Reputation: 13
I would like to block (or allow) some IPs on a site in IIS for a specific URL. Actually, I have this rule in my web.config for a URL rewrite:
<rule name="FOO_RULE" stopProcessing="true">
    <match url="foo/(.*)" ignoreCase="false" />
    <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
</rule>
This rule works properly for all caller IPs and this is OK.
Now I need the same rule, but blocking some IPs for a specific path. The problem is that the path starts with "foo/" (for example "foo/rest/API/getName") and IIS will work only for FOO_RULE.
I've tried:
<rules>
    <rule name="FOO_RULE" stopProcessing="true">
        <match url="foo/(.*)" ignoreCase="false" />
        <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
        <conditions>
            <add input="{REQUEST_URI}" pattern="foo/rest/API/getName" negate="true" />
        </conditions>
    </rule>
    <rule name="EXCEPTION_FOO_PATH">
        <match url="foo/rest/API/getName" />
        <conditions>
            <add input="{REMOTE_ADDR}" pattern="111.222.333.444" negate="true" />
        </conditions>
        <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
    </rule>
</rules>
and this is not working (same if I comment out the condition in FOO_RULE).
The concept is to not destroy the original FOO_RULE.
Does anyone have any idea? Thank you in advance!
Upvotes: 1
Views: 1808
Reputation: 101
You can reverse the two rules, delete the condition in "FOO_RULE" and block the request in "EXCEPTION_FOO_PATH" (look at logicalGrouping="MatchAny"):
<rules>
    <rule name="EXCEPTION_FOO_PATH" stopProcessing="true">
        <match url="foo/rest/API/getName" />
        <conditions logicalGrouping="MatchAny">
            <add input="{REMOTE_ADDR}" pattern="111.222.333.444" />
            <add input="{HTTP_X_Forwarded_For}" pattern="111.222.333.444" />
        </conditions>
        <action type="AbortRequest" />
    </rule>
    <rule name="FOO_RULE" stopProcessing="true">
        <match url="foo/(.*)" ignoreCase="false" />
        <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
    </rule>
</rules>
So the first rule applies first.
Upvotes: 1
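The question asks about blocking or allowing; the answer above shows the block case. The following allow-list variant of the same rule order is an added example, not code from either poster. The addresses 203.0.113.10 and 198.51.100.7 are constructed placeholders from the documentation ranges, and the 403 response text is an assumption.

```xml
<rules>
    <!-- Listed before FOO_RULE: with stopProcessing="true" the first
         matching rule ends evaluation, so FOO_RULE never sees a denied request. -->
    <rule name="EXCEPTION_FOO_PATH" stopProcessing="true">
        <!-- Left unanchored and case-insensitive (the default), so it is at
             least as broad as FOO_RULE for this path. A narrower match here
             would let FOO_RULE forward a URL this rule did not inspect. -->
        <match url="foo/rest/API/getName" />
        <conditions>
            <!-- Patterns are regular expressions searched inside the input:
                 escape the dots and anchor with ^ and $. An unanchored
                 "10.0.0.1" would also match 110.0.0.15 and 10.0.0.100.
                 negate="true": the rule fires when the caller is NOT one of
                 the allowed addresses (constructed placeholders). -->
            <add input="{REMOTE_ADDR}"
                 pattern="^(203\.0\.113\.10|198\.51\.100\.7)$"
                 negate="true" />
            <!-- {HTTP_X_Forwarded_For} is deliberately not consulted: the
                 header comes from the client unless a proxy you control
                 overwrites it, so an allow rule cannot rely on it. -->
        </conditions>
        <action type="CustomResponse" statusCode="403"
                statusReason="Forbidden"
                statusDescription="Caller address is not allowed for this path." />
    </rule>
    <!-- Original rule from the question, unchanged. -->
    <rule name="FOO_RULE" stopProcessing="true">
        <match url="foo/(.*)" ignoreCase="false" />
        <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
    </rule>
</rules>
```

For a block list instead, drop negate="true" and keep the anchored, escaped pattern so that only the listed addresses are refused.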
Reputation: 5185
You can try rules similar to the following to achieve your requirement. In the Add Condition dialog, specify {REMOTE_ADDR} as the condition input.
<rule name="block IP" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <add input="{URL}" pattern=" " />
        <add input="{REMOTE_ADDR}" pattern="xxx.xxx.xxx.xxx" />
    </conditions>
    <action type="CustomResponse" statusCode="401" statusReason="permission required" statusDescription="Access is denied due to invalid credentials." />
</rule>
Upvotes: 0