
IP filtering in IIS running in the Amazon cloud

You can set up highly scalable web services very easily in the Amazon EC2 cloud: just create two new virtual machines, connect them to a load balancer and you're done! The dark clouds begin to gather over your head when you realize that the IP filtering you carefully set up does not work in IIS, and anyone can access your website.

The problem is that IIS running in the virtual machine sees the load balancer as the client, not the original browser. (Obviously, IP filtering would work perfectly for that internal address, but I'm pretty sure that is not what you need.) If you don't believe me, check your IIS log files.

Thankfully, Amazon load balancers support the Proxy protocol, which forwards the IP address of the real client in the X-Forwarded-For HTTP request header. By default IIS doesn't log the value of this field, but you can add it to your logs with a few clicks:

[Screenshot: iis-proxy-logging]

The second piece of good news is that you can configure IIS to use the X-Forwarded-For header for IP filtering. In IIS 7 you can do this with the Dynamic IP Restriction module, and from IIS 8 on this functionality is built into the IP Address and Domain Restrictions module. It is not enabled by default, but you can activate it with a single click:

[Screenshot: iis-proxy-mode]
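To make the difference between the two modes concrete, here is an added example (not code from the post, and not how IIS implements its proxy mode) that applies an allow list either to the direct peer or to the client address recovered from X-Forwarded-For. It assumes the load balancer's internal range is the only hop trusted to append header entries, and it reads the hop chain from the right so that header entries not appended by a trusted proxy are ignored; the proxy range and allow list are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the post): the load balancer's internal
# range, which is the only hop trusted to append X-Forwarded-For, and the
# external range that the site's IP filter is meant to admit.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED = [ipaddress.ip_network("203.0.113.0/24")]


def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header=""):
    """Return the real client address, or None if it cannot be determined.

    The hop chain is the X-Forwarded-For entries (leftmost = original
    client, each proxy appends itself on the right) followed by the direct
    peer.  Walk it from the right and stop at the first hop that is not a
    trusted proxy: entries further left were supplied by an untrusted party
    and are ignored.  A request that did not arrive through a trusted proxy
    therefore resolves to the direct peer, whatever the header says.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    hops.append(remote_addr)
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: refuse to guess a client address
        if not _is_trusted_proxy(addr):
            return addr
    return None  # every hop was a proxy; no client address present


def is_allowed(remote_addr, xff_header="", proxy_mode=True):
    """Apply the allow list to the direct peer (proxy_mode=False, the
    behaviour the post describes as broken behind a load balancer) or to
    the client address recovered from X-Forwarded-For (proxy_mode=True)."""
    if proxy_mode:
        addr = client_ip(remote_addr, xff_header)
    else:
        addr = ipaddress.ip_address(remote_addr)
    return addr is not None and any(addr in net for net in ALLOWED)
```

With proxy mode off, a request relayed by the load balancer at 10.0.1.5 is judged by that address and denied; with proxy mode on, the same request is judged by the forwarded client address.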
