According to these docs, IIS should allow IP address restrictions to be made based on the x-forwarded-for address seen by IIS if it is behind a proxy if enableProxyMode is set to true. I have edited the feature settings to enable proxy mode, and added an "Allow" entry for our proxy's IP address.

My issue is that I am still getting a deny with 403 Forbidden when I attempt to connect. It is worth noting that I am configuring this on only one of the applications of a specific website. IIS version is 8.0.x. I tested after a full IIS reset and after verifying the applicationHost.config:

<location path="mysite.com/myapp">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false" enableProxyMode="true">
        <add ipAddress="my proxy ip..." allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>

Both your IP and your x-forwarded-for IP(s) must be allowed entries for the request to be allowed.

With "Proxy Mode" on, the server first checks that the presented IP (the proxy's IP) is allowed. If so, it then gets the last x-forwarded-for IP and checks if that is allowed, and recurses up the list of x-forwarded-for IPs and checks each for being allowed. All must be allowed, or the request is blocked.

If the proxy IP is not allowed, then the request is blocked, and the x-forwarded-for doesn't get considered at all; you have to trust the source of the request to try and trust what is in the request.

It's explained in longer form (and better terminology) in this Wade Hilmo post on IIS.net.

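To make the decision order in this answer concrete, here is a small Python model of it. This is an added illustration, not code from the answer, from IIS, or from the linked post: it applies the same rule (connecting address first, then every x-forwarded-for hop from the nearest proxy back to the original client, all of which must be allowed) to a constructed allow list. The addresses 10.0.0.5, 10.0.0.6, 203.0.113.0/24 and 198.51.100.9 are made-up sample values, and how IIS itself treats malformed header entries is not something this model claims to reproduce (unparsable entries are simply treated as not allowed here).

```python
"""Model of the IIS <ipSecurity enableProxyMode="true"> decision described in the answer.

Added example, not IIS code: it reproduces the ordering the answer gives
(connecting IP first, then each x-forwarded-for hop, nearest proxy first).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpSecurity:
    # Each entry mirrors one <add ipAddress=... subnetMask=... allowed=... /> element.
    entries: list = field(default_factory=list)
    allow_unlisted: bool = False      # allowUnlisted="false" in the question's config
    enable_proxy_mode: bool = True    # enableProxyMode="true"

    def add(self, cidr: str, allowed: bool = True) -> None:
        """Add an allow/deny entry; a bare address becomes a /32 (or /128)."""
        self.entries.append((ipaddress.ip_network(cidr, strict=False), allowed))

    def is_allowed(self, ip_text: str) -> bool:
        """Look one address up against the entries; unlisted falls back to allowUnlisted."""
        try:
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            # Conservative modelling choice: an unparsable hop is never "allowed".
            return False
        for net, allowed in self.entries:
            if ip.version == net.version and ip in net:
                return allowed
        return self.allow_unlisted

    def decide(self, remote_ip: str, x_forwarded_for: str = None):
        """Return (allowed, reason) for one request.

        remote_ip       -- the address IIS sees the TCP connection from (the proxy)
        x_forwarded_for -- the raw X-Forwarded-For header, client first, nearest proxy last
        """
        # Step 1: the presenting address must be allowed before the header is trusted at all.
        if not self.is_allowed(remote_ip):
            return False, f"connecting address {remote_ip} not allowed; header ignored"
        if not self.enable_proxy_mode or not x_forwarded_for:
            return True, "connecting address allowed"
        # Step 2: walk the hops from the last (nearest proxy) back to the first (client).
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        for hop in reversed(hops):
            if not self.is_allowed(hop):
                return False, f"x-forwarded-for hop {hop} not allowed"
        return True, "connecting address and every x-forwarded-for hop allowed"


def question_scenario():
    """The questioner's config: only the proxy is listed, allowUnlisted is false."""
    cfg = IpSecurity(allow_unlisted=False)
    cfg.add("10.0.0.5")  # constructed proxy address
    before = cfg.decide("10.0.0.5", "203.0.113.7")   # client IP is unlisted -> 403
    cfg.add("203.0.113.0/24")                          # list the clients as well
    after = cfg.decide("10.0.0.5", "203.0.113.7")
    return before, after


if __name__ == "__main__":
    before, after = question_scenario()
    print("only proxy listed:", before)
    print("proxy + clients listed:", after)
```

The first call reproduces the symptom in the question: the proxy is allowed, but the client address carried in X-Forwarded-For is unlisted and allowUnlisted is false, so the request is denied. Listing the client range as well makes the same request pass, and a request whose connecting address is not the proxy is rejected without the header being consulted.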
  • verified... thank you. – Roger Guess Sep 09 '19 at 21:38
  • Huge thank you for this answer and link to the blog post. I've been working on this for two days and couldn't figure the need to add the gateway in - I figured this would allow all traffic. If only this was documented in the MS docs. – Simon Clough Dec 20 '19 at 12:47
  • Good lord, thank you again and again and again and AGAIN!!!!! I've sunk nearly 8 hours into trying to get this to work, NONE of the MS documentation mentions this!!! – Chris Butler Jun 21 '22 at 23:20