I have a legacy IIS web server (2008 R2) that is hosting a handful of WordPress sites. I need to restrict access to the login capability of WordPress (/wp-admin directory) to only a couple known IP addresses. Complicating this matter is the fact that this web server is behind an F5 load balancer, which overrides the true client IP (although I get the true IP via normal XFF header).
From what I understand there is the IP Address and Domain Restrictions IIS module which can allow blacklist/whitelist of a sub-directory like I need, but it isn't smart enough to handle proxy/Load-Balancer client IP translation. Then there is the Dynamic IP Restrictions IIS module, which is smart enough to handle proxy/Load-Balancer client IP translation, but it cannot handle creating rules on a subdirectory (only website-level granularity).
Is there a known way to handle this type of restriction in IIS? I'm sure I could restrict at the firewall or L/B, but I'm trying to get it done within IIS if possible.
Looks like the URL Rewrite module is a fairly straight-forward approach for this need. Something like the rule below will accomplish restricting certain URLs under a website (e.g., the pattern used can grab only a certain directory if desired).
<rule name="wordpress-login-restrictions" enabled="true" stopProcessing="true">
<match url="(^wp-admin)|(^wp-login.php)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTP_X_FORWARDED_FOR}" pattern="(^55\.55\.555\.555$)" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="404" subStatusCode="44" statusReason="File or directory not found" statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
</rule>