asp.net, azure, iis, episerver

How to restrict access to section of website running on Azure


I have an Episerver website running on Azure and, for security reasons, I would like to block access to any requests to the CMS admin section using a whitelist of IP addresses.

I have done this in the past with websites running on Windows Server, but I have never done this on an Azure-hosted site. I have tried the approach I took on previous sites, adding a security section to the web.config for the location I am trying to restrict, e.g.:

<location path="cms/admin">
  <system.webServer>
    <security>
      <!-- allowUnlisted="false" makes this a whitelist: only the listed addresses get through -->
      <ipSecurity allowUnlisted="false">
        <add allowed="true" ipAddress="{my ip address}" subnetMask="255.255.255.255" />
        ...
      </ipSecurity>
    </security>
  </system.webServer>
</location>

This works locally, but it is not working when I deploy the web.config to Azure: it is preventing any users, including those in the whitelist, from accessing the location.

I have also looked into making the changes in portal.azure using Application -> Networking -> Access restrictions, but this looks like it is intended to control access to the whole app, which is not what I want.

Does anybody know if I am doing this incorrectly, specifically for an Azure website? Is there a setting in Access restrictions that I have missed?

Thanks,

Sam


Solution

  • We solved this using the URL Rewrite module, as others have suggested. We also realised that the IP address being passed in was not the true request origin IP address because of the Cloudflare CDN. Luckily, the origin IP address is included in the rerouted request from Cloudflare, so we were able to make this work using the URL rewrite rule below. I have added this as the correct answer to the question because Jalpa's answer technically won't work in my specific context:

    <rewrite>
        <rules>
            <rule name="restrict admin access by IP address" stopProcessing="true">
                <match url="(.*)" />
                <conditions logicalGrouping="MatchAll">
                    <!-- only apply the rule to the admin login path -->
                    <add input="{REQUEST_URI}" pattern="^/admin/login(.*)" />
                    <!-- True-Client-IP is the header Cloudflare adds with the original client address;
                         IIS exposes it as the server variable HTTP_True_Client_IP -->
                    <!-- localhost -->
                    <add input="{HTTP_True_Client_IP}" pattern="^127\.0\.0\.1$" negate="true"/>
                    <!-- my office (escape the dots in the address, as in the localhost pattern above) -->
                    <add input="{HTTP_True_Client_IP}" pattern="^{your ip address here}$" negate="true"/>
                </conditions>
                <!-- every condition held: protected path AND the client is not on the whitelist -->
                <action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="The resource you are looking for has been removed, had its name changed, or is temporarily unavailable." />
            </rule>
        </rules>
    </rewrite>
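As an added illustration (not the original post's or Episerver's code) of why the ipSecurity whitelist failed behind Cloudflare and how the rewrite rule's conditions decide, here is a Python model of both checks; the CDN edge range, the office address and the request values are constructed placeholders. It also goes one step beyond the rule above: the True-Client-IP header is only consulted when the request actually arrived from the CDN's own address range, so a request that reaches the origin directly cannot present a header of its own choosing.

```python
# Model of the IIS ipSecurity whitelist and the URL Rewrite rule from the accepted answer.
# Added example, not code from the original page; all addresses below are constructed.
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed stand-in for the CDN's published edge ranges (placeholder, not real Cloudflare data).
CDN_EDGE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed whitelist: localhost and an "office" address (placeholder, not the poster's).
ALLOWED_PATTERNS = [r"^127\.0\.0\.1$", r"^203\.0\.113\.10$"]

# The rule's first condition: only the admin login path is protected (IIS patterns ignore case).
PROTECTED_PATH = re.compile(r"^/admin/login(.*)", re.IGNORECASE)


@dataclass
class Request:
    uri: str
    remote_addr: str                      # REMOTE_ADDR as IIS sees it: the CDN edge when proxied
    headers: dict = field(default_factory=dict)


def effective_client_ip(req: Request) -> str:
    """Use True-Client-IP only when the previous hop is a CDN edge; otherwise REMOTE_ADDR."""
    header_ip = req.headers.get("True-Client-IP")
    from_cdn = any(ipaddress.ip_address(req.remote_addr) in net for net in CDN_EDGE_RANGES)
    return header_ip if (header_ip and from_cdn) else req.remote_addr


def ip_security_decision(req: Request) -> str:
    """What <ipSecurity allowUnlisted="false"> does: it only ever looks at REMOTE_ADDR."""
    listed = any(re.match(p, req.remote_addr) for p in ALLOWED_PATTERNS)
    return "allow" if listed else "block"


def rewrite_rule_decision(req: Request) -> str:
    """MatchAll: protected path AND client IP matches none of the whitelist patterns -> 404."""
    if not PROTECTED_PATH.match(req.uri):
        return "pass"
    ip = effective_client_ip(req)
    if any(re.match(p, ip) for p in ALLOWED_PATTERNS):
        return "pass"
    return "404"
```

Running the office address through the CDN shows the poster's symptom: ipSecurity blocks it because REMOTE_ADDR is the edge, while the rewrite rule, reading True-Client-IP, lets it through.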