IIS |除特定的内部IP地址以外的阻止页面特定的URL
问题描述:
我试图阻止所有IP地址特定的URL页面(http://www.testdomain.com/login),除了内部管理员IP地址。我没有任何问题阻止登录但我想在本地进行测试以确保内部管理IP从/ login url的阻止规则中排除。看看我迄今为止... IIS |除特定的内部IP地址以外的阻止页面特定的URL
<rewrite>
<rules>
<rule name="RequestBlockingRule1" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
<match url="*login*" negate="false" />
<conditions logicalGrouping="MatchAny" trackAllCaptures="true">
<add input="{HTTP_X_Forwarded_For}" pattern="92.102.130.65" />
</conditions>
<action type="None" />
</rule>
<rule name="RequestBlockingRule2" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions>
<add input="{URL}" pattern="*login*" />
</conditions>
<action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
</rule>
我也希望是重复相同的规则,但对于http://www.testdomain.com/home.aspx查询字符串?CTL =登录
<rule name="RequestBlockingRule3" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
<match url="*ctl=login*" negate="false" />
<conditions logicalGrouping="MatchAny" trackAllCaptures="true">
<add input="{HTTP_X_Forwarded_For}" pattern="93.107.170.85" />
</conditions>
<action type="None" />
</rule>
<rule name="RequestBlockingRule4" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions>
<add input="{QUERY_STRING}" pattern="*ctl=login*" />
</conditions>
<action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
</rule>
</rules>
</rewrite>
我有什么完成尝试排除特定模式的内部IP,然后跟随实际的阻止规则。有人知道a)更好的选择,或b)看看我可能会或可能没有做错(理想情况下,我想在本地测试这些规则,然后在使用真实IP地址的实际服务器上使用它们)。由于
答
我想建议使用有点不同的方式:
- 使用重写地图为您列入白名单的IP列表
- 仅使用两个规则,并且不使用
<action type="None" />
配置代码是:
<rewrite>
<rules>
<rule name="Block login page" stopProcessing="true">
<match url="^login$" />
<conditions>
<add input="{Authorised Admin IPs:{REMOTE_ADDR}}" pattern="1" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="Block query string" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{Authorised Admin IPs:{REMOTE_ADDR}}" pattern="1" negate="true" />
<add input="{QUERY_STRING}" pattern="ctl=login" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
</rules>
<rewriteMaps>
<!-- This is your list of white-listed IP's-->
<rewriteMap name="Authorised Admin IPs">
<add key="92.102.130.65" value="1" />
<add key="93.107.170.85" value="1" />
<!-- local IPs-->
<add key="127.0.0.1" value="1" />
<add key="localhost" value="1" />
<add key="::1" value="1" />
</rewriteMap>
</rewriteMaps>
</rewrite>
此规则阻止该网址的所有请求的所有用户,其中有非白名单的IP
- http://www.testdomain.com/login
- 任何URL,它上面有
ctl=login
查询字符串
在我的配置,我正在使用{REMOTE_ADDR}
。但您可能需要使用{HTTP_X_Forwarded_For}
。这取决于你的网络基础设施(如果你有代理或负载平衡器)
您可以测试此通过添加/删除本地IP形式重写地图
感谢维克多,是的伟大工程在当地规矩!太多清洁剂了。 – denisjoconnor