
Is it possible to configure a location in Web.config to only allow local connections

I've got a page in an ASP.Net app (it's MVC actually, but not important) and I would like to only allow connections to this page from the local machine. I would love to do something like this in Web.config:

<location path="resources">
  <system.web>
    <authorization>
      <allow ips="local"/>
    </authorization>
  </system.web>
</location>  

I know this is possible with a simple check in the page code-behind (or controller), and it's even possible just with IIS configuration, but I would love a Web.config config as this would be the most elegant solution in my opinion. Anyone know if this is possible?

gatapia asked Feb 25 '10 21:02



3 Answers

You can ask IIS to restrict access to a resource by IP address from within the Web.config:

<location path="resources">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <!-- allowed defaults to false, so the loopback entry has to set it -->
        <add ipAddress="127.0.0.1" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</location>

More info

EDIT: As Mike pointed out in the comment below, this requires the IP and Domain Restrictions module to be installed. Thanks Mike!

Daniel answered Oct 07 '22 19:10
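
An added example, not part of the answer above and not IIS code: a small Python audit that reads a Web.config and reports whether the `<ipSecurity>` block of a `<location>` really admits loopback only. The function name, the two sample configs and the finding texts are constructed here, and the check assumes the IIS defaults `allowUnlisted="true"` and `allowed="false"`.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the page).
SAMPLE_STRICT = """<configuration><location path="resources"><system.webServer><security>
  <ipSecurity allowUnlisted="false"><clear/>
    <add ipAddress="127.0.0.1" allowed="true"/>
  </ipSecurity></security></system.webServer></location></configuration>"""
SAMPLE_WEAK = """<configuration><location path="resources"><system.webServer><security>
  <ipSecurity>
    <add ipAddress="127.0.0.1"/>
    <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true"/>
  </ipSecurity></security></system.webServer></location></configuration>"""

def audit_ip_security(config_xml, location_path):
    """Return findings for one <location>; an empty list means loopback-only access."""
    section = None
    for loc in ET.fromstring(config_xml).iter("location"):
        if loc.get("path") == location_path:
            section = next(loc.iter("ipSecurity"), None)
    if section is None:
        return [f"no <ipSecurity> section for location '{location_path}'"]
    findings = []
    # Assumed IIS default: allowUnlisted="true", so it must be switched off explicitly.
    if section.get("allowUnlisted", "true").lower() != "false":
        findings.append("allowUnlisted is not false: clients matching no entry get in")
    if section.find("clear") is None:
        findings.append("no <clear/>: entries inherited from parent config still apply")
    loopback_allowed = False
    for entry in section.iter("add"):
        ip, mask = entry.get("ipAddress"), entry.get("subnetMask")
        try:
            net = ipaddress.ip_network(f"{ip}/{mask}" if mask else ip, strict=False)
        except (ValueError, TypeError):
            findings.append(f"entry without a parsable ipAddress not evaluated: {entry.attrib}")
            continue
        # Assumed IIS default: allowed="false", so a bare <add> is a deny entry.
        if entry.get("allowed", "false").lower() != "true":
            if net.is_loopback:
                findings.append(f"{net} lacks allowed=\"true\" and is therefore denied")
        elif net.is_loopback:
            loopback_allowed = True
        else:
            findings.append(f"{net} is allowed but is not a loopback range")
    if not loopback_allowed:
        findings.append("no loopback entry is allowed: local requests are rejected as well")
    return findings

if __name__ == "__main__":
    for name, xml_text in (("strict", SAMPLE_STRICT), ("weak", SAMPLE_WEAK)):
        print(name, audit_ip_security(xml_text, "resources"))
```

Entries that carry only a `domainName` are reported as not evaluated rather than guessed at.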


This isn't what you asked for, but you could specify users of the local machine. I can't imagine this is practical unless it's a small number of users you're wanting to authorize.

<location path="resources">
  <system.web>
    <authorization>
      <allow users="LOCALMACHINENAME\UsernameOfTrustedUser"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

lance answered Oct 07 '22 19:10


  1. Invent a non-DNS alias for the machine, i.e. "PrivateHostName".
  2. Set this value in the local hosts file to point to 127.0.0.1.
  3. Set an (IIS) host header for the web site such that it only responds to requests to address "PrivateHostName".
  4. For all local calls use the private host name.

Remote clients will not be able to resolve the host name.

You could secure it more using a dedicated IP address tied to a virtual network adapter which would not actually respond to external requests.

Jennifer Zouak answered Oct 07 '22 18:10