How to deny IP for a specific url from IIS when you have a rewrite url with path (.*)?

Question

I would like to block (or allow) some ip from site in IIS for a specific URL. Actually I have that rule in my web.config for a rewrite url:

<rule name="FOO_RULE" stopProcessing="true">
   <match url="foo/(.*)" ignoreCase="false" />
   <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
</rule>

This rule work properly for all IP caller and this is OK.

Now, I need the same rule with blocking some IP for a specific path. The problem is that path start with "foo/" (example "foo/rest/API/getName") and IIS will work for only FOO_RULE.

I've tryied to:

1. Created a new rule for only that path ("foo/rest/API/getName") EXCEPTION_FOO_PATH in the same web.config of my site, with restrict for some IP like that:

<rules>
   <rule name="FOO_RULE" stopProcessing="true">
      <match url="foo/(.*)" ignoreCase="false" />
      <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
      <conditions>
         <add input="{REQUEST_URI}" pattern="foo/rest/API/getName" negate="true" />
      </conditions>
   </rule>
   <rule name="EXCEPTION_FOO_PATH">
      <match url="foo/rest/API/getName" />
      <conditions>
         <add input="{REMOTE_ADDR}" pattern="111.222.333.444" negate="true" />
      </conditions>
      <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
   </rule>
</rules>

and this not working (same if I comment the condition in FOO_RULE);

2. Created an application inside main site of IIS with a rule for "foo/rest/API/getName" (generated a new web.config) and added restrict for some IP (from plugin IIS) but, still not working;

The concept is that not destroying the original FOO_RULE

Anyone have any idea? Thank you in advance!

Answer 1

You can reverse the two rules, delete the condition in the "FOO_RULE" and block request in "EXCEPTION_FOO_PATH" (look at logicalgrouping="MatchAny"):

<rules>
   <rule name="EXCEPTION_FOO_PATH" stopProcessing="true">
      <match url="foo/rest/API/getName" />
      <conditions logicalGrouping="MatchAny">
         <add input="{REMOTE_ADDR}" pattern="111.222.333.444" />
         <add input="{HTTP_X_Forwarded_For}" pattern="111.222.333.444" />
      </conditions>
      <action type="AbortRequest" />
   </rule>
   <rule name="FOO_RULE" stopProcessing="true">
      <match url="foo/(.*)" ignoreCase="false" />
      <action type="Rewrite" url="http://pippo.it/{R:0}" logRewrittenUrl="true" />
   </rule>
</rules>

So the first rule apply first:

• if url is "foo/rest/API/getName" AND ip is "111.222.333.444" -> Abort request.
• In all the other cases the second rule "FOO_RULE" apply and the url is rewrite in "http://pippo.it/{R:0}"

Answer 2

You can try similar to the following rules to achieve your requirement, in the Add Condition dialog, specify {REMOTE_ADDR} as the Condition input.

<rule name="block IP" stopProcessing="true">
    <match url="(.*)" />
        <conditions>
           <add input="{URL}" pattern=" " />
           <add input="{REMOTE_ADDR}" pattern="xxx.xxx.xxx.xxx" />
        </conditions>
        <action type="CustomResponse" statusCode="401" statusReason="permission required" statusDescription="Access is denied due to invalid credentials." />
</rule>