Reputation: 7400
For an ASP.NET C# application, we will need to restrict access based on IP address. What is the best way to accomplish this?
Upvotes: 20
Views: 35686
Reputation: 300489
One way is using a HttpModule.
From the link (in case it ever goes away):
/// <summary>
/// HTTP module to restrict access by IP address
/// </summary>
public class SecurityHttpModule : IHttpModule
{
public SecurityHttpModule() { }
public void Init(HttpApplication context)
{
context.BeginRequest += new EventHandler(Application_BeginRequest);
}
private void Application_BeginRequest(object source, EventArgs e)
{
HttpContext context = ((HttpApplication)source).Context;
string ipAddress = context.Request.UserHostAddress;
if (!IsValidIpAddress(ipAddress))
{
context.Response.StatusCode = 403; // (Forbidden)
}
}
private bool IsValidIpAddress(string ipAddress)
{
return (ipAddress == "127.0.0.1");
}
public void Dispose() { /* clean up */ }
}
Once the HTTP Module class is built you need to register it in the httpModules section of your web.config file, like this:
<configuration>
<system.web>
<httpModules>
<add name="SecurityHttpModule" type="SecurityHttpModule"/>
</httpModules>
</system.web>
</configuration>
This adds the module to the ASP.NET request pipeline for your web application.
Upvotes: 19
Reputation: 11
In IIS 7 best way to restrict IP is by using the config file.
Full article:
http://boseca.blogspot.com/2010/12/programmatically-addremove-ip-security.html
Upvotes: 8
Reputation: 10827
Here is an article from Microsoft on how to do this.
Setting Folder Security by IP Address or Domain Name
Apache uses the Allow and Deny directives to determine the sites that can access a particular Web site or folder. However, Apache provides discretionary access control; you must either deny all sites and provide a specific list of sites or IP addresses that can access a folder or allow all sites and deny only those sites that you do not want to have access. For example, if you use the following directive, all client computers are denied access unless they are recognized as part of the domain.com domain:
Deny from all
Allow from .domain.com
IIS works the same way. All clients are specifically denied or granted access, except for those that are listed.
Define Access Control for Specific Folder or Site
If you want to limit access for the whole site, select the Web site from the list of different served sites in the left pane.
If you want to limit access only for a specific folder, click the folder you want to control.
NOTE: If you use domain name restrictions, the server has to perform a reverse DNS lookup for each request to check the host's registered domain name. Microsoft recommends that you use an IP address or network range whenever you can.
Upvotes: 9