Restricting environment access IPV6

Vote:
 

A client has given me an IPv6 to add into the restrictions sections of the web.config 

For all Ipv4 we have followed this article : https://world.episerver.com/digital-experience-cloud-service/dxc-security/restricting-environment-access/ 

How can i add an IPv6 to this 

Thanks in advance

#203939
May 13, 2019 12:20
Vote:
 

Rather than using url rewrite to restrict access to the sites, you could maybe make use of the ipSecurity configuration element.

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/ipsecurity/

My understanding is that although the documentation suggests it only supports IPv4, IPv6 addresses can be used too - https://blogs.iis.net/nazim/using-ipv6-with-iis7

<ipSecurity allowUnlisted="false">
    <add ipAddress="10.199.199.199" allowed="true" />
    <add ipAddress="12.14.0.0" subnetMask="255.255.0.0" allowed="true" />
    <add ipAddress="2001:4898:2a:5:c4ad:9291:22b1:c870" subnetMask="ffff:ffff::" allowed="true" />
</ipSecurity >

If the above doesn't work for you, you could always add some custom logic into Application_BeginRequest to test the IPs and return the response you require.

#203943
Edited, May 13, 2019 17:08
Vote:
 

Thank you Tom, I was unfamiliar with this approach it defintly looks a lot neater and can use CIDR by the looks of it. :) 

Edit: I dont believe this will work on an Azure Web App 

#203958
Edited, May 14, 2019 15:20
Vote:
 

I believe Azure web apps have their own restrictions - https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions

#203962
May 14, 2019 16:12
Vote:
 

Yup they do Tom although Episerver do not allow access to this section as part of the Azure Access, thus recommending the approach in my original article and using rewrites. 

#203963
May 14, 2019 16:16
Vote:
 

Ahh I didn't realise you didn't have that access. I think if none of the configuration approaches work you may need to write some code to process the requests. I've done something similar in the past making use of the Application_BeginRequest to test the IP against a list of IPs defined in config and return a 404 if they don't match. 

#203993
May 15, 2019 16:06