block browsers bots and scrapers - with web config requestfiltering and user agent

February 13, 2012 12:07 by author Victor Ratajczyk

User-agent filtering with web.config and requestFiltering
In this article I will show how to use web.config, requestFiltering and filteringRules to block browsers and robots based on the user-agent string. Examples include blocking browsers such as Internet Explorer, Chrome, Firefox and Opera, and blocking search engine robots such as yandexbot, baiduspider, googlebot, yahoo, bing, etc.

Each time someone visits your site, their browser software identifies itself by sending a user-agent string. The user-agent string identifies the browser software and the browser version. The user-agent string sometimes also includes information on the operating system type, name, and version, as well as information about installed plug-ins. To help identify their crawlers, search engines (google, bing, yahoo, yandex, baidu, etc) also send user-agent strings when their software crawls your web site.

The requestFiltering section of a web.config file can be used to block specific browser, bot, and spider user-agents from visiting your web site. The web.config can block a user-agent for an entire site, or on a directory-by-directory basis. User-agent blocking may be applied to all content, or to specific file types (.gif, .jpg, .php). When a blocked user-agent tries to access protected content, it receives a 404 (file not found) error.

Why it's done
There are many reasons why you may want to block certain user-agent strings. Some search engine spiders may be ignoring your robots.txt directives. Maybe an automated bot is regularly downloading all of your images. Maybe on inspection of your log files, you find that bot-infected machines are regularly attacking your site, and they are using a specific user-agent. Maybe you are some sort of zealot who wants to block certain browsers or operating systems from your site.

How it's done

  • Use a text editor to create a file named web.config
  • Save the web.config file with the appropriate content
  • Place the web.config file in the directory you wish to protect


Other examples

  • Block the yandex search engine from php files on your site
    <?xml version="1.0"?>
    <configuration>
       <system.webServer>
          <security>
            <requestFiltering>
              <filteringRules>
                <!-- name the rule -->
                <filteringRule name="user agent deny" scanUrl="false" scanQueryString="false">
                  <scanHeaders>
                    <!-- apply rule to user-agent header -->
                    <add requestHeader="user-agent" />
                  </scanHeaders>
                  <appliesTo>
                    <clear />
                    <!-- only apply rule to php files -->
                    <add fileExtension=".php" />
                  </appliesTo>
                  <denyStrings>
                    <clear />
                    <!-- block the yandex bot -->
                    <add string="yandex" />
                  </denyStrings>
                </filteringRule>
              </filteringRules>
            </requestFiltering>
         </security>
       </system.webServer>
    </configuration> 
    
  • Block the yandex search engine from all files on your site
    <?xml version="1.0"?>
    <configuration>
       <system.webServer>
          <security>
            <requestFiltering>
              <filteringRules>
                <!-- name the rule -->
                <filteringRule name="user agent deny" scanUrl="false" scanQueryString="false">
                  <scanHeaders>
                    <!-- apply rule to user-agent header -->
                    <add requestHeader="user-agent" />
                  </scanHeaders>
                  <!-- apply rule to all files -->
                  <appliesTo />
                  <denyStrings>
                    <clear />
                    <!-- block the yandex bot -->
                    <add string="yandex" />
                  </denyStrings>
                </filteringRule>
              </filteringRules>
            </requestFiltering>
         </security>
       </system.webServer>
    </configuration>
    
  • Block a java based bot from accessing images
    <?xml version="1.0"?>
    <configuration>
       <system.webServer>
          <security>
            <requestFiltering>
              <filteringRules>
                <!-- name the rule -->
                <filteringRule name="user agent deny" scanUrl="false" scanQueryString="false">
                  <scanHeaders>
                    <!-- apply rule to user-agent header -->
                    <add requestHeader="user-agent" />
                  </scanHeaders>
                  <appliesTo>
                    <clear />
                    <!-- only apply rule to image files -->
                    <add fileExtension=".gif" />
                    <add fileExtension=".jpg" />
                    <add fileExtension=".png" />
                  </appliesTo>
                  <denyStrings>
                    <clear />
                    <!-- block the fake java img bot -->
                    <add string="java/1.4" />
                  </denyStrings>
                </filteringRule>
              </filteringRules>
            </requestFiltering>
         </security>
       </system.webServer>
    </configuration>
    
  • Block multiple search engine spiders, from all files, with a single rule
    <?xml version="1.0"?>
    <configuration>
       <system.webServer>
          <security>
            <requestFiltering>
              <filteringRules>
                <!-- name the rule -->
                <filteringRule name="user agent deny" scanUrl="false" scanQueryString="false">
                  <scanHeaders>
                    <!-- apply rule to user-agent header -->
                    <add requestHeader="user-agent" />
                  </scanHeaders>
                  <!-- apply rule to all files -->
                  <appliesTo />
                  <denyStrings>
                    <clear />
                    <!-- block the following bots -->
                    <add string="yandex" />
                    <add string="baiduspider" />
                    <add string="sogou" />
                  </denyStrings>
                </filteringRule>
              </filteringRules>
            </requestFiltering>
         </security>
       </system.webServer>
    </configuration>
    

Notes

  • Requires: Windows 2008 Server, IIS 7 (w2k8) or IIS 7.5 (w2k8 r2)
  • Requires: IIS sub feature: Request filtering (installed by default with IIS)
  • Requires: Request filtering delegation set to: Read/Write
  • The requestHeader name is not case sensitive: <add requestHeader="not-case-sensitive" />
  • The denyStrings string text is not case sensitive: <add string="not-case-sensitive" />
  • If the bot or browser doesn't send a user-agent string, none of this will help you.
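As an added example (not the article's code), here is a Python model of how such a filteringRule is evaluated: the constructed web.config below combines the image-only java/1.4 rule with an all-files yandex rule, and denying_rule() applies the case-insensitive substring match, the appliesTo extension scope and the missing-user-agent case from the notes to constructed sample requests. The rule names and sample requests are assumptions.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed web.config (not the article's own file): the first rule is the image-only
# java/1.4 example above, the second blocks yandex on every file via an empty <appliesTo />.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <filteringRules>
          <filteringRule name="deny java img bot" scanUrl="false" scanQueryString="false">
            <scanHeaders>
              <add requestHeader="user-agent" />
            </scanHeaders>
            <appliesTo>
              <clear />
              <add fileExtension=".gif" />
              <add fileExtension=".jpg" />
              <add fileExtension=".png" />
            </appliesTo>
            <denyStrings>
              <clear />
              <add string="java/1.4" />
            </denyStrings>
          </filteringRule>
          <filteringRule name="deny yandex" scanUrl="false" scanQueryString="false">
            <scanHeaders>
              <add requestHeader="User-Agent" />
            </scanHeaders>
            <appliesTo />
            <denyStrings>
              <clear />
              <add string="yandex" />
            </denyStrings>
          </filteringRule>
        </filteringRules>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def load_rules(xml_text):
    """Read every filteringRule into a dict. Header names, extensions and denyStrings are
    lower-cased because IIS compares them case-insensitively (see the notes above)."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("filteringRule"):
        applies = rule.find("appliesTo")
        rules.append({
            "name": rule.get("name"),
            "headers": [a.get("requestHeader", "").lower() for a in rule.findall("scanHeaders/add")],
            # an absent or empty <appliesTo /> means "every file"
            "extensions": [] if applies is None
                          else [a.get("fileExtension", "").lower() for a in applies.findall("add")],
            "deny": [a.get("string", "").lower() for a in rule.findall("denyStrings/add")],
            "scan_url": rule.get("scanUrl", "false").lower() == "true",
            "scan_query": rule.get("scanQueryString", "false").lower() == "true",
        })
    return rules


def denying_rule(rules, url, headers):
    """Return the name of the first rule whose denyStrings match the request, else None.
    IIS answers a matched request with 404 (substatus 404.19, denied by filtering rule)."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    ext = posixpath.splitext(path)[1].lower()
    lowered = {name.lower(): value for name, value in headers.items()}
    for rule in rules:
        if rule["extensions"] and ext not in rule["extensions"]:
            continue                       # rule is scoped to other file types
        scanned = [lowered[h] for h in rule["headers"] if h in lowered]
        if rule["scan_url"]:
            scanned.append(path)
        if rule["scan_query"]:
            scanned.append(unquote(parts.query))
        for value in scanned:
            if any(needle in value.lower() for needle in rule["deny"]):
                return rule["name"]
    return None                            # no header to scan, or nothing matched


RULES = load_rules(WEB_CONFIG)

# Constructed sample requests as (url, headers); the comment gives the expected outcome
SAMPLE_REQUESTS = [
    ("/images/logo.gif", {"User-Agent": "Java/1.4.2_05"}),   # 404: deny java img bot
    ("/index.htm", {"User-Agent": "Java/1.4.2_05"}),         # 200: not an image file
    ("/images/Logo.PNG", {}),                                # 200: no user-agent sent
    ("/catalog.php", {"user-agent": "Mozilla/5.0 (compatible; YandexBot/3.0)"}),  # 404
]


def classify(rules, requests):
    """Map each request to the status the filtering rules would produce (404 or 200)."""
    return [(url, 404 if denying_rule(rules, url, hdrs) else 200) for url, hdrs in requests]
```

Because the match is a plain substring test, a denyString like "java" would also catch browsers whose user-agent merely mentions Java, so keep the strings as specific as the page's "java/1.4".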

web.config defaultDocument - use web.config to set a default page for a web site

February 11, 2012 23:11 by author Victor Ratajczyk

web.config defaultDocument
The defaultDocument section of the web.config file can be used to set a custom default page (document) for your web site. You can also have a custom list of default documents for your website. The web server checks the directory for each file in the list, in order, and serves the first one that exists.

The web.config can be used to change the default document (page) for an entire site, or on a directory by directory basis. The default page may be a .aspx, .asp, .htm, .html, .txt, or any other file type handled by the web server.

Why it's done
People typically type "foo.com" into their browsers, rather than "foo.com/index.aspx". When someone visits your website without specifying a page, the web server returns the default document. This also applies if someone visits a subdirectory on your site, such as foo.com/dir1/ or foo.com/dir2, but doesn't specify a page.

If there isn't a default document in the directory, the client will receive a "file not found" or "directory browsing denied" error. Web servers are typically configured to search for a list of default files. Depending on your configuration, the default document list in IIS 7.5 may include the files listed below.

  • default.aspx
  • default.asp
  • default.htm
  • index.asp
  • index.aspx
  • index.htm
  • index.html
  • index.php

Compatibility
The default document of web.config is compatible with IIS 7 (w2k8) and IIS 7.5 (w2k8 r2).

Web.config files are deeply integrated with IIS 7.x. While some web.config sections sometimes require that the containing directory is set as an application, this isn't one of them. A simple web.config with a defaultDocument section may be placed in any directory, and the directory does NOT need to be set as an application.

Example
Example default document list. Comments are enclosed in <!-- --> and are not required.

<!-- this line enables default documents for a directory -->
<defaultDocument enabled="true">
   <files>
       <!-- clear, removes the existing default document list -->
       <clear/>
       <!-- set foo.htm as the default document -->
       <add value="foo.htm"/>
       <!-- set foo.php as the 2nd default document -->
       <add value="foo.php"/>
       <!-- set foo.aspx as the 3rd default document -->
       <add value="foo.aspx"/>
   </files>
</defaultDocument>

Using defaultDocument to change the default page

  • Use a text editor to create a file named web.config
  • Save the web.config file with the appropriate content
  • Place the web.config file in the directory where you wish to change the default page


Detailed web.config examples

If there isn't an existing web.config in the directory, your new web.config should look something like this

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <!-- this line enables default documents for a directory -->
    <defaultDocument enabled="true">
      <files>
        <!-- clear, removes the existing default document list -->
        <clear/>
        <!-- set foo.htm as the default document -->
        <add value="foo.htm"/>
        <!-- set foo.php as the 2nd default document -->
        <add value="foo.php"/>
        <!-- set foo.aspx as the 3rd default document -->
        <add value="foo.aspx"/>
      </files>
    </defaultDocument>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
</configuration>

If there is an existing web.config without a <system.webServer> section, your new web.config should look like this

<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- .. existing text .. -->
    <!-- .. existing text .. -->
  </system.web>
  <system.webServer>
    <!-- this line enables default documents for a directory -->
    <defaultDocument enabled="true">
      <files>
        <!-- clear, removes the existing default document list -->
        <clear/>
        <!-- set foo.htm as the default document -->
        <add value="foo.htm"/>
        <!-- set foo.php as the 2nd default document -->
        <add value="foo.php"/>
        <!-- set foo.aspx as the 3rd default document -->
        <add value="foo.aspx"/>
      </files>
    </defaultDocument>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
</configuration>

If your existing web.config already has a <system.webServer> section, just add the <defaultDocument> section

<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- .. existing text .. -->
    <!-- .. existing text .. -->
  </system.web>
  <system.webServer>
    <!-- .. existing text .. -->
    <!-- this line enables default documents for a directory -->
    <defaultDocument enabled="true">
      <files>
        <!-- clear, removes the existing default document list -->
        <clear/>
        <!-- set foo.htm as the default document -->
        <add value="foo.htm"/>
        <!-- set foo.php as the 2nd default document -->
        <add value="foo.php"/>
        <!-- set foo.aspx as the 3rd default document -->
        <add value="foo.aspx"/>
      </files>
    </defaultDocument>
    <!-- .. existing text .. -->
  </system.webServer>
</configuration>

Web.config httpRedirect - Redirecting individual pages with 301, 302, and 307 status codes

February 7, 2012 23:23 by author Victor Ratajczyk

This article focuses on using web.config files to redirect browsers via a 301, 302, or 307 status code. This article details steps required to redirect individual pages to another page or site. This article is the third in a series. Part one explains what http redirect status codes are, and provides several example web.config files. Part two shows examples of web.config files in action.

Purpose
HTTP response redirect status codes are used to redirect web requests for a web site, directory, or page to another location. The redirect could target another page or directory on the same domain, or a page or directory on another domain. Response redirect status codes have many uses, but they are most often used after redesigning a web site, changing domain names, or merging two or more web sites.

Compatibility
The httpRedirect section of web.config is compatible with IIS 7 (w2k8) and IIS 7.5 (w2k8 r2).

Web.config files are deeply integrated with IIS 7.x. The httpRedirect directives listed in this article will apply to all files and directories (php, jpg, png, htm, etc), not just asp.net files.

While some web.config sections sometimes require that the containing directory is set as an application, this isn't one of them. A simple web.config with an httpRedirect section may be placed in any directory, and the directory does NOT need to be set as an application.

Prerequisites

  • Windows 2008 Server, IIS 7 (w2k8) or IIS 7.5 (w2k8 r2)
  • IIS sub feature: HTTP Redirection (not installed by default with IIS)
  • HTTP Redirection delegation set to: Read/Write

I already know
Yes, I know that we can redirect individual pages by placing the following into the head of the page: <META HTTP-EQUIV=Refresh CONTENT="0; URL=http://www.foo.com/page.htm" />, but that's not what we are talking about. Here, we are using web.config to do the same thing. One advantage of using web.config for the redirect is control over the status code. With web.config, we can set the status code to 301, 302, or 307.


Example
In the following example, the "pages" directory contains page1.htm, page2.htm, page3.htm, and page4.htm. The web.config shown below will do the following

<?xml version="1.0"?>
<configuration>
    <location path="page1.htm">
        <system.webServer>
            <httpRedirect enabled="true" destination="http://www.victor-ratajczyk.com/examples/webconfig/redir/newpages/newpage.htm" httpResponseStatus="Permanent" />
        </system.webServer>
    </location>
    <location path="page2.htm">
        <system.webServer>
            <httpRedirect enabled="true" destination="http://www.google.com" httpResponseStatus="Permanent" />
        </system.webServer>
    </location>
    <location path="page3.htm">
        <system.webServer>
            <httpRedirect enabled="true" destination="http://news.yahoo.com/science/" httpResponseStatus="Permanent" />
        </system.webServer>
    </location>
    <location path="page5.htm">
        <system.webServer>
            <httpRedirect enabled="true" destination="http://www.google.com" httpResponseStatus="Permanent" />
        </system.webServer>
    </location>
</configuration>

Web.config httpRedirect - Redirecting entire sites and directories with 301, 302, and 307 status codes - Part two

February 7, 2012 20:28 by author Victor Ratajczyk

This article focuses on using web.config files to redirect browsers via a 301, 302, or 307 status code. This article details the steps required to wildcard-redirect an entire site or directory. The redirect acts as a wildcard: if the browser visits /old/file55.txt, it is redirected to /new/file55.txt. You are currently on part two of this article. Part one explains what HTTP redirect status codes are, and provides several example web.config files. A third article will focus on redirecting individual pages.

Purpose
HTTP response redirect status codes are used to redirect web requests for a web site, directory, or page to another location. The redirect could target another page or directory on the same domain, or a page or directory on another domain. Response redirect status codes have many uses, but they are most often used after redesigning a web site, changing domain names, or merging two or more web sites.

Example one - same site, new directory
So your site is up and running for a while before you notice that there is a typo in one of your directories. You have site.tld/baksets, but it should be site.tld/baskets. The "baksets" directory is well indexed by google, and you know that many people have bookmarked pages in the "baksets" directory.

What to do? You want to retain your current search engine rankings, and you want your customer bookmarks to work too.

  • First you would prepare a web.config file similar to the one shown below.
  • Next you would rename your existing "baksets" directory to baskets.
  • Then you would recreate the "baksets" directory and place the web.config file in it.
  • Finally, you would test a few links to make sure everything works.

I have placed the web.config shown below in the /examples/webconfig/redir/baksets/ directory. This will redirect all requests, for any file, to the same file in the target directory or remote site. Let's see it in action.

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <!-- redirect requests from dir1 to dir2 -->
    <!-- 301 permanent redirect -->
    <httpRedirect enabled="true" destination="http://www.victor-ratajczyk.com/examples/webconfig/redir/baskets" httpResponseStatus="Permanent" />
  </system.webServer>
</configuration>

Example two - entire directory, redirects to a single file
So now you have completely redesigned your site. The new layout is completely different. On top of directories having new names, all the file names are different too.

What to do? Without a lot of work, there is no way to do matching page-for-page redirects. But at least we can make sure that bookmark users and search engines are redirected to the proper section of our redesigned site.

I have placed the web.config shown below in the /examples/webconfig/redir/basketgifts/ directory. This will redirect all requests, for any file, to a single file in the target directory or remote site. Let's see it in action.

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <!-- 301 permanent redirect -->
    <httpRedirect enabled="true" destination="http://www.victor-ratajczyk.com/examples/webconfig/redir/giftbaskets/index.htm" exactDestination="true" httpResponseStatus="Permanent" />
  </system.webServer>
</configuration>

Web.config httpRedirect - Redirecting entire sites and directories with 301, 302, and 307 status codes - Part one

February 7, 2012 18:23 by author Victor Ratajczyk

This article focuses on using web.config files to redirect browsers via a 301, 302, or 307 status code. This article details steps required to redirect an entire site or directory. You are currently on part one of this article. Part two shows the examples on this page in action. A third article will focus on redirecting individual pages.

Purpose
HTTP response redirect status codes are used to redirect web requests for a web site, directory, or page to another location. The redirect could target another page or directory on the same domain, or a page or directory on another domain. Response redirect status codes have many uses, but they are most often used after redesigning a web site, changing domain names, or merging two or more web sites.

Compatibility
The httpRedirect section of web.config is compatible with IIS 7 (w2k8) and IIS 7.5 (w2k8 r2).

Web.config files are deeply integrated with IIS 7.x. The httpRedirect directives listed in this article will apply to all files and directories (php, jpg, png, htm, etc), not just asp.net files.

While some web.config sections sometimes require that the containing directory is set as an application, this isn't one of them. A simple web.config with an httpRedirect section may be placed in any directory, and the directory does NOT need to be set as an application.

Prerequisites

  • Windows 2008 Server, IIS 7 (w2k8) or IIS 7.5 (w2k8 r2)
  • IIS sub feature: HTTP Redirection (not installed by default with IIS)
  • HTTP Redirection delegation set to: Read/Write

Redirect status codes
301 permanent redirect - Moved permanently
The requested resource has been assigned a new permanent URI and any future references to this resource should use the new URL.

  • Permanently redirect a site or subdirectory to another domain:
    <httpRedirect enabled="true" destination="http://foonew.com" httpResponseStatus="Permanent" />
  • Permanently redirect a site or subdirectory to a subdirectory on the same domain:
    <httpRedirect enabled="true" destination="http://foo.com/newdir" httpResponseStatus="Permanent" />
  • Permanently redirect a site or subdirectory to a specific page:
    <httpRedirect enabled="true" destination="http://foo.com/foo.htm" exactDestination="true" httpResponseStatus="Permanent" />

302 found redirect
The requested resource resides temporarily under a different URL. Since the redirection might be altered on occasion, the client should continue to use the old URL for future requests.

  • Redirect a site or subdirectory to a specific page:
    <httpRedirect enabled="true" destination="http://foo.com/overloaded.txt" exactDestination="true" httpResponseStatus="Found" />

307 temporary redirect - Temporary redirect
The requested resource resides temporarily under a different URL. Since the redirection might be altered on occasion, the client should continue to use the old URL for future requests.

  • Temporarily redirect a site or subdirectory to a specific page:
    <httpRedirect enabled="true" destination="http://foo.com/overloaded.txt" exactDestination="true" httpResponseStatus="Temporary" />
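As an added example serving both Part one and the wildcard redirects of Part two (not the author's code), a Python model of httpRedirect: load_redirects() reads a constructed web.config holding a directory-wide 301 wildcard rule plus a <location> rule that uses exactDestination, and resolve() returns the status code and Location header a request would receive. The /baksets directory and the example.com destinations are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.config (not the article's own file) for a "/baksets" directory: a 301 wildcard
# redirect for the whole directory, plus a <location> entry sending one page to a fixed URL.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <!-- 301: /baksets/<anything> becomes http://www.example.com/baskets/<anything> -->
    <httpRedirect enabled="true" destination="http://www.example.com/baskets" httpResponseStatus="Permanent" />
  </system.webServer>
  <location path="old.htm">
    <system.webServer>
      <!-- 307 to exactly this URL, whatever was requested -->
      <httpRedirect enabled="true" destination="http://www.example.com/new.htm" exactDestination="true" httpResponseStatus="Temporary" />
    </system.webServer>
  </location>
</configuration>
"""

# httpResponseStatus values and the codes IIS sends for them; Found is the default when omitted
STATUS = {"Permanent": 301, "Found": 302, "Temporary": 307}


def load_redirects(xml_text):
    """Return {location path (lower-cased) or "": httpRedirect attributes}."""
    root = ET.fromstring(xml_text)
    rules = {}
    for redirect in root.findall("system.webServer/httpRedirect"):
        rules[""] = redirect.attrib            # applies to the whole directory
    for location in root.findall("location"):
        redirect = location.find("system.webServer/httpRedirect")
        if redirect is not None:
            rules[location.get("path", "").lower()] = redirect.attrib
    return rules


def resolve(rules, config_dir, request_path):
    """Return (status code, Location header) for a request, or None if nothing redirects it.
    config_dir is the site-relative directory that holds the web.config, e.g. "/baksets"."""
    base = config_dir.rstrip("/") + "/"
    if not request_path.startswith(base):
        return None                            # outside the directory this web.config governs
    rel = request_path[len(base):]             # path below the directory, e.g. "file55.txt"
    # a <location path="..."> entry for this exact file takes precedence over the directory rule
    rule = rules.get(rel.lower(), rules.get(""))
    if rule is None or rule.get("enabled", "true").lower() != "true":
        return None
    status = STATUS[rule.get("httpResponseStatus", "Found")]
    destination = rule["destination"]
    if rule.get("exactDestination", "false").lower() == "true":
        return status, destination             # every matching request lands on this one URL
    # wildcard redirect: the relative path is appended to the destination
    return status, destination.rstrip("/") + ("/" + rel if rel else "")


RULES = load_redirects(WEB_CONFIG)
```

Browsers cache 301 responses, so check a permanent redirect's computed Location values against the new site before deploying it; a mistake in a 302 or 307 is far cheaper to correct.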


Using HTTP redirects

  • Use a text editor to create a file named web.config
  • Save the web.config file with the appropriate content
  • Place the web.config file in the directory that you wish to redirect.
  • If you wish to redirect the entire site, place the web.config in the web root.
  • If you wish to redirect foo.com/google to google.com, place the web.config in the /google directory of the web root


Example web.config redirects

Example redirects. Comments are enclosed in <!-- --> and are not required

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <!-- use only ONE of the following; a web.config may contain a single httpRedirect section -->
    <!-- 301 permanent redirect -->
    <httpRedirect enabled="true" destination="http://foo.com" httpResponseStatus="Permanent" />
    <!-- 302 found redirect -->
    <httpRedirect enabled="true" destination="http://foo.com" httpResponseStatus="Found" />
    <!-- 302 found redirect (the default status), to a specific page or directory -->
    <httpRedirect enabled="true" destination="http://www.foo.com/foo.htm" exactDestination="true" />
    <!-- 307 temporary redirect -->
    <httpRedirect enabled="true" destination="http://foo.com" httpResponseStatus="Temporary" />
  </system.webServer>
</configuration>

Detailed web.config content

Let's redirect http://foo.com/olddir/ to somewhere else.

  • If there isn't an existing web.config in the "olddir" directory, your new web.config should look something like this
    <?xml version="1.0"?>
    <configuration>
      <system.webServer>
        <httpRedirect enabled="true" destination="http://foo.com/newdir" httpResponseStatus="Permanent" />
      </system.webServer>
    </configuration>

  • If there is an existing web.config without a <system.webServer> section, your new web.config should look like this
    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <!-- .. existing text .. -->
        <!-- .. existing text .. -->
      </system.web>
      <system.webServer>
        <httpRedirect enabled="true" destination="http://foo.com/newdir" httpResponseStatus="Permanent" />
      </system.webServer>
    </configuration>

  • If your existing web.config already has a <system.webServer> section, just add the <httpRedirect> section
    <configuration>
      <system.web>
        <!-- .. existing text .. -->
        <!-- .. existing text .. -->
      </system.web>
      <system.webServer>
        <security>
          <ipSecurity allowUnlisted="true">
            <add ipAddress="83.116.19.53"/>
            <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
          </ipSecurity>
        </security>

        <httpRedirect enabled="true" destination="http://foo.com/newdir" httpResponseStatus="Permanent" />
        <modules runAllManagedModulesForAllRequests="true"/>
      </system.webServer>
    </configuration>

Web.config ipSecurity - Allow specific IP addresses, Deny all others

December 21, 2011 21:33 by author Victor Ratajczyk

This article focuses on using web.config files to permit access from specific IP addresses or specific IP networks. The "deny" security model is used in the remainder of this article. All hosts are denied, but a few specific IP addresses or IP networks are explicitly allowed.

Purpose
Web.config IP address restrictions can be used to restrict access to an entire web site, a sub directory of a web site, or even a single web page. The IP address restrictions are used to restrict access based on the IP address of the client (connecting) computer.

Denying all IP addresses, but allowing a few specific addresses, is useful in securing administrative or otherwise sensitive areas of a web site. I would recommend IP address restrictions in addition to user name and password restrictions.

Compatibility
The ipSecurity section of web.config is compatible with IIS 7 (w2k8) and IIS 7.5 (w2k8 r2).

Web.config files are deeply integrated with IIS 7.x. The ipSecurity restrictions listed in this article will apply to all protected files and directories (php, jpg, png, htm, etc), not just asp.net files.

While some web.config sections sometimes require that the containing directory is set as an application, this isn't one of them. A simple web.config with an ipSecurity section may be placed in any directory, and the directory does NOT need to be set as an application.

Prerequisites

  • Windows 2008 Server, IIS 7 (w2k8) or IIS 7.5 (w2k8 r2)
  • IIS sub feature: IP and Domain Restrictions
  • IPv4 IP Address and Domain Restrictions delegation set to: Read/Write


Examples

Example IP address restrictions. Comments are enclosed in <!-- --> and are not required.

Permit specific IPs and networks, but deny all others.

<security>
  <!-- deny everybody -->
  <ipSecurity allowUnlisted="false">
    <!-- "clear" removes all upstream restrictions -->
    <clear/>
    <!-- permit the loopback address -->
    <add ipAddress="127.0.0.1" allowed="true"/>
    <!-- permit network 83.116.119.0 to 83.116.119.255 -->
    <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
  </ipSecurity>
</security>

Using IP Address Restrictions

  • Use a text editor to create a file named web.config
  • Save the web.config file with the appropriate content
  • Place the web.config file in the directory that you wish to protect

Detailed web.config content

  • If there isn't an existing web.config in the directory, your new web.config should look something like this
    <?xml version="1.0"?>
    <configuration>
      <system.webServer>
        <security>
          <ipSecurity allowUnlisted="false">
            <clear/>
            <add ipAddress="127.0.0.1" allowed="true"/>
            <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
          </ipSecurity>
        </security>
      </system.webServer>
    </configuration>

  • If there is an existing web.config without a <system.webServer> section, your new web.config should look like this
    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <!-- .. existing text .. -->
        <!-- .. existing text .. -->
      </system.web>
      <system.webServer>
        <security>
          <ipSecurity allowUnlisted="false">
            <clear/>
            <add ipAddress="127.0.0.1" allowed="true"/>
            <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
          </ipSecurity>
        </security>
      </system.webServer>
    </configuration>

  • If your existing web.config already has a <system.webServer> section, just add the <security><ipSecurity> section
    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <!-- .. existing text .. -->
        <!-- .. existing text .. -->
      </system.web>
      <system.webServer>
        <security>
          <ipSecurity allowUnlisted="false">
            <clear/>
            <add ipAddress="127.0.0.1" allowed="true"/>
            <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
          </ipSecurity>
        </security>
      </system.webServer>
    </configuration>

Web.config ipSecurity - Deny specific IP addresses, Allow all others

December 21, 2011 19:52 by author Victor Ratajczyk

This article focuses on using web.config files to deny access from specific IP addresses or entire IP networks. The "allow" security model is used in the remainder of this article. All hosts are allowed, but a few specific IP addresses or IP networks are explicitly denied.

Purpose
Web.config IP address restrictions can be used to restrict access to an entire web site, a sub directory of a web site, or even a single web page. The IP address restrictions are used to restrict access based on the IP address of the client (connecting) computer.

Compatibility
The ipSecurity section of web.config is compatible with IIS 7 (w2k8) and IIS 7.5 (w2k8 r2).

Web.config files are deeply integrated with IIS 7.x. The ipSecurity restrictions listed in this article will apply to all protected files and directories (php, jpg, png, htm, etc), not just asp.net files.

While some web.config sections sometimes require that the containing directory is set as an application, this isn't one of them. A simple web.config with an ipSecurity section may be placed in any directory, and the directory does NOT need to be set as an application.

Prerequisites

  • Windows 2008 Server, IIS 7 (w2k8) or IIS 7.5 (w2k8 r2)
  • IIS sub feature: IP and Domain Restrictions
  • IPv4 IP Address and Domain Restrictions delegation set to: Read/Write


Examples

Example IP address restrictions. Comments are enclosed in <!-- --> and are not required.

Deny specific IPs and networks, but allow all others.

<security>
  <!-- allow everybody, except those listed below -->
  <ipSecurity allowUnlisted="true">
    <!-- "clear" removes all upstream restrictions -->
    <clear/>
    <!-- deny the specific IP of 83.116.19.53 -->
    <add ipAddress="83.116.19.53"/>
    <!-- deny network 83.116.119.0 to 83.116.119.255 -->
    <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
    <!-- deny network 83.116.0.0 to 83.116.255.255 -->
    <add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/>
    <!-- deny entire /8 network of 83.0.0.0 to 83.255.255.255 -->
    <add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/>
  </ipSecurity>
</security>


Using IP Address Restrictions

  • Use a text editor to create a file named web.config
  • Save the web.config file with the appropriate content
  • Place the web.config file in the directory that you wish to protect

Detailed web.config content

  • If there isn't an existing web.config in the directory, your new web.config should look something like this
    <?xml version="1.0"?>
    <configuration>
      <system.webServer>
        <security>
          <ipSecurity allowUnlisted="true">
            <clear/>
            <add ipAddress="83.116.19.53"/>
            <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
          </ipSecurity>
        </security>
      </system.webServer>
    </configuration>

  • If there is an existing web.config without a <system.webServer> section, your new web.config should look like this
    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <!-- .. existing text .. -->
        <!-- .. existing text .. -->
      </system.web>
      <system.webServer>
        <security>
          <ipSecurity allowUnlisted="true">
            <clear/>
            <add ipAddress="83.116.19.53"/>
            <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
          </ipSecurity>
        </security>
      </system.webServer>
    </configuration>

  • If your existing web.config already has a <system.webServer> section, just add the <security><ipSecurity> section
    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <!-- .. existing text .. -->
        <!-- .. existing text .. -->
      </system.web>
      <system.webServer>
        <security>
          <ipSecurity allowUnlisted="true">
            <clear/>
            <add ipAddress="83.116.19.53"/>
            <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
          </ipSecurity>
        </security>
      </system.webServer>
    </configuration>
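As an added example covering both ipSecurity articles (not the author's code), a Python model of the allow-list and deny-list fragments: load_ip_security() turns each <add> into a network, treating a missing subnetMask as a single host and a missing allowed attribute as a deny entry, and is_allowed() falls back to allowUnlisted for anything unmatched. The client addresses are constructed, and "first matching entry wins" is this model's assumption, which only matters for overlapping entries with conflicting allowed values.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragments (not the articles' files), one per article: an allow-list that denies
# everybody except two entries, and a deny-list that allows everybody except two entries.
ALLOW_LIST = """<security>
  <ipSecurity allowUnlisted="false">
    <clear/>
    <add ipAddress="127.0.0.1" allowed="true"/>
    <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
  </ipSecurity>
</security>"""

DENY_LIST = """<security>
  <ipSecurity allowUnlisted="true">
    <clear/>
    <add ipAddress="83.116.19.53"/>
    <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
  </ipSecurity>
</security>"""


def load_ip_security(xml_text):
    """Return (allowUnlisted, [(network, allowed), ...]) from a <security> fragment.
    An <add> without subnetMask is a single host; without allowed="true" it is a deny entry."""
    section = ET.fromstring(xml_text).find("ipSecurity")
    allow_unlisted = section.get("allowUnlisted", "true").lower() == "true"
    entries = []
    for add in section.findall("add"):
        network = ipaddress.IPv4Network(
            (add.get("ipAddress"), add.get("subnetMask", "255.255.255.255")), strict=False)
        entries.append((network, add.get("allowed", "false").lower() == "true"))
    return allow_unlisted, entries


def is_allowed(policy, client_ip):
    """Decide one client address. The first matching entry decides (an assumption of this
    model; the articles' examples never mix allow and deny entries that overlap)."""
    allow_unlisted, entries = policy
    address = ipaddress.IPv4Address(client_ip)
    for network, allowed in entries:
        if address in network:
            return allowed
    return allow_unlisted  # unlisted client: the allowUnlisted attribute decides


def denied_clients(policy, client_ips):
    """Return, in order, the addresses that would receive a 403 under this policy."""
    return [ip for ip in client_ips if not is_allowed(policy, ip)]


ALLOW_POLICY = load_ip_security(ALLOW_LIST)
DENY_POLICY = load_ip_security(DENY_LIST)

# Constructed client addresses, as they might appear in an access log
SAMPLE_CLIENTS = ["127.0.0.1", "83.116.119.200", "83.116.19.53", "83.116.120.1", "8.8.8.8"]
```

ipSecurity in IIS 7.x tests the TCP peer address, so behind a reverse proxy or load balancer every request arrives from the proxy's address and these rules admit or reject all clients alike.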