Direct different IP's to different pages on IIS7 - iis-7

Using IIS7, how do I direct internal private network IP addresses to my web site while I direct external IP addresses to a "site under maintenance" page?
So far on IIS7 I've found the section in IIS named "IPv4 Address and Domain Restrictions" and I can add the 3 internal ranges to that as an allow range. That seems easy. Now how do I direct all other traffic to a static page such as app_offline.html that I have created? (I'm not actually going to use app_offline.html because that will obviously take the app offline for internal addresses as well.)

You can use URL Rewrite (http://www.iis.net/download/URLRewrite) for that.
Then you can drop a web.config with the contents like:
<configuration>
...
<system.webServer>
<rewrite>
<rules>
<rule name="External IP" stopProcessing="true">
<match url="site-under-construction\.htm" negate="true" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="192\.168\.\d+\.\d+" ignoreCase="false" negate="true" />
<add input="{REMOTE_ADDR}" pattern="::1" ignoreCase="false" negate="true" />
<add input="{REMOTE_ADDR}" pattern="127\.0\.0\.1" ignoreCase="false" negate="true" />
</conditions>
<action type="Redirect" url="/site-under-construction.htm" redirectType="Found" />
</rule>
</rules>
</rewrite>
</system.webServer>
...
</configuration>
What it basically does is to only apply this rule if the content is not already the "site-under-construction" page (to prevent infinite redirects), and only apply this if the IP-address is not coming from 192.168.XXX.XXX (and is not localhost).
Otherwise it will let them come through to whatever page they requested.
Note that this should not be used as a security mechanism since Remote Addr could be spoofed, but it sounds like for your scenario it should be fine.

Related

Bypass a rule in web.config file based on incoming IP address

I have been trying solutions for 6 hours to get this right but cannot find anything on either Stack or Microsoft's dev blogs. I am trying to force an HTTPS redirect from all external calls to my website while still going to the HTTP site when the website is accessed via an internal call, in this case by use of the IP address 192.168.8.68 in the URL bar of the browser. This worked perfectly until we installed an SSL certificate yesterday and implemented the following redirect rule:
<rule name="Redirect to HTTPS" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="OFF" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
</rule>
What I would like to know is, how would I bypass this if the incoming IP address has the form 192.168.8.*? Adding specific IPs in regex causes the website to fail to load with a "Too many redirects" error. I have already looked at the following list of questions in an attempt to solve this problem:
https://forums.iis.net/t/1166994.aspx?Rewrite+Redirection+for+only+external+users
IIS 7.5 redirect certain requests to other server using ip address
IIS | Block page specific url except for specific internal IP address
https://docs.secureauth.com/display/KBA/Use+URL+Rewrite+for+IP+Restrictions
Two instances of the same Website on IIS with different web.config (two different databases)
Single Website Directory / Multiple IIS Websites (Multiple web.config files)
You could use this rule to bypass the request from ip 192.168.8.*.
<rule name="Redirect to HTTPS" enabled="true" patternSyntax="ECMAScript" stopProcessing="true">
<match url=".*" />
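<!-- MatchAll: redirect only when the request is plain HTTP and the client is not in 192.168.8.* -->
<conditions logicalGrouping="MatchAll">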
<add input="{HTTPS}" pattern="OFF" />
<add input="{REMOTE_ADDR}" pattern="192\.168\.8\.[0-9]+" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>
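How the two `logicalGrouping` values change the outcome of a two-condition HTTPS redirect rule like the one above, as an added example that is not part of the original answer. It is a simplified model of condition evaluation, not the URL Rewrite module itself; the address pattern is an anchored form of the one in the rule and the sample addresses are constructed.

```javascript
// Added example: a small model of how URL Rewrite combines <conditions>.
// Server-variable values below are constructed for the demonstration.

function conditionMatches(cond, vars) {
  // URL Rewrite patterns are case-insensitive unless ignoreCase="false".
  const hit = new RegExp(cond.pattern, "i").test(vars[cond.input] || "");
  return cond.negate ? !hit : hit;
}

function ruleFires(grouping, conditions, vars) {
  const results = conditions.map((c) => conditionMatches(c, vars));
  return grouping === "MatchAny" ? results.some(Boolean) : results.every(Boolean);
}

// The two conditions of the HTTPS redirect rule.
const CONDITIONS = [
  { input: "HTTPS", pattern: "OFF" },
  { input: "REMOTE_ADDR", pattern: "^192\\.168\\.8\\.[0-9]+$", negate: true },
];

// Follow the redirect the way a browser would: each time the rule fires the
// client retries over HTTPS, and the rule is evaluated again.
function outcome(grouping, remoteAddr, maxHops = 5) {
  let https = "off";
  for (let hop = 0; hop < maxHops; hop++) {
    if (!ruleFires(grouping, CONDITIONS, { HTTPS: https, REMOTE_ADDR: remoteAddr })) {
      return https === "on" ? "served over HTTPS" : "served over HTTP";
    }
    https = "on";
  }
  return "redirect loop";
}

for (const grouping of ["MatchAny", "MatchAll"]) {
  for (const addr of ["192.168.8.68", "203.0.113.7"]) {
    console.log(grouping, addr, "->", outcome(grouping, addr));
  }
}
```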

How to restrict access to section of website running on Azure

I have an Episerver website running on Azure and, for security reasons, I would like to block access to any requests to the CMS admin section using a white list of IP addresses.
I have done this in the past with websites running on Windows Server but I have never done this on an Azure hosted site. I have tried the approach I took on previous sites, adding a security section to the web.config for the location I am trying to restrict, e.g.:
<location path="cms/admin">
<system.webServer>
<security>
<ipSecurity>
<add allowed="true" ipAddress="{my ip address}" subnetMask="255.255.255.255" />
...
</ipSecurity>
</security>
</system.webServer>
</location>
This works locally but it is not working when I deploy the web.config to Azure. It is preventing any users, including those in the whitelist, from accessing the location.
I have also looked into making the changes in portal.azure using application->networking->Access-restrictions but this looks like it is intended to control access to the whole app, which is not what I want.
Does anybody know if I am doing this incorrectly, specifically for an Azure website? Is there a setting in access-restrictions that I have missed?
Thanks
Sam
You can use an IIS URL Rewrite rule to block requests and restrict IPs for the specific path:
<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
<match url="cms/admin" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="192.168.2.*" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
</rule>
If you want to allow some IPs, then you can add another condition that does not match the pattern.
For more detail, you can refer to the articles below:
Creating Rewrite Rules
Request Blocking - rule
This recently worked for me.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Block unauthorized access to admin" stopProcessing="true">
<match url=".*" />
<conditions>
<!-- Enter your staging site host name here as the pattern-->
<add input="{REQUEST_URI}" pattern="^/admin" />
<!-- Enter your white listed IP addresses -->
<add input="{REMOTE_ADDR}" pattern="127\.0\.0\.1" negate="true" />
<add input="{REMOTE_ADDR}" pattern="127\.0\.0\.2" negate="true" />
<!-- <add input="{REMOTE_ADDR}" pattern="123\.123\.123\.2" negate="true"/> -->
</conditions>
<action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="Site is not accessible" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
We solved this using the URL Rewrite module, as others have suggested. We also realised that the IP address being passed in was not the true request origin IP address because of the Cloudflare CDN. Luckily, the origin IP address is included in the rerouted request from Cloudflare, so we were able to make this work using the URL Rewrite rule below. I have added this as the correct answer to the question because Jalpa's answer technically won't work in my specific context:
<rewrite>
<rules>
<rule name="restrict admin access by IP address" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_URI}" pattern="^/admin/login(.*)" />
<!-- localhost -->
<add input="{HTTP_True_Client_IP}" pattern="^127\.0\.0\.1$" negate="true"/>
<!-- my office -->
<add input="{HTTP_True_Client_IP}" pattern="^{your ip address here}$" negate="true"/>
</conditions>
<action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="The resource you are looking for has been removed, had its name changed, or is temporarily unavailable." />
</rule>
</rules>
</rewrite>

URL Rewrite not working on IIS 10.0

I'm using URL Rewrite on IIS 10.0 and have the following rule configured at the server level (applicationHost.config). I've tried it in my web.config to no avail as well.
<rewrite>
<globalRules>
<rule name="redirect">
<match url="/admin" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="10.30.*.*" negate="true" />
</conditions>
<action type="Rewrite" url="/error" />
</rule>
</globalRules>
</rewrite>
Is there anything immediately obviously wrong here? I want any external traffic trying to hit /admin to get redirected to an error page, and only allow a single internal IP block to access it. Pulling my hair out over here.
You may need to install Application Request Routing, which is an extension to IIS and is available here: https://www.iis.net/downloads/microsoft/application-request-routing
There is a problem in the match regexp. It shouldn't start with a slash. The correct pattern is ^admin (^ means start of URL).
<rule name="redirect">
<match url="^admin" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="10.30.*.*" negate="true" />
</conditions>
<action type="Rewrite" url="/error" />
</rule>
And I have a couple of notes:
1) For IP validation it is better to have a regexp like this: 10.30.[0-9]{1,3}.[0-9]{1,3} instead of 10.30.*.*
2) It depends on your load balancer and network infrastructure, but you might need to check the {HTTP_X_Forwarded_For} header instead of {REMOTE_ADDR}, because the client's IP might be in a different header
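What the address patterns in this thread accept when URL Rewrite evaluates them as ECMAScript regular expressions, which match anywhere in the input unless anchored. This is an added example, not code from the posts; the sample addresses are constructed, and the anchored, dot-escaped pattern is an added variant for comparison.

```javascript
// Added example: check candidate {REMOTE_ADDR} patterns against sample addresses.
// SAMPLES are constructed; 203.0.113.0/24 is a documentation range.
const SAMPLES = ["10.30.4.9", "10.30.255.1", "110.30.1.1", "4.10.30.2", "10.31.0.1", "203.0.113.7"];

// True when addr is a valid dotted-quad whose leading octets equal prefix.
function inRange(addr, prefix) {
  const parts = addr.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    return false;
  }
  return prefix.every((octet, i) => Number(parts[i]) === octet);
}

// Addresses the pattern accepts although they are outside the intended range.
function overMatches(pattern, prefix, samples = SAMPLES) {
  const re = new RegExp(pattern);
  return samples.filter((a) => re.test(a) && !inRange(a, prefix));
}

// Addresses inside the intended range that the pattern fails to accept.
function misses(pattern, prefix, samples = SAMPLES) {
  const re = new RegExp(pattern);
  return samples.filter((a) => inRange(a, prefix) && !re.test(a));
}

const PATTERNS = {
  asPosted: "10.30.*.*",                             // from the question
  suggested: "10.30.[0-9]{1,3}.[0-9]{1,3}",          // from note 1
  anchored: "^10\\.30\\.[0-9]{1,3}\\.[0-9]{1,3}$",   // added variant
};

for (const [name, pattern] of Object.entries(PATTERNS)) {
  console.log(name, "over-matches:", overMatches(pattern, [10, 30]),
              "misses:", misses(pattern, [10, 30]));
}
```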

IIS URL Rewriting and MVC

My hosting plan has a limited number of web applications for use, but unlimited subdomains. I plan to take advantage of these subdomains by using IIS rewriting, like the following:
<rule name="Home Rewrite" enabled="true">
<match url="^(.*)$" />
<conditions>
<add input="{HTTP_HOST}" pattern="^home\.mydomain\.com$" />
</conditions>
<action type="Rewrite" url="home/{R:1}" />
</rule>
This works fine for the most part, I can go to http://home.mydomain.com and it'll take me to what is essentially http://www.mydomain.com/home as expected.
I am publishing using Web Deploy, and I believe the host is IIS7.
The problem is that I want to take advantage of @Html.ActionLink, but when viewing the source, this resolves out to include the virtual directory.
So what I end up with is a site that works when I go to the original address:
http://www.mydomain.com/home/application
And a site that loads, but doesn't function correctly, at the redirected address:
http://home.mydomain.com/application
With generated URLs in the page source pointing relative to the original address:
/home/application/Account/Login
This applies to links to other pages/routes, bundles, basically anywhere that ~/ or @Html.ActionLink is used.
How do I get around this? I'm hoping to keep the use of @Html.ActionLink at least, I think I can live without the tildes.
I finally found a solution!
https://support.gearhost.com/entries/23689272-URL-Rewrite-Subdomain
My web.config rewrite rule required an extra line:
<rule name="Home Rewrite" enabled="true">
<match url="^(.*)$" />
<conditions>
<add input="{HTTP_HOST}" pattern="^home\.mydomain\.com$" />
<add input="{PATH_INFO}" pattern="^/home/" negate="true" /> <!-- This one! -->
</conditions>
<action type="Rewrite" url="home/{R:1}" />
</rule>
Now everyone is happy :)
You could write a custom HtmlHelper so instead of using ActionLink you can use MyActionLink and it can generate the url you need.

IIS7 web.config rewrites to restrict access for IP range - can't get it to work?

I'm simply adding to a set of rules on existing rewrite rules for our company website. We have a file that we need to restrict to only our internal IP addresses. The URL is http://oursite.com/internal/index.aspx?u=blahblah and need it restricted to IP ranges 10.1.X.X. I'm adding this and it's not doing anything. Even if I tried to capture all using .* for the pattern, it still ignores it. Is my syntax correct? Thanks.
<rewrite>
<rules>
...
<rule name="Restrict URL" enabled="true" stopProcessing="true">
<match url="internal/index\.aspx" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="^10\.1\.\d+\.\d+$" negate="true" />
</conditions>
<action type="AbortRequest" />
</rule>
</rules>
</rewrite>
I resolved this myself. I ended up using HTTP_X_FORWARDED_FOR as the header, due to our hosting provider.
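The answers on this page that switch from {REMOTE_ADDR} to {HTTP_True_Client_IP} or {HTTP_X_Forwarded_For} rely on that header having been set by the proxy or CDN in front of IIS. An added sketch (not code from any of the posts; the proxy and allow-list addresses are constructed placeholders) of resolving the client address so the header is honoured only when the connection itself comes from a known proxy:

```javascript
// Added example: choose the address an IP allow-list should be evaluated against.
// TRUSTED_PROXIES and ADMIN_ALLOW are constructed placeholder values.
const TRUSTED_PROXIES = ["192.0.2.1"];   // reverse proxy / CDN egress addresses
const ADMIN_ALLOW = ["198.51.100.10"];   // office address allowed into /admin

function effectiveClientIp(remoteAddr, headerValue, trustedProxies = TRUSTED_PROXIES) {
  // A forwarding header is only meaningful when the TCP peer is one of our proxies;
  // for any other peer the connection address itself is used.
  if (!trustedProxies.includes(remoteAddr) || !headerValue) return remoteAddr;

  // X-Forwarded-For can be a comma-separated chain. Walk it from the right and
  // return the first hop that is not one of our own proxies; entries further
  // left were reported by upstream parties and are not verified.
  const hops = headerValue.split(",").map((h) => h.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.includes(hops[i])) return hops[i];
  }
  return remoteAddr;
}

function adminAllowed(remoteAddr, headerValue) {
  return ADMIN_ALLOW.includes(effectiveClientIp(remoteAddr, headerValue));
}

// Constructed requests: [connection address, forwarding header value]
const REQUESTS = [
  ["192.0.2.1", "198.51.100.10"],               // via proxy, office client
  ["203.0.113.7", "198.51.100.10"],             // direct connection carrying the header
  ["192.0.2.1", "198.51.100.10, 203.0.113.7"],  // via proxy, multi-hop chain
];
for (const [addr, header] of REQUESTS) {
  console.log(addr, JSON.stringify(header), "->", adminAllowed(addr, header));
}
```

In IIS terms this corresponds to also restricting which {REMOTE_ADDR} values may reach the site at all (for example with IP restrictions limited to the proxy's addresses) before a rule keys on the forwarded header.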
