Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it possible to configure a location in Web.config to only allow local connections

Tags:

asp.net

web-config

I've got a page in an ASP.Net app (its Mvc actually but not important) and I would like to only allow connections to this page from the local machine. I would love to do something like this in Web.config:

<location path="resources">
  <system.web>
    <authorization>
      <allow ips="local"/>
    </authorization>
  </system.web>
</location>

I know this is possible with a simple check in the page code behind (or controller) and its even possible just with IIS configuration but I would love a Web.config config as this would be the most elegant solution in my opinion. Anyone know if this is possible?

like image 226
gatapia Avatar asked Feb 25 '10 21:02

gatapia

People also ask

What is location path in Web config?

The path attribute defines the site or virtual directory that the configuration settings cover. To specify that the settings in the <location> element apply to the default Web site, set the path attribute to Default Web Site .

What is Web config how many Web config files can be allowed to use in an application?

There is no restriction to use the web. config file in the asp.net web application. You can have 1 Web. config file per folder .

Is it safe to store connection string in Web config?

config based connectionstring as seems is unsafe, because one can read it. But think about it, if a person can read your web. config, means he can edit any file on your server anyways as he probably already hack or gain access to file.

What is protected configuration?

You can use protected configuration to encrypt sensitive information, including user names and passwords, database connection strings, and encryption keys, in a Web application configuration file such as the Web. config file.

3 Answers

You can ask IIS to restrict access to a resource by IP address from within the Web.config:

<location path="resources">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1"/>
      </ipSecurity>
    </security>
  </system.webServer>
</location>

More info

EDIT: As Mike pointed it out in the comment below, this requires the IP and Domain Restrictions module to be installed. Thanks Mike!

like image 86
Daniel Avatar answered Oct 07 '22 19:10

Daniel

This isn't what you asked for, but you could specify users of  the local machine. I can't imagine this is practical unless it's a small number of users you're wanting to authorize.

<location path="resources">
  <system.web>
    <authorization>
      <allow users="LOCALMACHINENAME\UsernameOfTrustedUser"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
like image 37
lance Avatar answered Oct 07 '22 19:10

lance
  1. Invent a non-DNS alias for the machine, i.e. "PrivateHostName".
  2. Set this value in the local hosts file to point to 127.0.0.1.
  3. Set a (IIS) host header for the web site such that it only responds to requests to address "PrivateHostName".
  4. For all local calls use the private host name.

Remote clients will not be able to resolve the host name.

You could secure it more using a dedicated ip address tied to a virtual network adapter which would not actually respond to external requests.

like image 45
Jennifer Zouak Avatar answered Oct 07 '22 18:10

Jennifer Zouak
Sign in to Comment

Related questions

What is the equivalent "aspnet_regiis -lk" on Windows 7?
IAuthenticationRequest.RedirectToProvider is not supposed to return, yet it does
ObjectDataSource cannot find type when deployed to SharePoint
unzipping a file using c#
'Caching' a large table in ASP.NET
Multi tenant membership provider ASP.NET MVC
how to get the focus to a button on pressing the "enter" key in the key board
How to make a DropDownList control display some items in bold ASP.NET
Display web page from another site in asp page
ASP.NET SiteMap - Is there a way to programatically see if it contains a page without iterating through each node individually
How to find the data key on CheckedChanged event of checkbox in ListView in ASP.NET?
How to use ASP.Net server controls inside of Substitution control?
How does tiny url work
Is it possible to deploy an ASP.NET application as desktop application (with server component)
How can i upload file size 1.25GB in ASP.NET MVC
Multilanguage web site
jQuery call __doPostBack on LinkButton
ASP.NET webservice authentication from an iPhone app
asp.net mailmessage BCC and CC won't work
NancyFx and Windows Authentication

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!