IIS: whitelist only website with ipSecurity - iis

I'd like to make my website accessible only by a few IP addresses. I've added the <ipSecurity> tag but it seems to get ignored.
This is my current config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<remove name="PHP" />
<add name="PHP" path="*.php" verb="*" modules="CgiModule" scriptProcessor="C:\PHP\5.4.0\php-cgi.exe" resourceType="File" requireAccess="Script" />
</handlers>
<defaultDocument>
<files>
<remove value="index.htm" />
<remove value="index.html" />
<remove value="index.asp" />
<add value="index.html" />
<add value="index.php" />
<add value="index.asp" />
</files>
</defaultDocument>
<httpErrors errorMode="Detailed" />
</system.webServer>
<location path="Default Web Site">
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<add ipAddress="79.1.2.3" />
</ipSecurity>
</security>
</system.webServer>
</location>
</configuration>
But the site is accessible by everywhere.
If I add the <security> block inside <system.webServer> then no IP can see the site, not even the one listed, by getting 403.
What's wrong?

Try to add below code in your site web.config file:
<system.webServer>
<security>
<ipSecurity allowUnlisted="true">
<add ipAddress="ip" allowed="true" /> <!--allow-->
<add ipAddress="ip" allowed="false" /> <!--deny-->
</ipSecurity>
</security>
deny:
allow:
Regards,
Jalpa

Related

IIS Authentication Tab doesn't open on double click

This is the operation i'm doing:
Open IIS Console
Select the Website
Double click at Authentication Icon
When I click this error occurs, only at that site (I have many sites configured, and this is the only one that I'm getting this error)
And then the panel show me that, and don't let me change the Authentication type. I need to Allow Anonimous Authentication, but I can't because of this error.
When I click Enable or Edit, the same pop-up error came up.
And also, when I try to access the website in any browser, I get this message:
My web.config file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\IdentityServer.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="true" startupTimeLimit="3600" requestTimeout="23:00:00" hostingModel="InProcess">
<environmentVariables>
<environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Development" />
<environmentVariable name="COMPLUS_ForceENC" value="1" />
<environmentVariable name="ASPNETCORE_HTTPS_PORT" value="44339" />
</environmentVariables>
</aspNetCore>
<security>
<requestFiltering>
<verbs>
<add verb="PUT" allowed="true" />
<add verb="DELETE" allowed="true" />
</verbs>
<requestLimits maxQueryString="4096" />
</requestFiltering>
</security>
<modules runAllManagedModulesForAllRequests="false">
<remove name="WebDAVModule" />
</modules>
<httpProtocol>
<customHeaders>
<remove name="X-Xss-Protection" />
<!--<add name="X-Xss-Protection" value="1; mode=block" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="Content-Security-Policy" value="script-src 'self' h.online-metrix.net 'unsafe-inline' 'unsafe-eval'; object-src 'self' h.online-metrix.net; frame-src 'self' h.online-metrix.net; default-src 'self' h.online-metrix.net;" />-->
</customHeaders>
</httpProtocol>
</system.webServer>
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
</configuration>
<!--ProjectGuid: 3ACFC0B0-4FDD-4549-AFBD-C3FF653F5886-->
Thanks in advance for any help

Adding x-frame-Options in web.config return error 500

I added X-frame-Options in my web.config.
This is my web.config
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
After restarting IIS I got 500 error!!!
Can someone help me to find out the problem?
Modify your customHeaders as below:
<customHeaders>
<clear />
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
I suspect that your application is located within a virtual folder, if that's the case then two web.config files are processed. First is the global one, the the second time is yours. So you end up having two collection of customHeaders.
Blog post IIS 7: But why do I get a 500.19 explains in more details why it is happening and how to fix it.
Your location to add CustomHeaders is wrong. Correct location is :
....
</system.web>
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="true">
<add verb="OPTIONS" allowed="false" />
</verbs>
</requestFiltering>
</security>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="ALLOW" />
<remove name="X-Powered-By" />
<add name="X-XSS-Protection" value="1; mode=block" />
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
<modules>
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
....
Other option is Useful for your application security.

Access denied for login page even though i set the tag location in web.config file

I have a problem with form authentication from IIS. The problem is that i can't access the login.html file, even though a put the tag location in my web.config file. I use only form authentication.
Here is my config file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false"/>
</appSettings>
<system.web>
<authentication mode="Forms">
<forms loginUrl="login.html" name="formsauth1" timeout="60" defaultUrl="index.html">
<credentials passwordFormat="Clear">
<user name="username" password="pass" />
</credentials>
</forms>
</authentication>
</system.web>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="" />
</modules>
</system.webServer>
<location path="login.html">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>

Unrecognized configuration section system.ftpServer for azure

I'm trying to configure web.config for my Azure web app service. I want to restrict the ftp access to only specific URLs. But when i am adding the tag, it is giving me the error -
Parser Error Message: Unrecognized configuration section system.ftpServer.
Can you please guide me where i am doing the mistake.
Thanks in advance
My Web.config file -
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off" />
</system.web>
<system.webServer>
<httpErrors errorMode="Detailed" />
</system.webServer>
<location path="<<FTP hostname>>">
<system.ftpServer>
<security>
<authorization>
<add accessType="Allow" roles="administrators" permissions="Read, Write" />
</authorization>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<add fileExtension=".exe" allowed="false" />
<add fileExtension=".bat" allowed="false" />
<add fileExtension=".cmd" allowed="false" />
</fileExtensions>
<requestLimits maxAllowedContentLength="1000000" maxUrl="1024" />
<hiddenSegments>
<add segment="_vti_bin" />
</hiddenSegments>
</requestFiltering>
<ipSecurity enableReverseDns="false" allowUnlisted="true">
<add ipAddress="127.0.0.1" allowed="true" />
<add ipAddress="169.254.0.0" subnetMask="255.255.0.0" allowed="false" />
</ipSecurity>
</security>
</system.ftpServer>
</location>
Some verisons of IIS donot support 'system.ftpServer' configuration or you need to download ftp module manually. You can reference the artice https://www.iis.net/configreference/system.ftpserver and check your IIS version.

how to set web.config default page for php index file

I'm trying to start my web site on iis server and I use php for that.
every thing is fine on server but defaultDocument.
how can I set that on web.config file.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<defaultDocument enabled="true">
<files>
<remove value="default.aspx" />
<remove value="iisstart.htm" />
<remove value="index.html" />
<remove value="index.htm" />
<remove value="Default.asp" />
<remove value="Default.htm" />
<add value="index.php" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
this is the default xml and I try other thing like:
<clear />
or try to remove other pages...
any Idea how can I set this file?
after some more researches, the only suitable config was this...
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="index.php" />
<add value="index.html" />
<add value="index.htm" />
</files>
</defaultDocument>
</system.webServer>
<system.data>
<DbProviderFactories>
<remove invariant="System.Data.SqlServerCe.4.0" />
<add invariant="System.Data.SqlServerCe.4.0" name="Microsoft® SQL Server® Compact 4.0" description=".NET Framework Data Provider for Microsoft SQL Server Compact" type="System.Data.SqlServerCe.SqlCeProviderFactory, System.Data.SqlServerCe, Version=4.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" />
</DbProviderFactories>
</system.data>
</configuration>

Resources