Using web.config to limit access by IP address

Web.config ipSecurity
The web.config file can be used to restrict website access by client IP address. It can restrict access to a single page, a directory and all of its subdirectories, or the entire website. You can block all IP addresses and let in only a few trusted ones, or allow everyone and block specific IP addresses or subnets.

While some web.config sections require that the containing directory is set as an application, this isn't one of them. A simple web.config with an ipSecurity section may be placed in any directory, and the directory does NOT need to be set as an application.

Purpose
IP address restrictions limit access based on the IP address of the client computer. They can protect specific directories or the entire website. IP address restrictions can be applied in two ways:
Allow all, but block specific IPs or networks
Deny all, but allow specific IPs or networks

How it's done
Example IP address restrictions. Comments are enclosed in <!-- --> and are not required.

Allow all, but block specific IPs or networks
<security>
   <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
       <clear/>     <!-- removes all upstream restrictions -->                
       <add ipAddress="83.116.19.53"/>     <!-- blocks the specific IP of 83.116.19.53  -->
       <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>     <!--blocks network 83.116.119.0 to 83.116.119.255-->
       <add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/>     <!--blocks network 83.116.0.0 to 83.116.255.255-->
       <add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/>     <!--blocks entire /8 network of 83.0.0.0 to 83.255.255.255-->
   </ipSecurity>
</security>

Deny all, but allow specific IPs or networks
<security>
    <ipSecurity allowUnlisted="false">    <!-- this line blocks everybody, except those listed below -->
        <clear/> <!-- removes all upstream restrictions -->
        <add ipAddress="127.0.0.1" allowed="true"/>    <!-- allow requests from the local machine -->
        <add ipAddress="83.116.19.53" allowed="true"/>   <!-- allow the specific IP of 83.116.19.53  -->
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>   <!--allow network 83.116.119.0 to 83.116.119.255-->
        <add ipAddress="83.116.0.0" subnetMask="255.255.0.0" allowed="true"/>   <!--allow network 83.116.0.0 to 83.116.255.255-->
        <add ipAddress="83.0.0.0" subnetMask="255.0.0.0" allowed="true"/>   <!--allow entire /8 network of 83.0.0.0 to 83.255.255.255-->
    </ipSecurity>
</security>
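
To check how a rule set like the two above treats a given client address before the file is deployed, the following added example (not part of the original article) parses the ipSecurity section and evaluates one IP against it. It assumes IPv4 entries only and that the first matching `<add>` entry decides the outcome; the function names `load_rules` and `is_allowed` are hypothetical, and the sample config is constructed from the article's own addresses.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the article's "deny all, but allow" rules, trimmed to three entries.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>
        <add ipAddress="83.116.19.53" allowed="true"/>
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>"""


def load_rules(config_xml):
    """Return (allow_unlisted, [(network, allowed), ...]) from web.config text."""
    root = ET.fromstring(config_xml)
    section = root.find("system.webServer/security/ipSecurity")
    if section is None:
        raise ValueError("no <ipSecurity> section found")
    # Schema defaults: allowUnlisted="true", subnetMask="255.255.255.255", allowed="false".
    allow_unlisted = section.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for entry in section.findall("add"):
        if entry.get("ipAddress") is None:
            continue  # entries without an ipAddress are out of scope here
        mask = entry.get("subnetMask", "255.255.255.255")
        # strict=False: host bits set under the mask are tolerated and masked off
        network = ipaddress.ip_network(f"{entry.get('ipAddress')}/{mask}", strict=False)
        rules.append((network, entry.get("allowed", "false").lower() == "true"))
    return allow_unlisted, rules


def is_allowed(client_ip, config_xml):
    """Decide whether client_ip would be admitted by the ipSecurity rules."""
    allow_unlisted, rules = load_rules(config_xml)
    address = ipaddress.ip_address(client_ip)
    for network, allowed in rules:
        if address in network:  # assumption: first matching entry decides
            return allowed
    return allow_unlisted
```

Running the same check against the "allow all, but block" form shows why entries without `allowed="true"` act as blocks: the attribute defaults to false.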

Using IP Address Restrictions

Use a text editor to create a file named web.config
Save the web.config file with the appropriate content
Place the web.config file in the directory that you wish to protect

Detailed web.config content

If there isn't an existing web.config in the directory, your new web.config should look something like this
<?xml version="1.0"?>
<configuration>
   <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
           <clear/> <!-- removes all upstream restrictions -->
           <add ipAddress="83.116.19.53"/>   <!-- block one IP  -->
           <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!--block network 83.116.119.0 to 83.116.119.255-->
        </ipSecurity>
      </security>
      <modules runAllManagedModulesForAllRequests="true"/>
   </system.webServer>
</configuration>

If there is an existing web.config without a <system.webServer> section, your new web.config should look like this
<?xml version="1.0"?>
<configuration>
   <system.web>
     .. existing text ..
     .. existing text ..
   </system.web>
   <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
           <clear/> <!-- removes all upstream restrictions -->
           <add ipAddress="83.116.19.53"/>   <!-- block one IP  -->                
           <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!--block network 83.116.119.0 to 83.116.119.255-->
        </ipSecurity>
      </security>
      <modules runAllManagedModulesForAllRequests="true"/>
   </system.webServer>
</configuration>

If your existing web.config already has a <system.webServer> section, just add the <security><ipSecurity> section
<?xml version="1.0"?>
<configuration>
   <system.web>
     .. existing text ..
     .. existing text ..
   </system.web>
   <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
           <clear/> <!-- removes all upstream restrictions -->
           <add ipAddress="83.116.19.53"/>   <!-- block one IP  -->
           <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!--block network 83.116.119.0 to 83.116.119.255-->
        </ipSecurity>
      </security>
      <modules runAllManagedModulesForAllRequests="true"/>
   </system.webServer>
</configuration>
