3

I have two servers, one for my MVC application and the other one as storage for large files like images etc., both running on Windows Server 2012 R2.

How can I prevent direct access to the files on the storage server?

Say MVC is on IP1/ and storage is on IP2/.

A link to a file would be like: IP2/MediaFiles/2015/12/image0001.jpg.

I need only GET requests from IP1 to have access to the link above. How?


UPDATE

Server1 on IP1 needs to be free of file sharing, since the media server is on IP2 and we don't need to load files per request into server1's RAM (server1 will crash soon!). Therefore no HttpHandler can be used!

In this question I'm looking for a way to prevent unauthorized users from accessing files on server2 (on IP2) by entering a direct address.

Nima Petrol
  • 1
    Do you mean that IP1 is literally making the request, or that the image is being displayed on a webpage served from IP1? There's a huge difference between those two. In the first case, you can do something like teo suggests below. In the second case, there's absolutely nothing you can do. In order for any client to be able to display the image, they will need access to it. – Chris Pratt Dec 16 '15 at 14:20
  • 1
    @ChrisPratt The story about using MVC is completely tied up with your remarks. Clients use their own `IP`, not **IP1**. And as you mentioned, IP1 just serves pages and has nothing to do with storage. I have updated my question, please have it reviewed. – Nima Petrol Dec 16 '15 at 15:14
  • I'm still not sure I'm following you. If you're creating an anchor link or an img tag in HTML that will point to your file server, then all users who can access the page must also have direct access to the files on your file server. You can't limit it to only viewable in the context of a webpage served by your MVC site. Each request is treated separately. – Chris Pratt Dec 16 '15 at 15:52
  • 1
    @ChrisPratt thanks for your comments, I've worked on the problem and found the solution – Nima Petrol Dec 17 '15 at 11:13

2 Answers

2

Alright, I found the solution!

Working on such problems needs some tricks gathered from different sources based on your needs. I was looking for a way to prevent unauthorized users from accessing files on a file server which is different from your main server (the main server is authorizing users).

First of all, I blocked ALL incoming requests containing the URL pattern of my sensitive files using IIS rules. Then I wrote some lines of code for the file server to handle HTTP requests using the IHttpHandler interface in order to 1) check authorization rules and 2) send exact files to clients without converting them to a byte array. And lastly, I used This Link to prettify links to the file server! That's all folks ;)

Now:

physical link [blocked] : IP2/MediaFiles/2015/12/image0001.jpg

virtual link : IP2/Please/Find/A/File/By/DB/Id/1 ---> image0001.jpg

Nima Petrol
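One way to implement the storage-server handler this answer describes, as an added example that is not the answerer's code. It assumes the MVC server on IP1 appends `exp` (Unix expiry) and `sig` (HMAC-SHA256 over `id|exp` with a shared key) to each link it renders; `MediaFileHandler`, the `MediaLinkKey` setting, the query parameter names and the in-memory id table are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Hypothetical handler for the storage server (IP2); map it to the virtual link path in Web.config.
public class MediaFileHandler : IHttpHandler
{
    // Assumption: base64 key shared with the MVC server, stored in appSettings.
    private static readonly byte[] Key = Convert.FromBase64String(
        System.Configuration.ConfigurationManager.AppSettings["MediaLinkKey"]);
    // Stand-in for the database lookup: id -> path below the blocked MediaFiles folder.
    private static readonly Dictionary<string, string> Files = new Dictionary<string, string>
        { { "1", @"2015\12\image0001.jpg" } };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var q = context.Request.QueryString;
        string id = q["id"], exp = q["exp"], sig = q["sig"];
        long expires; string relPath;
        // Reject missing, forged or expired links before touching the file system.
        if (id == null || sig == null || !long.TryParse(exp, out expires)
            || !SignatureValid(id + "|" + exp, sig)
            || DateTimeOffset.UtcNow.ToUnixTimeSeconds() > expires)
        { context.Response.StatusCode = 403; return; }
        if (!Files.TryGetValue(id, out relPath))
        { context.Response.StatusCode = 404; return; }
        context.Response.ContentType = MimeMapping.GetMimeMapping(relPath);
        // TransmitFile streams from disk instead of loading the file into a byte array.
        context.Response.TransmitFile(
            Path.Combine(context.Server.MapPath("~/MediaFiles"), relPath));
    }

    private static bool SignatureValid(string message, string sigHex)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            string expected = BitConverter.ToString(
                hmac.ComputeHash(Encoding.UTF8.GetBytes(message))).Replace("-", "");
            // Compare every character so timing does not reveal where a mismatch occurs.
            int diff = expected.Length ^ sigHex.Length;
            for (int i = 0; i < expected.Length && i < sigHex.Length; i++)
                diff |= expected[i] ^ char.ToUpperInvariant(sigHex[i]);
            return diff == 0;
        }
    }
}
```

Because the client can only supply an id, never a path, the handler cannot be steered outside the media folder, and the direct `MediaFiles` URL stays blocked by the IIS rule.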
0

All you wanted is in the Web.Config file. You should place it in the root directory of your file storage server if you are using IIS there.

In the `<system.webServer>` node you should place this code:

```xml
<security>
    <ipSecurity allowUnlisted="false">    <!-- this line blocks everybody, except those listed below -->
        <clear/> <!-- removes all upstream restrictions -->
        <add ipAddress="127.0.0.1" allowed="true"/>    <!-- allow requests from the local machine -->
        <add ipAddress="IP1" allowed="true"/>   <!-- allow the specific IP of IP1 -->
    </ipSecurity>
</security>
```

This rule will be applied to all subfolders of the root folder. If you need to block requests only for a specific folder, you should place your Web.Config there.

teo van kot