
I am using GoDaddy's Website Application Firewall (WAF) and Content Delivery Network (CDN), which is similar to Sucuri, with an IIS-hosted website. However, I have run into some trouble ever since the website started using the WAF and CDN. I cannot seem to access some admin links (e.g. domain.com/login) from any IP address. My current IP address was whitelisted on the GoDaddy panel. I also have an IIS IP restriction on that /login directory to allow only my IP address, but that doesn't work anymore.

I tested things by changing my computer's host IP for the domain, so I can access the domain.com/login page from the server's original IP address, but not from the WAF or CDN IPs. However, I do not like this option.

Any ideas on how to make IIS play well with the WAF and CDN, or is this even an IIS issue or some type of DNS or other problem on GoDaddy's end?

Bobi
  • Doesn't seem like it's IIS if avoiding the WAF+CDN works, unless there's something about your IIS config you haven't mentioned. Seems more like it's the WAF rules or CDN. – TristanK May 28 '19 at 22:37

1 Answer


It is the IP Restriction in the IP Address and Domain Restrictions settings for your site that is causing the issue. When using the WAF it is the WAF's IP address that is hitting your web server, and not your IP.

See: https://www.godaddy.com/help/set-up-my-web-application-firewall-waf-and-cdn-26813

You may need to set up another form of access control beyond IP restrictions.

CloudFlare, for example, has Access Policies which can control access based on your real client IP address, or temp tokens sent by email. GoDaddy might have something similar?

WAFs are typically designed to prevent any sort of "dangerous" traffic on a web server, and can prevent the normal operation of admin web sites or control panels, especially if admin users post HTML content via the admin portion of the web site.

For example, CloudFlare's WAF will prevent some CMS editing tools like Umbraco. It's necessary to use Page Rules to turn off the WAF for the Umbraco folder, or manually tweak the WAF rulesets. If WAF is removed, enabling another form of Access Control is advised.

seagulledge
  • I still am running into issues after removing the IP address and Domain Restriction for my IP address only being able to access the login page. – Bobi May 28 '19 at 22:56
  • Is your /login folder set up to require Windows Authentication? That's another thing that doesn't work when using a WAF. – seagulledge May 28 '19 at 23:14
  • Is there a way for me to check that in IIS? – Bobi May 28 '19 at 23:19
  • For your login folder in the IIS settings, check the Authentication setting. Check to see which modes are set. Windows Auth is the one where the user gets a browser popup to enter their Windows server login/password. – seagulledge May 29 '19 at 00:12
  • No, it's not set on that. A user has to log in with their own credentials. It's an Umbraco website. – Bobi May 29 '19 at 02:38
  • Are you able to log into Umbraco, but then many of the CMS tools, like editing content fail to save changes? That's the WAF blocking certain actions like posting HTML content. – seagulledge May 29 '19 at 06:13
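
The answer's point that the origin server sees the WAF's address rather than the admin's can be shown with a small model of the check. This is an added example, not code from the original thread or from GoDaddy or IIS. It assumes the WAF passes the client address in an `X-Forwarded-For` header, and all addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges, not real WAF ranges).
TRUSTED_WAF_NETS = [ipaddress.ip_network("198.51.100.0/24")]
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def naive_allowed(peer_ip):
    """What a plain IP restriction does: compare the TCP peer to the allowlist."""
    return _in_any(ipaddress.ip_address(peer_ip), ADMIN_ALLOWLIST)


def effective_client_ip(peer_ip, xff_header):
    """Return the address to authorize: the forwarded client only when the
    TCP peer is a trusted WAF node, otherwise the peer itself."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_WAF_NETS) or not xff_header:
        return peer  # direct connection: any X-Forwarded-For is untrusted
    # Walk right to left; skip hops that are themselves trusted proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer address
        if not _in_any(addr, TRUSTED_WAF_NETS):
            return addr
    return peer


def proxy_aware_allowed(peer_ip, xff_header=None):
    """Allowlist check applied to the effective client address."""
    return _in_any(effective_client_ip(peer_ip, xff_header), ADMIN_ALLOWLIST)
```

The forwarded header is only as trustworthy as the path it arrived on, so the origin should also accept connections solely from the WAF's published ranges.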