How to block certain IPs (users) from accessing my website? - c#

Does anybody know of a way of blocking certain users (by IP) from accessing your website (website on ASP.NET MVC)?
EDIT:
I know that web-servers can do this as well, but I need this at the application level

It's better to do this in the web server.
However, if you want to do it in code, you can handle the Application.BeginRequest event, check Request.UserHostAddress, and call Response.End.

IIS allows you to specify IP-based block lists.

If you want to do it at the application level, you can get the user's IP from Request.UserHostAddress and then do a redirect to wherever you want them to go if their IP is in a list you have saved.

Related

Multiple anonymous users can't access .NET web app simultaneously

I have a .NET web app that I built for file processing. I am using IIS 7 anonymous user authentication; I also did not require the users to log in, so pretty much any user who has access to the intranet can access the web app.
The users said that when two of them try to run their files on the app at the same time they receive an error (they did not specify it).
My question is:
If I use anonymous authentication, will every user by default have his/her own session while accessing the app?
Yes, by default every user will have their own session. And anonymous authentication is the default scheme for the web. It is unlikely that any web server, by default, would only allow 1 anonymous user at a time.
Most likely, if your app is doing file processing, you may be dealing with file locks and not an issue with IIS. You want to make sure that your code is written so that, if two or more people access it simultaneously, they cannot request the same file. Also, you need to make sure that you are properly closing any file streams you open, even in the case of exceptions. Without seeing the code in question, it would be difficult to impossible to give more specific guidance, but hopefully this will help point you in the correct direction.
Install Elmah to get an error report of your app!

Restrict access through IP addresses to particular pages of RestService

I've developed a RestService through C# that gets the petition in this way:
{server}/user/{action}
{server}/auth/{action}
...
I don't want people to access directly to the webservice, instead it's just the web server who has to access. I have successfully achieved this denying every IP except the webserver, but I realized now that there's a part of the site that should actually have public access.
EDIT: What I've done to deny every petition is to use the feature "IPv4 Address and Domain Restrictions" from IIS, denying access to unspecified clients in the settings and finally adding just one allow entry for the IP of the web server.
So, what I want is to keep the actual behaviour, except for the case of pages like:
{server}/admin/{action}
How can I achieve this?
Thanks!

How to make website only be able to opened from a specified IP addresses

I have got a website, which I want to be opened from some specified IP addresses.
I know how to get the IP address in ASP.NET, but I don't want this check to be performed on page init or in the master page again and again.
Is it possible to do some settings in web.config or do some stuff with global.asax, so we can control that the website can be opened from some specified IP addresses only and we need not write the check for this again and again?
I am using the Express edition of VS2008 for web development.
Thanks
EDIT:
I just want to do it by code or using web.config or global.asax (but I don't want to write it on page init or the master page). Is it not possible to do some stuff with Application_Start in global.asax and redirect the user to some other URL, or any other such idea which can be implemented by the coder, not by IIS settings or other settings kind of stuff?
If you don't have access to IIS, one option would be to write a whitelist HTTPModule. Scott Hanselman posted a blacklist HTTPModule on his blog. It would be quite simple to modify this to provide whitelist functionality.
You can restrict access to IPs with IIS. Depending on the version of IIS it's slightly different, but look for Directory Security and denying/granting access.
Go to inetmgr >> right click on website >> property
Another approach is through defining the ipSecurity section in the web.config:
http://www.iis.net/configreference/system.webserver/security/ipsecurity
Note: IP and Domain Restrictions is enabled on Azure WebSites.
http://azure.microsoft.com/blog/2013/12/09/ip-and-domain-restrictions-for-windows-azure-web-sites/
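The application-level check these answers describe (handling BeginRequest and testing Request.UserHostAddress, packaged as a whitelist or blacklist HTTPModule), as an added example that is not code from the posts or from the blog they mention. The class name, the sample ranges and the AllowListMode switch are assumptions, and it targets System.Web on .NET Framework 4.5 or later.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;

// Added example: IP filter for classic ASP.NET, usable as allow list or deny list.
public sealed class IpFilterModule : IHttpModule
{
    // Constructed sample ranges (RFC 5737 documentation networks); replace with your own.
    private static readonly string[] Ranges = { "203.0.113.0/24", "198.51.100.7/32" };
    // true = only listed ranges may connect; false = listed ranges are blocked.
    private static readonly bool AllowListMode = false;

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            // UserHostAddress is the address of the TCP peer. Client-supplied
            // headers such as X-Forwarded-For are not consulted: they can be forged.
            IPAddress client;
            bool parsed = IPAddress.TryParse(ctx.Request.UserHostAddress, out client);
            bool listed = parsed && Ranges.Any(r => InRange(client, r));
            if (parsed && listed == AllowListMode) return;   // request is permitted
            ctx.Response.StatusCode = 403;                   // unparseable address: denied
            ctx.Response.SuppressContent = true;
            ctx.ApplicationInstance.CompleteRequest();       // ends the request without the exception Response.End throws
        };
    }

    public static bool InRange(IPAddress addr, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress net = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        // Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; normalise first.
        if (addr.IsIPv4MappedToIPv6) addr = addr.MapToIPv4();
        if (addr.AddressFamily != net.AddressFamily) return false;
        byte[] a = addr.GetAddressBytes(), n = net.GetAddressBytes();
        for (int i = 0; i < a.Length && prefix > 0; i++, prefix -= 8)
        {
            int mask = prefix >= 8 ? 0xFF : (0xFF << (8 - prefix)) & 0xFF;
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }

    public void Dispose() { }
}
```

Register the module under system.webServer/modules in web.config so it runs for every request without any per-page check. Behind a reverse proxy or load balancer, Request.UserHostAddress is the proxy's address, so the filtering belongs on the proxy in that setup.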

ASP.NET MVC Deployed Application Server Address

I have an application that sends an email to a user so that they may access a web form. In the email there is just a link to the start page of this form. Currently, I have the value for the form location hardcoded. Once the app is deployed I know it is in inetpub/wwwroot/appName, which results in a URL of serverip:appPort/appName.
What is the C# to get the serverip:appPort portion of the URL that I need?
I think that server.mappath() might work, but for some reason I can't get to the method even though I have the necessary references.
Note: I will be deploying this application on several different servers and really just don't want to have to hardcode the IP every time I re-deploy.
Try
HttpContext.Current.Request.ServerVariables["HTTP_HOST"], this should give you the host name.
This link will show you how to get all the keys you (may) need to get the port and application (if you don't already have them).
http://msdn.microsoft.com/en-us/library/system.web.httprequest.servervariables.aspx

Take down website to public, but leave for testing... "We're Not Open"

We are rolling out a site for a client using IIS tomorrow.
I am to take the site down to the general public (Sorry, we are updating message) and allow the client to test over the weekend after we perform the upgrade.
If it is successful, I open it to everybody - if not, I rollback.
What is the easiest way to put a "We're not open" sign for the general public, but leave the rest open to testers?
Redirect via IIS. Create a new website in IIS and put your "Sorry updating" message in the Default.aspx. Then switch ports between the real site (will go from 80, to something else (6666)) and the 'maintenance' site (set on 80).
Then tell your testers to go to yoursite.com:6666.
Then switch the real site back to 80 after taking down the 'maintenance' site.
I thought it would be worthwhile to mention ASP.NET 2.0+'s "app offline" feature. (Yes, I realize the questioner wants to leave the app up for testing, but I'm writing this for later readers who might come here with different needs).
If you really want to take the application offline for everyone (for instance to do server maintenance) there is a very simple option. All you have to do in ASP.NET 2.0 and higher is put a file with this name:
app_offline.htm
...in the root directory of your ASP.NET application. Put an appropriate "sorry come back later" message in there. That's it. The ASP.NET runtime does the rest.
Details on Scott Guthrie's blog.
Require that testers login. You can even hide the login page so that you need a direct link to even see it. Then, for all people not logged in, redirect to the page that displays your message.
Fire up another "site" in IIS which will catch your host-header for your primary site. Use either a custom 307/503/404 page that has "we're down for maintenance" or use some sort of URL-rewrite to redirect people to your single static file.
Switch host-header-binding on your real site to something else, like dev.domain.com or testing.domain.com that your developers use.
Or, block by IP, and have your custom "Not authorized" page tell visitors that you're down for maintenance.
You have several options.
Some methods that I've used before:
Windows authentication and/or separate subdomains for client to test.
Disable anonymous website access in IIS and give your client a username/password combo to test the website.
Disable default document in IIS and give your client an absolute URL to the main index file.
We tend to have a log in page and an include file across all pages in the site (usually the DB Connection as it's included in all files) that checks for a valid logged in session. If you've not logged in you get a message saying the site's down for maintenance.
