
I would like to block (or allow) some IPs on my site in IIS for a specific URL. Currently I have this rule in my web.config for a URL rewrite:

<rule name="FOO_RULE" stopProcessing="true">
   <match url="foo/(.*)" ignoreCase="false" />
   <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
</rule>

This rule works properly for all IP callers and this is OK.

Now, I need the same rule but blocking some IPs for a specific path. The problem is that the path starts with "foo/" (example "foo/rest/API/getName") and IIS will only apply FOO_RULE.

I've tried to:

  1. Create a new rule for only that path ("foo/rest/API/getName"), EXCEPTION_FOO_PATH, in the same web.config of my site, with a restriction for some IPs like this:
<rules>
   <rule name="FOO_RULE" stopProcessing="true">
      <match url="foo/(.*)" ignoreCase="false" />
      <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
      <conditions>
         <add input="{REQUEST_URI}" pattern="foo/rest/API/getName" negate="true" />
      </conditions>
   </rule>
   <rule name="EXCEPTION_FOO_PATH">
      <match url="foo/rest/API/getName" />
      <conditions>
         <add input="{REMOTE_ADDR}" pattern="111.222.333.444" negate="true" />
      </conditions>
      <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
   </rule>
</rules>

and this is not working (same if I comment out the condition in FOO_RULE);

  2. Create an application inside the main site in IIS with a rule for "foo/rest/API/getName" (generating a new web.config) and add a restriction for some IPs (from the IIS plugin), but this is still not working;

The point is not to destroy the original FOO_RULE.

Anyone have any idea? Thank you in advance!

Hidak

2 Answers


You can reverse the two rules, delete the condition in "FOO_RULE" and block the request in "EXCEPTION_FOO_PATH" (look at logicalGrouping="MatchAny"):

<rules>
   <rule name="EXCEPTION_FOO_PATH" stopProcessing="true">
      <match url="foo/rest/API/getName" />
      <conditions logicalGrouping="MatchAny">
         <add input="{REMOTE_ADDR}" pattern="111.222.333.444" />
         <add input="{HTTP_X_Forwarded_For}" pattern="111.222.333.444" />
      </conditions>
      <action type="AbortRequest" />
   </rule>
   <rule name="FOO_RULE" stopProcessing="true">
      <match url="foo/(.*)" ignoreCase="false" />
      <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
   </rule>
</rules>

So the first rule applies first:

  • if the url is "foo/rest/API/getName" AND the ip is "111.222.333.444" -> abort the request.
  • In all other cases the second rule "FOO_RULE" applies and the url is rewritten to "http://pippo.it/{R:0}"
ValB
  • Keep in mind that the rule "EXCEPTION_FOO_PATH" will block only the IP written in pattern="111.222.333.444", so you have to be sure to connect from that IP to match the rule. Let's try the edited answer. – ValB Nov 13 '20 at 21:23
  • The problem was the proxy, and the input {HTTP_X_Forwarded_For} works fine. This resolved my problem. Thanks a lot @ValB :) – Hidak Nov 18 '20 at 08:30

You can try rules similar to the following to achieve your requirement; in the Add Condition dialog, specify {REMOTE_ADDR} as the Condition input.

<rule name="block IP" stopProcessing="true">
    <match url="(.*)" />
        <!-- both conditions must hold (logicalGrouping defaults to MatchAll):
             the request path is the protected one AND the caller is the listed IP -->
        <conditions>
           <add input="{URL}" pattern="foo/rest/API/getName" />
           <add input="{REMOTE_ADDR}" pattern="xxx.xxx.xxx.xxx" />
        </conditions>
        <action type="CustomResponse" statusCode="401" statusReason="permission required" statusDescription="Access is denied due to invalid credentials." />
</rule>
samwu
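As an added example that is not part of either answer above, the following Python script models the small subset of IIS URL Rewrite behaviour that ValB's rule order and samwu's condition-based block rely on: a regex `<match url>`, `<conditions>` with the default MatchAll or the explicit MatchAny grouping and `negate`, `stopProcessing`, and the Rewrite, AbortRequest and CustomResponse actions. The rule XML is copied from ValB's answer, with the header variable spelled `{HTTP_X_FORWARDED_FOR}` as the IIS documentation does. The proxy address 10.0.0.5, the client address 203.0.113.9, and the helper names `build_rules`, `evaluate` and `classify` are my own assumptions; real IIS remains the authority, so use this to reason about rule order and patterns, not as a substitute for testing on the server.

```python
"""Toy model of IIS URL Rewrite evaluation for the rule sets in this thread.
Added example, not code from the original page. It reproduces only the subset of
the module's behaviour used here: regex <match url>, MatchAll/MatchAny
<conditions> with negate, stopProcessing, and the Rewrite / AbortRequest /
CustomResponse actions. Use it to reason about rule order; test on real IIS."""
import re
import xml.etree.ElementTree as ET

# Rule set from the accepted answer. @PATTERN@ is swapped in by build_rules()
# so the loose and the anchored IP pattern can be compared side by side.
RULES_TEMPLATE = """
<rules>
   <rule name="EXCEPTION_FOO_PATH" stopProcessing="true">
      <match url="foo/rest/API/getName" />
      <conditions logicalGrouping="MatchAny">
         <add input="{REMOTE_ADDR}" pattern="@PATTERN@" />
         <add input="{HTTP_X_FORWARDED_FOR}" pattern="@PATTERN@" />
      </conditions>
      <action type="AbortRequest" />
   </rule>
   <rule name="FOO_RULE" stopProcessing="true">
      <match url="foo/(.*)" ignoreCase="false" />
      <action type="Rewrite" url="http://pippo.it/{R:0}" />
   </rule>
</rules>
"""

def build_rules(ip_pattern):
    return RULES_TEMPLATE.replace("@PATTERN@", ip_pattern)

# As written in the answer: the dots are regex wildcards and nothing is anchored.
ANSWER_RULES = build_rules("111.222.333.444")
# Escaped and anchored to one entry of a possibly comma-separated X-Forwarded-For list.
HARDENED_RULES = build_rules(r"(^|,\s*)111\.222\.333\.444(\s*,|$)")

def _bool(value, default):
    return default if value is None else value.lower() == "true"

def _expand(template, request, match):
    """{R:n} comes from the <match url> regex; any other {NAME} is a server variable."""
    def sub(m):
        name = m.group(1)
        return match.group(int(name[2:])) if name.startswith("R:") else request.get(name, "")
    return re.sub(r"\{([^}]+)\}", sub, template)

def evaluate(rules_xml, request):
    """request holds 'url' (path without leading slash) plus server variables.
    Returns ('abort', None), ('response', status), ('rewrite', url) or ('pass', url)."""
    request = dict(request)
    request.setdefault("URL", "/" + request["url"])  # IIS {URL} keeps the leading slash
    original = request["url"]
    for rule in ET.fromstring(rules_xml).findall("rule"):
        match = rule.find("match")
        flags = re.IGNORECASE if _bool(match.get("ignoreCase"), True) else 0
        m = re.search(match.get("url"), request["url"], flags)
        if not m:
            continue
        conds = rule.find("conditions")
        if conds is not None:
            hits = []
            for c in conds.findall("add"):
                value = _expand(c.get("input"), request, m)
                hit = re.search(c.get("pattern"), value, re.IGNORECASE) is not None
                hits.append(hit != _bool(c.get("negate"), False))  # negate flips the result
            match_any = conds.get("logicalGrouping", "MatchAll") == "MatchAny"
            if not (any(hits) if match_any else all(hits)):
                continue
        action = rule.find("action")
        kind = action.get("type")
        if kind == "AbortRequest":
            return ("abort", None)
        if kind == "CustomResponse":
            return ("response", int(action.get("statusCode")))
        if kind == "Rewrite":
            request["url"] = _expand(action.get("url"), request, m)
            if _bool(rule.get("stopProcessing"), False):
                break  # later rules are not evaluated against the rewritten URL
    return ("rewrite" if request["url"] != original else "pass", request["url"])

def classify(client_ip, rules=ANSWER_RULES, proxy_ip="10.0.0.5", path="foo/rest/API/getName"):
    """Constructed request arriving via a reverse proxy: REMOTE_ADDR is the proxy,
    the real client address is only in X-Forwarded-For (the asker's situation)."""
    request = {"url": path, "REMOTE_ADDR": proxy_ip, "HTTP_X_FORWARDED_FOR": client_ip}
    return evaluate(rules, request)

if __name__ == "__main__":
    for ip in ("111.222.333.444", "111x222x333x444", "203.0.113.9"):
        print(ip, "loose:", classify(ip), "anchored:", classify(ip, HARDENED_RULES))
```

Two things the model makes visible. First, with the proxy in front, every request reaches IIS with REMOTE_ADDR equal to the proxy, so a rule that only inspects `{REMOTE_ADDR}` never sees the blocked client; that is why the asker needed the `{HTTP_X_FORWARDED_FOR}` condition. Second, `pattern` is a regular expression: an unescaped, unanchored `111.222.333.444` also matches `111x222x333x444` or an address that merely contains those digits, so escape the dots and anchor to a list entry as `HARDENED_RULES` does. Only trust X-Forwarded-For when IIS is reachable solely through your proxy; a client that can connect to IIS directly controls that header itself, and then the `{REMOTE_ADDR}` condition is the one that actually enforces the block.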