Is it possible to configure a location in Web.config to only allow local connections

I've got a page in an ASP.NET app (it's MVC actually, but that's not important) and I would like to only allow connections to this page from the local machine. I would love to do something like this in Web.config:

<location path="resources">
  <system.web>
    <authorization>
      <allow ips="local"/>
    </authorization>
  </system.web>
</location>  

I know this is possible with a simple check in the page code-behind (or controller), and it's even possible just with IIS configuration, but I would love a Web.config config as this would be the most elegant solution in my opinion. Anyone know if this is possible?


Solution 1:

You can ask IIS to restrict access to a resource by IP address from within the Web.config:

<location path="resources">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <!-- allowed defaults to false, so the loopback entry has to opt in explicitly -->
        <add ipAddress="127.0.0.1" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</location>

More info

EDIT: As Mike pointed out in the comment below, this requires the IP and Domain Restrictions module to be installed. Thanks Mike!

Solution 2:

This isn't what you asked for, but you could specify users of the local machine. I can't imagine this is practical unless it's a small number of users you're wanting to authorize.

<location path="resources">
  <system.web>
    <authorization>
      <allow users="LOCALMACHINENAME\UsernameOfTrustedUser"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

Solution 3:

  1. Invent a non-DNS alias for the machine, i.e. "PrivateHostName".
  2. Set this value in the local hosts file to point to 127.0.0.1.
  3. Set an (IIS) host header for the web site such that it only responds to requests to address "PrivateHostName".
  4. For all local calls use the private host name.

Remote clients will not be able to resolve the host name.

You could secure it more using a dedicated IP address tied to a virtual network adapter which would not actually respond to external requests.

Solution 4:

I found this to be helpful as well, if you want to specify a range of IP addresses. You can add the following code block to your web.config:

<system.webServer>
    <security>
        <ipSecurity allowUnlisted="false">
            <clear/>
            <add ipAddress="95.110.115.0" subnetMask="255.255.255.0"/>  
            <!--blocks range 95.110.115.0 to 95.110.115.255-->    
            <add ipAddress="95.110.0.0" subnetMask="255.255.0.0"/>      
            <!--blocks range 95.110.0.0 to 95.110.255.255-->    
            <add ipAddress="95.0.0.0" subnetMask="255.0.0.0"/>          
            <!--blocks range 95.0.0.0 to 95.255.255.255-->  
        </ipSecurity>
    </security>
</system.webServer>
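
An added example, not part of any answer above: a small Python audit of the `<ipSecurity>` sections discussed in Solutions 1 and 4. It relies on the IIS schema defaults (`allowed` is false, `allowUnlisted` is true, `subnetMask` is 255.255.255.255) and assumes IPv4 entries; the function name and both sample configs are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from a real server).
LOOPBACK_ONLY = """<configuration><location path="resources"><system.webServer><security>
  <ipSecurity allowUnlisted="false">
    <clear/>
    <add ipAddress="127.0.0.1" allowed="true"/>
  </ipSecurity>
</security></system.webServer></location></configuration>"""

MISSING_ALLOWED = """<configuration><system.webServer><security>
  <ipSecurity allowUnlisted="false">
    <clear/>
    <add ipAddress="127.0.0.1"/>
    <add ipAddress="192.0.2.0" subnetMask="255.255.255.0"/>
  </ipSecurity>
</security></system.webServer></configuration>"""


def audit_ip_security(web_config_xml):
    """Return one finding dict per <ipSecurity> section in a web.config string."""
    findings = []
    root = ET.fromstring(web_config_xml)
    for section in root.iter("ipSecurity"):
        # allowUnlisted defaults to true when the attribute is omitted.
        allow_unlisted = section.get("allowUnlisted", "true").lower() == "true"
        rules = []
        for entry in section.findall("add"):
            if entry.get("ipAddress") is None:
                continue  # domainName rules are out of scope for this check
            mask = entry.get("subnetMask", "255.255.255.255")
            net = ipaddress.ip_network(f"{entry.get('ipAddress')}/{mask}", strict=False)
            # `allowed` defaults to false: an entry without it is a deny rule.
            action = "allow" if entry.get("allowed", "false").lower() == "true" else "deny"
            rules.append((str(net), action))
        allows = [n for n, a in rules if a == "allow"]
        findings.append({
            "allow_unlisted": allow_unlisted,
            "rules": rules,
            # No allow rule plus allowUnlisted="false" admits no client at all.
            "denies_everyone": not allow_unlisted and not allows,
            "loopback_only": not allow_unlisted and allows == ["127.0.0.1/32"],
        })
    return findings
```

Running it over a deployed web.config before release catches a section that silently locks everyone out, or one that admits more than loopback.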