IIS | Block page specific url except for specific internal IP address

ぐ巨炮叔叔 提交于 2020-05-11 03:23:30

问题


I am trying to block a url page specific (http://www.testdomain.com/login) for all IP addresses EXCEPT for an internal admin IP address. I have no issue blocking the pattern login but I want to test locally to make sure that the internal admin IP is excluded from the blocking rule for /login url. See what I have so far...

<rewrite>
            <rules>
                <rule name="RequestBlockingRule1" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*login*" negate="false" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="true">
                        <add input="{HTTP_X_Forwarded_For}" pattern="92.102.130.65" />
                    </conditions>
                    <action type="None" />
                </rule>
                <rule name="RequestBlockingRule2" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions>
                        <add input="{URL}" pattern="*login*" />
                    </conditions>
                    <action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
                </rule>

What I also want is to duplicate same rule but for a query string of http://www.testdomain.com/home.aspx?ctl=login

                <rule name="RequestBlockingRule3" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*ctl=login*" negate="false" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="true">
                        <add input="{HTTP_X_Forwarded_For}" pattern="93.107.170.85" />
                    </conditions>
                    <action type="None" />
                </rule>
                <rule name="RequestBlockingRule4" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions>
                        <add input="{QUERY_STRING}" pattern="*ctl=login*" />
                    </conditions>
                    <action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
                </rule>
            </rules>
        </rewrite>

What I've done is tried to exclude internal IP for specific pattern and then followed with the actual blocking rule. Does anyone know either a) a better alternative or b) see what I may or may not be doing wrong (ideally I'd like to test these rules out locally before I use them on actual server using real IP address). Thanks


回答1:


I want to suggest to use a bit different way:

  • Use rewrite maps for your whitelisted IPs list
  • Use only two rules, and do not use <action type="None" />

Config code is:

<rewrite>
   <rules>
         <rule name="Block login page" stopProcessing="true">
            <match url="^login$" />
            <conditions>
              <add input="{Authorised Admin IPs:{REMOTE_ADDR}}" pattern="1" negate="true" />
            </conditions>
            <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
          </rule>
          <rule name="Block query string" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{Authorised Admin IPs:{REMOTE_ADDR}}" pattern="1" negate="true" />
                <add input="{QUERY_STRING}" pattern="ctl=login" />
            </conditions>
            <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
        </rule>
    </rules>
    <rewriteMaps> 
        <!-- This is your list of white-listed IP's-->
        <rewriteMap name="Authorised Admin IPs">
            <add key="92.102.130.65" value="1" />
            <add key="93.107.170.85" value="1" />
            <!-- local IPs-->
            <add key="127.0.0.1" value="1" />
            <add key="localhost" value="1" />
            <add key="::1" value="1" />
        </rewriteMap>         
    </rewriteMaps>
</rewrite>

This rule is blocking all requests to this URLs for all users, which has non white-listed IPs

  • http://www.testdomain.com/login
  • Any url, which has ctl=login in query string

In my config above, i am using {REMOTE_ADDR}. But you might need to use {HTTP_X_Forwarded_For}. It depends on you network infrastructure (if you have proxies or load balancers)

You can test this rules locally by adding/removing your local IP form rewrite map



来源:https://stackoverflow.com/questions/44671155/iis-block-page-specific-url-except-for-specific-internal-ip-address

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!