IIS |除特定的内部IP地址以外的阻止页面特定的URL

Question

我试图阻止所有IP地址特定的URL页面（http://www.testdomain.com/login），除了内部管理员IP地址。我没有任何问题阻止登录但我想在本地进行测试以确保内部管理IP从/ login url的阻止规则中排除。看看我迄今为止...

<rewrite> 
      <rules> 
       <rule name="RequestBlockingRule1" enabled="true" patternSyntax="Wildcard" stopProcessing="true"> 
        <match url="*login*" negate="false" /> 
        <conditions logicalGrouping="MatchAny" trackAllCaptures="true"> 
         <add input="{HTTP_X_Forwarded_For}" pattern="92.102.130.65" /> 
        </conditions> 
        <action type="None" /> 
       </rule> 
       <rule name="RequestBlockingRule2" patternSyntax="Wildcard" stopProcessing="true"> 
        <match url="*" /> 
        <conditions> 
         <add input="{URL}" pattern="*login*" /> 
        </conditions> 
        <action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." /> 
       </rule> 

我也希望是重复相同的规则，但对于http://www.testdomain.com/home.aspx查询字符串？CTL =登录

   <rule name="RequestBlockingRule3" enabled="true" patternSyntax="Wildcard" stopProcessing="true"> 
        <match url="*ctl=login*" negate="false" /> 
        <conditions logicalGrouping="MatchAny" trackAllCaptures="true"> 
         <add input="{HTTP_X_Forwarded_For}" pattern="93.107.170.85" /> 
        </conditions> 
        <action type="None" /> 
       </rule> 
       <rule name="RequestBlockingRule4" patternSyntax="Wildcard" stopProcessing="true"> 
        <match url="*" /> 
        <conditions> 
         <add input="{QUERY_STRING}" pattern="*ctl=login*" /> 
        </conditions> 
        <action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." /> 
       </rule> 
      </rules> 
     </rewrite> 

我有什么完成尝试排除特定模式的内部IP，然后跟随实际的阻止规则。有人知道a）更好的选择，或b）看看我可能会或可能没有做错（理想情况下，我想在本地测试这些规则，然后在使用真实IP地址的实际服务器上使用它们）。由于

Answer 1

我想建议使用有点不同的方式：

• 使用重写地图为您列入白名单的IP列表
• 仅使用两个规则，并且不使用<action type="None" />

配置代码是：

<rewrite> 
    <rules> 
     <rule name="Block login page" stopProcessing="true"> 
      <match url="^login$" /> 
      <conditions> 
       <add input="{Authorised Admin IPs:{REMOTE_ADDR}}" pattern="1" negate="true" /> 
      </conditions> 
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" /> 
      </rule> 
      <rule name="Block query string" stopProcessing="true"> 
      <match url=".*" /> 
      <conditions> 
       <add input="{Authorised Admin IPs:{REMOTE_ADDR}}" pattern="1" negate="true" /> 
       <add input="{QUERY_STRING}" pattern="ctl=login" /> 
      </conditions> 
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" /> 
     </rule> 
    </rules> 
    <rewriteMaps> 
     <!-- This is your list of white-listed IP's--> 
     <rewriteMap name="Authorised Admin IPs"> 
      <add key="92.102.130.65" value="1" /> 
      <add key="93.107.170.85" value="1" /> 
      <!-- local IPs--> 
      <add key="127.0.0.1" value="1" /> 
      <add key="localhost" value="1" /> 
      <add key="::1" value="1" /> 
     </rewriteMap>   
    </rewriteMaps> 
</rewrite> 

此规则阻止该网址的所有请求的所有用户，其中有非白名单的IP

• http://www.testdomain.com/login
• 任何URL，它上面有ctl=login查询字符串

在我的配置，我正在使用{REMOTE_ADDR}。但您可能需要使用{HTTP_X_Forwarded_For}。这取决于你的网络基础设施（如果你有代理或负载平衡器）

您可以测试此通过添加/删除本地IP形式重写地图