Thursday, 19 December 2013

How to Restrict Access by IP in ASP.NET MVC and Azure

There are several ways to do this, including using HTTP Modules (here and here) or creating an Action Filter in ASP.NET MVC (like this).

They all work and are useful depending on your requirements, but each has pros and cons in different situations. Consider that you need to filter access to some sub-folders of your web application without making them IIS applications: then the HTTP module method may no longer work for you, or you may not want to hard-code every single folder in your Action Filter.

If you are using IIS 7+, the best practice is to use the ipSecurity configuration section, which supports IP ranges and subnet masks out of the box; with a few simple steps you can deny or allow access. Some examples:

Allow all, but block specific IPs or networks
<security>

   <!-- this line allows everybody, except those listed below -->
   <ipSecurity allowUnlisted="true"> 

       <!-- removes all upstream restrictions -->
       <clear/>

       <!-- blocks the specific IP of 83.116.19.53  -->
       <add ipAddress="83.116.19.53"/>

       <!--blocks network 83.116.119.0 to 83.116.119.255-->
       <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>

       <!--blocks network 83.116.0.0 to 83.116.255.255-->
       <add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/>

       <!--blocks entire /8 network of 83.0.0.0 to 83.255.255.255-->
       <add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/>

   </ipSecurity>
</security>

Deny all, but allow specific IPs or networks
<security>

    <!-- this line blocks everybody, except those listed below --> 
    <ipSecurity allowUnlisted="false"> 

       <!-- removes all upstream restrictions -->
       <clear/> 

       <!-- allow requests from the local machine -->
       <add ipAddress="127.0.0.1" allowed="true"/>

       <!--allow network 83.116.119.0 to 83.116.119.255-->
       <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/> 

       <!-- allow the specific IP of 83.116.19.53  --> 
       <add ipAddress="83.116.19.53" allowed="true"/>  

       <!--allow network 83.116.0.0 to 83.116.255.255-->
       <add ipAddress="83.116.0.0" subnetMask="255.255.0.0" allowed="true"/> 

       <!--allow entire /8 network of 83.0.0.0 to 83.255.255.255-->
       <add ipAddress="83.0.0.0" subnetMask="255.0.0.0" allowed="true"/> 

    </ipSecurity>

</security>


To do this on your local or on-premise IIS:

  1. Add the IP and Domain Restrictions feature to your IIS (here).
  2. Unlock the section by running this command in your command prompt: %windir%\system32\inetsrv\AppCmd.exe unlock config -section:system.webServer/security/ipSecurity
  3. Add the proper configuration to your root web.config using a location tag, or add a new web.config to each folder you want to limit access to.

<location path="YOUR-FOLDER-PATH">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <!-- allows 1.0.0.0 to 1.255.255.255; ipSecurity takes a subnet mask, not wildcards,
             and every entry needs allowed="true" because <add> defaults to a deny rule -->
        <add ipAddress="1.0.0.0" subnetMask="255.0.0.0" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</location>


The trick for ASP.NET MVC areas is that you need to use the virtual path (the route) for your folders, not the physical one. For example, if you have an Admin area in your web application, the MVC route for it will be /Admin and not Areas/Admin. So you might need two location settings to limit access to your admin area, one for the route and one for the physical folder, like this:

<location path="Admin">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <!-- subnet masks instead of wildcards, and allowed="true" on each entry,
             otherwise allowUnlisted="false" blocks everybody -->
        <add ipAddress="127.0.0.0" subnetMask="255.0.0.0" allowed="true"/>
        <add ipAddress="1.0.0.0" subnetMask="255.0.0.0" allowed="true"/>
        <add ipAddress="192.0.0.0" subnetMask="255.0.0.0" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</location>

<location path="Areas/Admin">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.0" subnetMask="255.0.0.0" allowed="true"/>
        <add ipAddress="1.0.0.0" subnetMask="255.0.0.0" allowed="true"/>
        <add ipAddress="192.0.0.0" subnetMask="255.0.0.0" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</location>
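As an added example (not code from the original post), the following Python models how such an ipSecurity section is evaluated for a client address: it reads allowUnlisted, honours <clear/> against rules inherited from a parent web.config, expands each <add> with its subnetMask (the form the first two snippets use; the default mask is a single host), and shows why an allow-list under allowUnlisted="false" needs allowed="true" on every entry. The sample config, the 192.0.2.0/24 range and the first-match rule are constructed assumptions for this model.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the style of this post: an allow-list for the Admin folder.
# Every <add> carries allowed="true"; IIS defaults allowed to "false" (a deny rule).
ADMIN_ALLOWLIST = """
<location path="Admin">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>
        <add ipAddress="192.0.2.0" subnetMask="255.255.255.0" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</location>
"""

# Same section with allowed="true" dropped: every entry becomes a deny rule.
ADMIN_LOCKOUT = ADMIN_ALLOWLIST.replace(' allowed="true"', "")

def parse_ip_security(xml_text, inherited=()):
    """Return (allow_unlisted, rules); rules are (network, allowed) pairs.
    inherited holds rules from a parent web.config; <clear/> discards them."""
    section = next(ET.fromstring(xml_text).iter("ipSecurity"))
    allow_unlisted = section.get("allowUnlisted", "true").lower() == "true"
    rules = list(inherited)
    for entry in section:
        if entry.tag == "clear":
            rules = []
        elif entry.tag == "add":
            mask = entry.get("subnetMask", "255.255.255.255")  # IIS default: one host
            network = ipaddress.ip_network(f"{entry.get('ipAddress')}/{mask}", strict=False)
            rules.append((network, entry.get("allowed", "false").lower() == "true"))
    return allow_unlisted, rules

def is_allowed(client_ip, allow_unlisted, rules):
    """First matching entry wins (an assumption of this model; keep entries
    non-overlapping as the post's examples are); unmatched clients get allowUnlisted."""
    ip = ipaddress.ip_address(client_ip)
    for network, allowed in rules:
        if ip in network:
            return allowed
    return allow_unlisted

def check(xml_text, client_ip, inherited=()):
    return is_allowed(client_ip, *parse_ip_security(xml_text, inherited))
```

Running check(ADMIN_LOCKOUT, "127.0.0.1") shows the lockout case: even loopback is denied once allowed="true" is missing.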

Azure

It turns out that IIS7 doesn't have the module or role for IP Security installed in Azure (or on any Windows Server 2008) by default. Therefore we must install the module ourselves before the application starts. The way to achieve this is to create a startup task. In this task, first you need to install the "IPv4 Address and Domain Restrictions" feature and then unlock the configuration section for it.
To do this, create a new folder at the root level of your web role called startup and, within this folder, create a batch file called startup.cmd. Set the properties of this file to Copy Always to ensure that it will be deployed. In this file we are going to put some shell commands that make the Web Role install the correct IIS module during its startup. Those commands are:

@echo off
@echo Installing "IPv4 Address and Domain Restrictions" feature
%windir%\System32\ServerManagerCmd.exe -install Web-IP-Security
@echo Unlocking configuration for "IPv4 Address and Domain Restrictions" feature
%windir%\system32\inetsrv\AppCmd.exe unlock config -section:system.webServer/security/ipSecurity


Then go into the ServiceDefinition.csdef of your Web Role and add the startup task under the WebRole tag like so:

<Startup>
  <Task commandLine="startup\startup.cmd" executionContext="elevated" taskType="background" />
</Startup>


Note that this startup task's type is background, so it runs independently of the Role itself: the task starts first and the Role starts right after it, without waiting for the task to complete. So if something goes wrong in the task, your web role won't fail. The flip side is that the Role can begin serving requests before the module is installed and the section is unlocked, so the restriction is not guaranteed to be in effect for the very first requests; taskType="simple" makes the Role wait for the task to finish (and fail if it fails).
Now you can use the same web configuration as above to restrict access to some folders.

5 comments:

  1. Scrum is undeniably the winner of the agile method wars. Thanks to the scrumstudy.com's vast network of Certified Scrum Trainers and Agile Certification Courses.

  2. Organizations need to be assured the individuals that manage their projects can integrate methods to achieve sustainability goals and still achieve project specific objectives. Project Managers need credentials that validate their proficiency with these specialized qualities. PMP Certified and scrum certified project managers can learn, apply, and validate mastery of sustainability based project methods to meet these demands.

  3. The restriction in the asp.net makes it to deliver the more secure website for any business, that is why people prefer to hire asp.net developers for their web related work. It takes more load time, but it is managed by seo professionals.

  4. Excellent examples of code!
    The information is laid out very well, thank you for your work!
    Richard Brown data rooms

  5. Anyone in that domain can then get access to the IP address and come to know which computer it belongs to. Since IP addresses are unique to computers, this is very easy to do. hiding ip address
