views:

2478

answers:

2

For an ASP.NET C# application, we will need to restrict access based on IP address.

Edit:

I liked @Mitch Wheat's answer.
Will use this in our implementation.
Thanks.

+5  A: 

Here is an article from Microsoft on how to do this.


Setting Folder Security by IP Address or Domain Name

Apache uses the Allow and Deny directives to determine the sites that can access a particular Web site or folder. However, Apache provides discretionary access control; you must either deny all sites and provide a specific list of sites or IP addresses that can access a folder or allow all sites and deny only those sites that you do not want to have access. For example, if you use the following directive, all client computers are denied access unless they are recognized as part of the domain.com domain:

Deny from all
Allow from .domain.com

IIS works the same way. All clients are specifically denied or granted access, except for those that are listed.

Define Access Control for Specific Folder or Site

  • Log on to the Web server computer as an administrator.
  • Click Start, point to Settings, and then click Control Panel.
  • Double-click Administrative Tools, and then double click Internet Services Manager.
  • If you want to limit access for the whole site, select the Web site from the list of different served sites in the left pane.

  • If you want to limit access only for a specific folder, click the folder you want to control.

  • Right-click the Web site or folder, and then click Properties.
  • Click the Directory Security panel.
  • If you want to limit access to a specific set of sites but deny access to all other sites, click Denied Access.
  • If you want to grant access to all clients by default but exclude a specific list of clients, click Granted Access.
  • To update the list of hosts or domains in the Except list, click Add.
  • To add a single computer to the list, click Single computer, type the IP address in the appropriate box, and then click OK.
  • To add a range of computers in a specific address range, click Group of computers, type the IP address for the network in the appropriate box, type the subnet mask for the network range you want to configure, and then click OK.
  • To add computers by their identified domain name, click Domain name, and then type the domain name in the appropriate box.
  • Click Properties, type the domain name, and then click OK.
  • Click OK, and then click OK.

NOTE: If you use domain name restrictions, the server has to perform a reverse DNS lookup for each request to check the host's registered domain name. Microsoft recommends that you use an IP address or network range whenever you can.

Tom Anderson
This is nice and easy if you have a small list of static addresses to block or allow. If you need something programmatic, try @Mitch Wheat's answer. +1
Michael Haren
this method also allows you to add ip ranges, which is nice as well.
Tom Anderson
Thanks this was useful +1
Kb
+7  A: 

One way is using a HttpModule.

Mitch Wheat
This is a nice approach, especially if you add a config section handler for the allowed ip addresses
Tom Anderson
Nice example. +1
Michael Haren