For an ASP.NET C# application, we will need to restrict access based on IP address. What is the best way to accomplish this?
问题:
回答1:
In IIS 7 best way to restrict IP is by using the config file.
Full article:
http://boseca.blogspot.com/2010/12/programmatically-addremove-ip-security.html
回答2:
One way is using a HttpModule.
From the link (in case it ever goes away):
/// <summary>
/// HTTP module to restrict access by IP address
/// </summary>
public class SecurityHttpModule : IHttpModule
{
public SecurityHttpModule() { }
public void Init(HttpApplication context)
{
context.BeginRequest += new EventHandler(Application_BeginRequest);
}
private void Application_BeginRequest(object source, EventArgs e)
{
HttpContext context = ((HttpApplication)source).Context;
string ipAddress = context.Request.UserHostAddress;
if (!IsValidIpAddress(ipAddress))
{
context.Response.StatusCode = 403; // (Forbidden)
}
}
private bool IsValidIpAddress(string ipAddress)
{
return (ipAddress == "127.0.0.1");
}
public void Dispose() { /* clean up */ }
}
Once the HTTP Module class is built you need to register it in the httpModules section of your web.config file, like this:
<configuration>
<system.web>
<httpModules>
<add name="SecurityHttpModule" type="SecurityHttpModule"/>
</httpModules>
</system.web>
</configuration>
This adds the module to the ASP.NET request pipeline for your web application.
回答3:
Here is an article from Microsoft on how to do this.
Setting Folder Security by IP Address or Domain Name
Apache uses the Allow and Deny directives to determine the sites that can access a particular Web site or folder. However, Apache provides discretionary access control; you must either deny all sites and provide a specific list of sites or IP addresses that can access a folder or allow all sites and deny only those sites that you do not want to have access. For example, if you use the following directive, all client computers are denied access unless they are recognized as part of the domain.com domain:
Deny from all
Allow from .domain.com
IIS works the same way. All clients are specifically denied or granted access, except for those that are listed.
Define Access Control for Specific Folder or Site
- Log on to the Web server computer as an administrator.
- Click Start, point to Settings, and then click Control Panel.
- Double-click Administrative Tools, and then double click Internet Services Manager.
If you want to limit access for the whole site, select the Web site from the list of different served sites in the left pane.
If you want to limit access only for a specific folder, click the folder you want to control.
- Right-click the Web site or folder, and then click Properties.
- Click the Directory Security panel.
- If you want to limit access to a specific set of sites but deny access to all other sites, click Denied Access.
- If you want to grant access to all clients by default but exclude a specific list of clients, click Granted Access.
- To update the list of hosts or domains in the Except list, click Add.
- To add a single computer to the list, click Single computer, type the IP address in the appropriate box, and then click OK.
- To add a range of computers in a specific address range, click Group of computers, type the IP address for the network in the appropriate box, type the subnet mask for the network range you want to configure, and then click OK.
- To add computers by their identified domain name, click Domain name, and then type the domain name in the appropriate box.
- Click Properties, type the domain name, and then click OK.
- Click OK, and then click OK.
NOTE: If you use domain name restrictions, the server has to perform a reverse DNS lookup for each request to check the host's registered domain name. Microsoft recommends that you use an IP address or network range whenever you can.