12

I have an MVC.NET 4 web server that accepts HTTP POST request with a JSON formatted string as the request data. I would like to add a rule in the IIS level before the request hits the server, to block request by some regex on that JSON string. Is that possible?

Amirhossein Mehrvarzi
  • 18,024
  • 7
  • 45
  • 70
Orr
  • 4,740
  • 3
  • 28
  • 31
  • **to block request by some regex on that JSON string** Please explain what you mean by that... – Dave Alperovich Jul 07 '15 at 16:51
  • @DaveAlperovich The request has a JSON formatted string body. so if that string matches some regex abort the request, in the same way you can match the query url to a regex – Orr Jul 07 '15 at 22:33
  • Are you using OWIN? Or can you use HttpApplication.BeginRequest Event? Can you please elaborate why does it have to be on IIS level? – milanio Jul 08 '15 at 10:13
  • I'm not using OWIN, I want it to be in the IIS level to void more load of the the web server level needing to create another thread for each request. The reason I want to block some request is that they are not relevant to my app anymore, the come in high load and I cannot stop them from the clients side. Thanks for your time – Orr Jul 08 '15 at 12:14
  • Wouldn't it be easier if you block the ip instead? – Rosdi Kasim Jul 10 '15 at 14:10
  • I did some research, it can be done using IIS module. But only native module (written in C) can be deployed in IIS. The managed module needs to be deployed with your asp.net mvc apps I am afraid. – Rosdi Kasim Jul 10 '15 at 15:58

2 Answers2

6

Since you said:

I want it to be in the IIS level to void more load of the the web server level needing to create another thread for each request. The reason I want to block some request is that they are not relevant to my app anymore, the come in high load and I cannot stop them from the clients side

You have 2 choices:

  1. Request Filtering
  2. URL Rewriting

Please study the IIS 7.0 Request Filtering and URL Rewriting article carefully to know the most important things about them. If your selection would be first one with highest priority, The <denyQueryStringSequences> would be useful where it covers some filtering requirements. And for working with regex, you need to use the second one. the following sample rule can stop processing the request under the <rewrite>:

<rule name="Block Bad Request Strings" stopProcessing="true">
     <match url=".*" />
     <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
          <add input="{QUERY_STRING}" pattern="id=([^\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\\/>)|(?:>\") />
     </conditions>
     <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission" />
</rule>

For more information see URL Rewrite Module Configuration Reference

Amirhossein Mehrvarzi
  • 18,024
  • 7
  • 45
  • 70
2

I think creating and adding a custom Http Module can solve your problem. An HTTP module is called on every request in response to the BeginRequest and EndRequest events.

Amirhossein Mehrvarzi
  • 18,024
  • 7
  • 45
  • 70
Vignesh Pandi
  • 349
  • 1
  • 4
  • 15
  • thanks - I'm actually looking for a way to block this on the IIS level, not the web server. Does the BeginRequest event do that? – Orr Jul 14 '15 at 10:22
  • When you say IIS level ..Did you mean implement blocking for just one specific website ? – Vignesh Pandi Jul 14 '15 at 13:15
  • http://www.iis.net/configreference/system.webserver/modules Or use http://www.iis.net/learn/extensions/url-rewrite-module/request-blocking-rule-template – Vignesh Pandi Jul 14 '15 at 13:30