22

I've got a page in an ASP.Net app (it's MVC actually, but not important) and I would like to only allow connections to this page from the local machine. I would love to do something like this in Web.config:

<location path="resources">
  <system.web>
    <authorization>
      <allow ips="local"/>
    </authorization>
  </system.web>
</location>  

I know this is possible with a simple check in the page code-behind (or controller), and it's even possible just with IIS configuration, but I would love a Web.config config as this would be the most elegant solution in my opinion. Anyone know if this is possible?

Keyur Potdar
gatapia
  • Are your users on a Windows Domain? If so you could restrict access to only Domain Users. It would look a lot like @lance's answer. – jrummell Feb 25 '10 at 21:52
  • Note: This is not possible, all solutions require writing code (no out of box solution available) – gatapia Feb 28 '10 at 23:51

5 Answers

32

You can ask IIS to restrict access to a resource by IP address from within the Web.config:

<location path="resources">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <!-- allowed defaults to false, so the entry must set it to be let through -->
        <add ipAddress="127.0.0.1" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</location>

More info

EDIT: As Mike pointed out in the comment below, this requires the IP and Domain Restrictions module to be installed. Thanks Mike!

mybrave
Daniel
  • 9
    Thanks for the answer. To start with, this didn't work for me - the setting just seemed to be ignored by IIS. I finally worked out that on Windows 7, the IP and Domain Restrictions module is not installed by default. To get it to work I had to go to `Control Panel > Programs and Features > Turn Windows features on or off > Internet Information Services > World Wide Web Services > Security` and tick `IP Security`. – Mike Chamberlain Sep 21 '12 at 06:08
  • This seems to work great, but do you know how to change the output of the page? I'm getting a 200 status code, and the page reads: "Access from remote not allowed (2)." – Redtopia Sep 04 '15 at 03:52
  • @Redtopia: you can add a 403 error page. In the Web.config you would need: – Daniel Sep 07 '15 at 06:31
  • Thanks... Turns out I am using the BonCode adapter and it was set to prevent remote connections, and it was outputting the error. – Redtopia Sep 07 '15 at 14:02
  • Additional note, if you have a site that requires authentication for all pages and this localhost page doesn't require authentication, you'll need to add this inside the location element... – Ben Gripka Nov 03 '17 at 16:40
  • 1
    When using the code above it didn't allow the specified IP, I had to add an attribute to IP to allow it: – Etienne Feb 04 '19 at 00:18
4

This isn't what you asked for, but you could specify users of the local machine. I can't imagine this is practical unless it's a small number of users you're wanting to authorize.

<location path="resources">
  <system.web>
    <authorization>
      <allow users="LOCALMACHINENAME\UsernameOfTrustedUser"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
lance
  • Hi Lance, This will not help as it's the IIS user that will be running this page periodically and I am currently not 'Impersonation' so all users would be the IIS user. – gatapia Feb 25 '10 at 21:50
  • Did you try this suggestion? It should work. The use of "Impersonation" is not relevant to the authentication example here. – Jennifer Zouak Mar 31 '10 at 20:52
2
  1. Invent a non-DNS alias for the machine, i.e. "PrivateHostName".
  2. Set this value in the local hosts file to point to 127.0.0.1.
  3. Set a (IIS) host header for the web site such that it only responds to requests to address "PrivateHostName".
  4. For all local calls use the private host name.

Remote clients will not be able to resolve the host name.

You could secure it more using a dedicated ip address tied to a virtual network adapter which would not actually respond to external requests.

Jennifer Zouak
  • 6
    Not secure solution. Hacker can add this alias to his local hosts file and get access to the web site. – meir Sep 06 '12 at 09:34
2

I found this to be helpful as well, if you want to specify a range of IP addresses. You can add the following code block to your web.config

<system.webServer>
    <security>
        <ipSecurity allowUnlisted="false">
            <clear/>
            <add ipAddress="95.110.115.0" subnetMask="255.255.255.0"/>  
            <!--blocks range 95.110.115.0 to 95.110.115.255-->    
            <add ipAddress="95.110.0.0" subnetMask="255.255.0.0"/>      
            <!--blocks range 95.110.0.0 to 95.110.255.255-->    
            <add ipAddress="95.0.0.0" subnetMask="255.0.0.0"/>          
            <!--blocks range 95.0.0.0 to 95.255.255.255-->  
        </ipSecurity>
    </security>
</system.webServer>
Robert Bolton
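The `ipSecurity` snippets in the answers above depend on two attribute defaults: `allowUnlisted` defaults to true and `allowed` on an `<add>` entry defaults to false, so a bare `<add>` is a deny entry. The following is an added example, not code from any of the answers: a small Python model of that evaluation for IPv4 `ipAddress`/`subnetMask` entries, useful for checking a config before deploying it. The function names are hypothetical, the sample configs and client addresses are constructed, and "first matching entry decides" is an assumption of this model.

```python
import ipaddress
import xml.etree.ElementTree as ET

def load_rules(config_xml):
    """Return (allow_unlisted, [(network, allowed), ...]) from the first <ipSecurity>."""
    root = ET.fromstring(config_xml)
    sec = root if root.tag == "ipSecurity" else root.find(".//ipSecurity")
    if sec is None:
        raise ValueError("no <ipSecurity> element found")
    # allowUnlisted defaults to true when the attribute is omitted.
    allow_unlisted = sec.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for entry in sec.findall("add"):
        addr = entry.get("ipAddress")
        if addr is None:
            continue  # domainName entries are outside this model
        mask = entry.get("subnetMask", "255.255.255.255")
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        # allowed defaults to false: a bare <add> is a deny entry.
        rules.append((net, entry.get("allowed", "false").lower() == "true"))
    return allow_unlisted, rules

def is_allowed(config_xml, client_ip):
    """True if this model would let client_ip through the given config."""
    allow_unlisted, rules = load_rules(config_xml)
    ip = ipaddress.ip_address(client_ip)
    for net, allowed in rules:  # assumption of this model: first match decides
        if ip in net:
            return allowed
    return allow_unlisted

# Constructed configs: a bare entry, an explicit allow, and an allowed range.
BARE_ADD = """<ipSecurity allowUnlisted="false"><clear/>
  <add ipAddress="127.0.0.1"/></ipSecurity>"""
LOOPBACK_ONLY = """<ipSecurity allowUnlisted="false"><clear/>
  <add ipAddress="127.0.0.1" allowed="true"/></ipSecurity>"""
RANGE_ALLOW = """<ipSecurity allowUnlisted="false"><clear/>
  <add ipAddress="95.110.115.0" subnetMask="255.255.255.0" allowed="true"/></ipSecurity>"""

def report():
    """Verdicts per config for three constructed client addresses."""
    clients = ["127.0.0.1", "95.110.115.200", "203.0.113.7"]
    configs = {"bare": BARE_ADD, "loopback": LOOPBACK_ONLY, "range": RANGE_ALLOW}
    return {name: [is_allowed(xml, c) for c in clients] for name, xml in configs.items()}

if __name__ == "__main__":
    for name, verdicts in report().items():
        print(name, verdicts)
```

With `allowUnlisted="false"`, the bare-entry config rejects every client in the model, including 127.0.0.1, which matches the behaviour reported in the comments on the first answer.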
0

You could create your own configuration section that would be part of your web.config and then use the setting to control the behavior in global.asax Session_Start.

Payton Byrd