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."
Problem Thread on our.umbraco.com
Fix attempts
Adding domainName to the list of allowed entries
<!-- domain Name for Scheduled Publishing -->
<add allowed="true" domainName="sample-site-umbraco.azurewebsites.net"/>
This solution doesn't work. Calls are still being blocked.
Question
How this can be fixed? Is there any functionality that can be override?
Ok, I've found the solution. I think it will work.
I've found this question on stackoverflow and it worked :)
Solution
Solution is to add ALL outbound IP addresses into System.WebServer > Security > ipSecurity > [List].
Outbound Ip Addresses are comma separated list of ips.
You need to add all of them to the WhiteList in web.config.
Drawback
I'm not sure if the list of Outbound Ips is static and will not change in the future...
I have a service written using servicestack v3.9. I am trying to return a large result set and am getting an 500 internal server error on my client. If I look at the details of the error I see the results are listed in the exception but are truncated after 65536 characters. I know this is a default limit imposed by .net. What I don't know is how to increase it for service stack.
My client isn't connecting to the service using a binding in the web config since it's using service stack. For web api calls this seems like where you would fix this issue be increasing maxReceivedMessageSize in the binding. I am guessing there is some way to increase this limit for service stack too??
ServiceStack doesn't impose any limits or quota's itself, so any limits your Services hit are IIS/ASP.NET's which can be increased the same as any other ASP.NET Web Application.
The Web.Config example configuration below shows how to increase the request limit to 1GB in both IIS6 and IIS7:
<configuration>
<system.web>
<httpRuntime maxRequestLength="1048576" />
</system.web>
</configuration>
For IIS7 and above, you also need to add the lines below:
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1073741824" />
</requestFiltering>
</security>
</system.webServer>
I am currently IP restricting several asp.net websites using rewrite rules in my web.config that match our office IP range.
<system.webServer>
<rewrite>
<rules>
<rule name="Block IP" stopProcessing="true">
<match url="^403.html$" negate="true"/>
<conditions>
<add input="{HTTP_X_CLUSTER_CLIENT_IP}"
pattern="{MY OFFICE IP RANGE}"
negate="true"/>
</conditions>
<action type="Redirect" url="403.html" redirectType="SeeOther"/>
</rule>
</rules>
</rewrite>
The sites also require a username and password in order to view anything. But I'd like to have a second layer of protection like an ip block that prevents malicious activity. Since I often have people outside of our office that need to access the site, I can't always keep the IP block in place. What are some alternate ways of restricting access to asp.net websites that will work in a standard shared hosting environment? (something like VPN isn't an option since my webhost doesn't provide anything like that).
Edit: It has been brought to my attention that you can also configure the ip filtering using the native features of IIS rather than rewrite rules. Here is an example:
<security>
<ipSecurity allowUnlisted="true"> <!-- this line allows everybody, except those listed below -->
<clear/> <!-- removes all upstream restrictions -->
<add ipAddress="83.116.19.53"/> <!-- blocks the specific IP of 83.116.19.53 -->
<add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/> <!--blocks network 83.116.119.0 to 83.116.119.255-->
<add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/> <!--blocks network 83.116.0.0 to 83.116.255.255-->
<add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/> <!--blocks entire /8 network of 83.0.0.0 to 83.255.255.255-->
</ipSecurity>
</security>
Edit: To clarify what I'm asking for - I'm looking for OTHER ways to restrict access to a site. My ip filtering works fine. However it isn't ideal since my users sometimes access from ip addresses not on the list.
You can restrict/grant access to the IIS website or server in the IIS 7.5 MMC. In IIS-> Authorization Rules you can granullarly add/deny access to the server by user account or group(s).
I'm trying to create a web.config file for security on an intranet.
I want it to have the following rules:
If someone browses to the site on a specific IP range, they get
straight in.
If someone doesn't fall into that IP range, they are presented with
a log in box that authenticates against an LDAP query.
I have gone down the route so far of the following method for IP access and it works fine.
<security>
<ipSecurity allowUnlisted="false">
<add ipAddress="x.x.x.0" subnetMask="255.255.255.0" allowed="true"/>
</ipSecurity>
</security>
<modules runAllManagedModulesForAllRequests="true"/>
How could I then combine this with LDAP authentication (if that's even possible)? Or should I take a different approach? My only concern so far is that the ipsecurity method is too specific and you are either allowed in or you're not with no room for another form of authentication.
Any tips would be much appreciated!
Thanks in advance,
Tom
I want to access some things in local and session storage located on the same domain, but using a different protocol. The data is cached on HTTP and needs to be retrieved under HTTPS.
How can I configure ASP.Net to allow this without hard-coding the web site name in my web.config? This is what I have now
<add name="Access-Control-Allow-Origin" value="https://my-web-site" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
Do you also need Access-Control-All-Methods?
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE" />
I suggest you follow the methods suggest here:
http://brockallen.com/2012/06/28/cors-support-in-webapi-mvc-and-iis-with-thinktecture-identitymodel/