IIS |阻止特定内部IP地址以外的页面特定URL

时间:2017-06-21 08:50:11

标签: iis url-rewrite-module

我正在尝试阻止所有IP地址的特定网址页面(http://www.testdomain.com/login)除外部管理员IP地址。我没有阻止模式 login 的问题,但我想在本地测试以确保内部管理IP被排除在/ login url的阻止规则之外。看看我到目前为止... 

<rewrite>
            <rules>
                <rule name="RequestBlockingRule1" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*login*" negate="false" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="true">
                        <add input="{HTTP_X_Forwarded_For}" pattern="92.102.130.65" />
                    </conditions>
                    <action type="None" />
                </rule>
                <rule name="RequestBlockingRule2" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions>
                        <add input="{URL}" pattern="*login*" />
                    </conditions>
                    <action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
                </rule>

我还想要复制相同的规则,但查询字符串为http://www.testdomain.com/home.aspx ?ctl = login 

                <rule name="RequestBlockingRule3" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*ctl=login*" negate="false" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="true">
                        <add input="{HTTP_X_Forwarded_For}" pattern="93.107.170.85" />
                    </conditions>
                    <action type="None" />
                </rule>
                <rule name="RequestBlockingRule4" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions>
                        <add input="{QUERY_STRING}" pattern="*ctl=login*" />
                    </conditions>
                    <action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
                </rule>
            </rules>
        </rewrite>

我所做的是尝试排除特定模式的内部IP,然后遵循实际的阻止规则。有没有人知道a)一个更好的选择或b)看看我可能做错了什么或者做错了(理想情况下我想在使用真实IP地址在实际服务器上使用它们之前在本地测试这些规则)。感谢

1 个答案:

答案 0 :(得分:4)

我想建议使用一种不同的方式:

  • 使用重写地图列入白名单IP列表
  • 仅使用两个规则,不要使用<action type="None" />

配置代码是:

<rewrite>
   <rules>
         <rule name="Block login page" stopProcessing="true">
            <match url="^login$" />
            <conditions>
              <add input="{Authorised Admin IPs:{REMOTE_ADDR}}" pattern="1" negate="true" />
            </conditions>
            <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
          </rule>
          <rule name="Block query string" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{Authorised Admin IPs:{REMOTE_ADDR}}" pattern="1" negate="true" />
                <add input="{QUERY_STRING}" pattern="ctl=login" />
            </conditions>
            <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
        </rule>
    </rules>
    <rewriteMaps> 
        <!-- This is your list of white-listed IP's-->
        <rewriteMap name="Authorised Admin IPs">
            <add key="92.102.130.65" value="1" />
            <add key="93.107.170.85" value="1" />
            <!-- local IPs-->
            <add key="127.0.0.1" value="1" />
            <add key="localhost" value="1" />
            <add key="::1" value="1" />
        </rewriteMap>         
    </rewriteMaps>
</rewrite>

此规则阻止所有用户使用此网址的所有请求,其中包含非白名单的IP

在上面的配置中,我正在使用{REMOTE_ADDR}。但您可能需要使用{HTTP_X_Forwarded_For}。这取决于您的网络基础设施(如果您有代理或负载均衡器)

您可以通过添加/删除本地IP表单重写映射

在本地测试此规则
相关问题
最新问题