0

Having an issue with restricting IP security. I have made a web.config file and placed it in the folder I am trying to restrict see below:

<?xml version="1.0" encoding="UTF-8"?>
  <configuration>
   <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false" enableProxyMode="true" denyAction="Forbidden">            
        <clear />           
        <add ipAddress="123.456.789" allowed="true" />
    </ipSecurity>
   </security>
 </system.webServer>
</configuration>

I have also adjusted the applicationHost.config to:

    <section name="ipSecurity" overrideModeDefault="Allow" />

However when browsing to a file in that folder I get a 403. I have restarted IIS and IP address is correct.

What am I missing?

TFFX
  • 190
  • 1
  • 9
  • 1
    What IP address you are seeing in the IIS logs ? Do you see 123.456.789 ? And isince proxymode is enabled what is there in x-forwaded header. – Ravi A. Aug 20 '16 at 09:59
  • Thanks Ravi Log files showed a different IP address (987.654.321) than I get using whatmyip (123.456.789). With the enabledProxyMode="true" it requires both IPs in the config to allow access. I assume this is to do with a proxy address IIS see before my static IP? – TFFX Aug 22 '16 at 08:21
  • Usually that shouldn't be the case.What kind of network you are in ? Usually office networks will have lot of switches across so you won't be able to predict your IP. Another situation is if your request routed through a proxy before reaching IIS. – Ravi A. Aug 22 '16 at 08:39
  • Yes it is an office network. I think as you said the request is been routed through a proxy first. Thanks for you help. – TFFX Aug 22 '16 at 11:10
  • Great! I will post it as answer for others. – Ravi A. Aug 22 '16 at 11:23

1 Answers1

1

Check the client IP (c-ip) in IIS logs and add that to ip - restrictions rules.

Ravi A.
  • 2,163
  • 2
  • 18
  • 26