I have an ASP.NET application that's made up of several .aspx pages. I want one of those .aspx pages to be accessible by only a certain set of IPs. Is this possible?
I know you can IP whitelist at the website level, but can you IP whitelist for a single URL in an application?
You can always check Request.ServerVariables["REMOTE_HOST"] against your own white list within your app.
Unfortunately, I'm pretty sure you can't do it for a single page via IIS (seek Serverfault.com for more details if you want verification), but if you wanted to do it programmatically, you could hook Application_BeginRequest in your global.asax file. Check the request URL and the request IP address against your restrictions, and only allow the request to continue if they pass.
The following resource demonstrates how to detect the client IP in ASP.NET:
http://bytes.com/topic/asp-classic/answers/439176-how-get-clients-ip-address-asp-net
Once you have the IP, load your whitelist from the storage mechanism of your choice, perhaps during an Init event (if in a page), and if the IP fails to match, respond like so (Use HttpContext.Current.Response if not in a page:
if (!mySafeIpList.Contains(clientIP))
{
Response.Clear()
Response.StatusCode = (int)HttpStatusCode.Unauthorized
Response.End()
}
Or, just simply redirect to a valid page:
Response.Redirect("~/Head-Fake.aspx")
I hope this helps.