3

I want my web application to only be reachable from exact IP ranges.

If the client IP is not in the range, which is saved in Web.config, the application must deny access to the page.

Rick Rainey
RASKOLNIKOV
  • 2
    There is already support to do this built into [IIS](https://support.microsoft.com/en-us/kb/324066). Any reason for re-inventing the wheel here? – Damien_The_Unbeliever May 19 '15 at 13:56
  • In Azure web sites, you cannot make any changes in IIS. It is not a server. It is more similar to shared hosting which is managed from a panel. So I am not re-inventing the wheel. Just shared my solution. – RASKOLNIKOV May 21 '15 at 05:29

2 Answers

2

Azure Web Apps (formerly Azure Websites) has supported this for a while now. It is a function of IIS and Azure Web Apps makes it available by adding the ipSecurity element to your web.config. You do not need to write any code to do this.

Here is the blog describing the feature for Azure Web Apps and a sample of how to add the configuration to your web.config.

http://azure.microsoft.com/blog/2013/12/09/ip-and-domain-restrictions-for-windows-azure-web-sites/

Rick Rainey
  • Please read all comments before sharing a link from 2013. Probably at that time IIS in Azure web sites was 7.5, not 8. I tried the same thing which you shared; in IIS 8 it is not working. That is why I shared this solution; maybe someone is also searching for a working solution. Also, I have never said this is the only solution and the best solution. It is only a solution. – RASKOLNIKOV May 21 '15 at 04:10
  • 1
    @RASKOLNIKOV, I'm aware of the comments and YES this does work. Not sure about your situation but I have personally used this feature multiple times and can say that it does work. Writing code to restrict client IP is not really a good idea because the client has already made it to your app. With IP restrictions in the config file server/IIS 8 takes care of this for you. – Rick Rainey May 21 '15 at 12:28
  • 1
    Tried access restriction based on IP address or domain name as described. Currently it does not work in Azure. Tried to restrict Azure web apps so they can only access each other. – syr Sep 19 '17 at 12:42
0

So how do we add these IP ranges to Web.config:

```xml
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="IP" value="31.171.126.0/255,31.171.127.0/255"/>
  </appSettings>
  <system.web>
    <customErrors mode="Off"/>
    <compilation debug="true"/>
    <authentication mode="None"/>
  </system.web>
</configuration>
```

How the code-behind works:

```csharp
// Code-behind methods of the page class.
// Namespaces needed: System, System.Configuration, System.Globalization.

protected void Page_Load(object sender, EventArgs e)
{
    var allowed = false;

    // Get the IP ranges from Web.config.
    // As you can see in Web.config, different IP ranges are separated by commas.
    var ip = ConfigurationManager.AppSettings["IP"];

    // Get the client IP without any ":port" suffix, and use the same value
    // for the label and for the comparison below.
    var clientIp = GetIpAddress().Split(':')[0].Trim();
    lblIp.Text = clientIp;

    var list = ip.Split(',');

    // Search the IP ranges and see whether the client IP is inside a range
    // that is allowed to open the web app.
    foreach (var item in list)
    {
        // Each entry looks like "a.b.c.0/N": last octets 0..N are allowed.
        var parts = item.Trim().Split('/');
        var octets = parts[0].Split('.');
        var range = Convert.ToInt32(parts[1], CultureInfo.InvariantCulture);

        for (var i = 0; i <= range; i++)
        {
            var submaskip = octets[0] + "." + octets[1] + "." + octets[2] + "." + i;

            if (clientIp == submaskip)
            {
                allowed = true;
            }
        }
    }

    if (allowed == false)
    {
        Response.Redirect("Denied.aspx");
    }
}

// Get the client IP.
// X-Forwarded-For is a request header: it is only reliable when a front-end
// proxy in front of the app sets or overwrites it.
protected string GetIpAddress()
{
    var context = System.Web.HttpContext.Current;
    var ipAddress = context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];

    if (string.IsNullOrEmpty(ipAddress)) return context.Request.ServerVariables["REMOTE_ADDR"];
    var addresses = ipAddress.Split(',');
    return addresses.Length != 0 ? addresses[0] : context.Request.ServerVariables["REMOTE_ADDR"];
}
```
John Saunders
RASKOLNIKOV
  • 2
    Probably better to move this out of the page logic and into one of the functions of the Global Application Class (global.asax) since the logic has nothing to do with a page. – mason May 19 '15 at 13:18
  • 2
    Probably even better to let IIS do this for you. – John Saunders May 19 '15 at 14:23
  • We are talking about Azure web sites. You do not have a chance to do anything in IIS settings. – RASKOLNIKOV May 19 '15 at 18:06
  • 1
    @RASKOLNIKOV I used to think so too - https://blogs.msdn.microsoft.com/benjaminperkins/2016/03/02/how-to-setup-ip-security-restrictions-for-an-azure-app-service/ – Cyrus Downey Jun 07 '18 at 17:15
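
A range check for the allow list discussed in this thread, as an added example that is not code from any of the posters: it parses addresses with `System.Net.IPAddress` and compares prefix bits, so any prefix length works and unparsable input is denied. It assumes the ranges are written in CIDR form (`31.171.126.0/24` rather than the answer's `/255` suffix); the names `IpAllowList`, `InCidr` and `IsAllowed` are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net;

public static class IpAllowList
{
    // True when address lies inside the CIDR block, e.g. "31.171.126.0/24".
    public static bool InCidr(IPAddress address, string cidr)
    {
        var parts = cidr.Trim().Split('/');
        IPAddress network;
        int prefix;
        if (parts.Length != 2 || !IPAddress.TryParse(parts[0], out network) ||
            !int.TryParse(parts[1], out prefix))
            return false; // malformed entry never matches

        if (address.IsIPv4MappedToIPv6) address = address.MapToIPv4();
        if (address.AddressFamily != network.AddressFamily) return false;

        byte[] a = address.GetAddressBytes(), n = network.GetAddressBytes();
        if (prefix < 0 || prefix > n.Length * 8) return false;

        // Compare the whole bytes of the prefix, then the remaining high bits.
        int fullBytes = prefix / 8, restBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++)
            if (a[i] != n[i]) return false;
        if (restBits == 0) return true;
        int mask = (0xFF << (8 - restBits)) & 0xFF;
        return (a[fullBytes] & mask) == (n[fullBytes] & mask);
    }

    // Fail closed: a client address that does not parse is denied.
    public static bool IsAllowed(string clientIp, string cidrList)
    {
        IPAddress address;
        if (!IPAddress.TryParse((clientIp ?? "").Trim(), out address)) return false;
        return (cidrList ?? "").Split(',').Any(c => InCidr(address, c));
    }

    public static void Main()
    {
        // Constructed sample values; the ranges mirror the Web.config entry above.
        const string ranges = "31.171.126.0/24,31.171.127.0/24";
        foreach (var ip in new[] { "31.171.126.17", "31.171.127.200", "31.171.128.1", "not-an-ip" })
            Console.WriteLine("{0} -> {1}", ip, IsAllowed(ip, ranges) ? "allow" : "deny");
    }
}
```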