November Happy Hour will be moved to Thursday December 5th.

AI OnAI Off

Restricting environment access IPV6

Minesh Shah (Netcel)
Minesh Shah (Netcel)
Vote:
 

A client has given me an IPv6 to add into the restrictions sections of the web.config 

For all Ipv4 we have followed this article : https://world.episerver.com/digital-experience-cloud-service/dxc-security/restricting-environment-access/ 

How can i add an IPv6 to this 

Thanks in advance

#203939
May 13, 2019 12:20
Tom Dickie
Tom Dickie
Vote:
 

Rather than using url rewrite to restrict access to the sites, you could maybe make use of the ipSecurity configuration element.

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/ipsecurity/

My understanding is that although the documentation suggests it only supports IPv4, IPv6 addresses can be used too - https://blogs.iis.net/nazim/using-ipv6-with-iis7

<ipSecurity allowUnlisted="false">
    <add ipAddress="10.199.199.199" allowed="true" />
    <add ipAddress="12.14.0.0" subnetMask="255.255.0.0" allowed="true" />
    <add ipAddress="2001:4898:2a:5:c4ad:9291:22b1:c870" subnetMask="ffff:ffff::" allowed="true" />
</ipSecurity >

If the above doesn't work for you, you could always add some custom logic into Application_BeginRequest to test the IPs and return the response you require.

#203943
Edited, May 13, 2019 17:07
Minesh Shah (Netcel)
Minesh Shah (Netcel)
Vote:
 

Thank you Tom, I was unfamiliar with this approach it defintly looks a lot neater and can use CIDR by the looks of it. :) 

Edit: I dont believe this will work on an Azure Web App 

#203958
Edited, May 14, 2019 15:18
Tom Dickie
Tom Dickie
Vote:
 

I believe Azure web apps have their own restrictions - https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions

#203962
May 14, 2019 16:12
Minesh Shah (Netcel)
Minesh Shah (Netcel)
Vote:
 

Yup they do Tom although Episerver do not allow access to this section as part of the Azure Access, thus recommending the approach in my original article and using rewrites. 

#203963
May 14, 2019 16:16
Tom Dickie
Tom Dickie
Vote:
 

Ahh I didn't realise you didn't have that access. I think if none of the configuration approaches work you may need to write some code to process the requests. I've done something similar in the past making use of the Application_BeginRequest to test the IP against a list of IPs defined in config and return a 404 if they don't match. 

#203993
May 15, 2019 16:06
Drew Dishman
Drew Dishman
Vote:
 

I'm having the same issue. What solution ended up being used for this?

#266523
Nov 10, 2021 19:37
Michael Clausing
Michael Clausing
Vote:
 

Any update on this? We used UrlRewrite for ipv4, but recently ran in to this issue with ipv6. Is the solution to let Optimizely manage it?

#269753
Jan 10, 2022 15:04
Paul McGann (Netcel)
Paul McGann (Netcel)
Vote:
 

Hi Michael,

I think the best way to do this is to add some custom middleware.

You can retireve the ip address from cloudflare and then parse this and compare against a safe list. There is example code here.

Thanks

Paul

#269942
Edited, Jan 13, 2022 13:37
Michael Clausing
Michael Clausing
Vote:
 

Paul,

Thanks for that. Is that a recent change for .net 5/6?

#270000
Jan 14, 2022 14:59
Mark Stott - Jan 14, 2022 15:56
Michael, Yes the middleware approach is a .NET 5/6 and .NET Core approach to handling that kind of issue. You'll need to be on CMS 12 for that.
Michael Clausing - Jan 14, 2022 16:43
Paul I had found some similar on another site. Just curious, do you know the performance impact using this example vs something like registering a global MVC filter that runs on every request?
Paul McGann (Netcel) - Jan 14, 2022 16:55
I don't believe there is any performance impact.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.