10

Is there a way in asp.net to limit the access to a web page only from localhost?

zirus
  • What do you want to happen if a non-localhost request is made? – freefaller Aug 09 '12 at 08:37
  • 1
    Yes, I think we understand access is restricted... but exactly **what** should happen? **What** should the user see? Should they be directed somewhere? (If you're replying to an individual, you need to put a `@` followed by their username, otherwise they will not receive a notification) – freefaller Aug 09 '12 at 08:45
  • 1
    @freefaller sure (about @), well one shouldn't even try to access this page, so it can be some 4xx http response. I'm thinking of looking at the HttpRequest.IsLocal property for that matter. – zirus Aug 09 '12 at 08:53
  • 2
    Yes, `HttpRequest.IsLocal` would work for you. But you will want to redirect to a 404 based page (returning a 404 could start affecting the ability for the page to be viewed - although I'm not 100% sure on this one) – freefaller Aug 09 '12 at 08:59

3 Answers

13
```csharp
// Reject any request that does not come from the local computer.
if (!HttpContext.Current.Request.IsLocal)
{
    Response.Status = "403 Forbidden";
    Response.End();
}
```
SilverlightFox
8

If you want to do this for a "web page" then I'd use IsLocal, but if you want a subdirectory solution I'd use Url Rewrite 2. http://www.microsoft.com/web/gallery/install.aspx?appid=urlrewrite2. If you don't have this installed already, go and get it as it's very useful. I believe it will be standard on IIS8.

Then add this to your web.config under <system.webServer/>

```xml
<rewrite>
  <rules>
    <!-- if this rule matches, stop processing any further rules -->
    <rule name="Block Remote Access to Admin" stopProcessing="true" patternSyntax="ECMAScript" enabled="true">
      <!-- specify secure folder matching trailing / or $ == end of string -->
      <match url="projects(/|$)" ignoreCase="true" />
      <conditions logicalGrouping="MatchAll">
        <!-- Allow local host. Patterns are regular expressions, so they are anchored
             and the dots escaped: an unanchored "::1" would also match a remote
             address such as 2001:db8::1 -->
        <add input="{REMOTE_ADDR}" pattern="^localhost$" ignoreCase="true" negate="true" />
        <add input="{REMOTE_ADDR}" pattern="^127\.0\.0\.1$" negate="true" />
        <add input="{REMOTE_ADDR}" pattern="^::1$" negate="true" />
      </conditions>
      <!-- by default, deny all requests. Options here are "AbortRequest" (drop connection), "Redirect" to a 403 page, "CustomResponse", etc. -->
      <action type="CustomResponse" statusCode="403" statusDescription="Forbidden" statusReason="Access to this URL is restricted" />
      <!-- or send the caller to an error page, home page etc
           <action type="Redirect" url="/public/forbidden.htm" redirectType="Temporary" />
      -->
    </rule>
  </rules>
</rewrite>
```
Keyur Potdar
cirrus
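URL Rewrite condition patterns are regular expressions and match anywhere in `{REMOTE_ADDR}` unless they are anchored, so a loopback allow-list is worth checking before it is deployed. The following is an added example, not part of the answer above: it assumes JavaScript's `RegExp` as a stand-in for the module's ECMAScript pattern syntax, and `LOOSE`, `STRICT`, `isBlocked` and `audit` are hypothetical names run against constructed sample addresses.

```javascript
// Added example: JavaScript RegExp stands in for URL Rewrite's ECMAScript patterns (assumption).
// All addresses are constructed samples from documentation ranges, not real hosts.

// Hypothetical allow-lists for a "block unless loopback" rule.
const LOOSE = ["localhost", "127.0.0.1", "::1"];   // unanchored, dots unescaped
const STRICT = ["^127\\.0\\.0\\.1$", "^::1$"];     // anchored, dots escaped

// Mirrors a rule whose conditions are all negate="true" under MatchAll:
// the deny action fires only when NO allow pattern matches REMOTE_ADDR.
function isBlocked(remoteAddr, allowPatterns) {
  return !allowPatterns.some((p) => new RegExp(p, "i").test(remoteAddr));
}

const SAMPLES = [
  { addr: "127.0.0.1", loopback: true },
  { addr: "::1", loopback: true },
  { addr: "203.0.113.7", loopback: false },
  { addr: "2001:db8::1", loopback: false },     // remote, but contains "::1"
  { addr: "2001:db8::1a2b", loopback: false },  // remote, but contains "::1"
  { addr: "2001:db8:0:1::5", loopback: false },
];

// Returns the sample addresses a pattern set decides wrongly:
// a loopback address that is blocked, or a remote address that is let through.
function audit(allowPatterns) {
  return SAMPLES
    .filter((s) => isBlocked(s.addr, allowPatterns) === s.loopback)
    .map((s) => s.addr);
}

console.log("loose  misjudged:", audit(LOOSE));
console.log("strict misjudged:", audit(STRICT));
```
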
0

This could be a solution:

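```csharp
protected void Page_Load(object sender, EventArgs e)
{
    // Authority is the host[:port] part of the URL the client requested.
    string localhost = Request.Url.Authority;
    // Redirect unless the requested host name starts with "localhost".
    if (localhost.IndexOf("localhost") != 0)
        Response.Redirect("default.aspx");
}
```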
enricoariel