According to these docs, IIS should allow IP address restrictions to be made based on the x-forwarded-for
address seen by IIS if it is behind a proxy if enableProxyMode
is set to true. I have edited the feature settings to enable proxy mode, and added an "Allow" entry for our proxy's IP address.
My issue is that I am still getting a deny with 403 forbidden when I attempt to connect. It is worth noting that I am configuring this on only one of the applications of a specific website. IIS version is 8.0.x. I tested after full IIS reset and verifying the applicationHost.config:
<location path="mysite.com/myapp">
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" enableProxyMode="true">
<add ipAddress="my proxy ip..." allowed="true" />
</ipSecurity>
</security>
</system.webServer>
</location>
Both your IP and your
x-forwarded-for
IP(s) must be allowed entries for the request to be allowed.With "Proxy Mode" on, the server first checks that the presented IP (the proxy's IP) is allowed. If so, it then gets the last
x-forwarded-for
IP and checks if that is allowed, and recurses up the list ofx-forwarded-for
IPs and checks each for being allowed. All must be allowed, or the request is blocked.If the proxy IP is not allowed, then the request is blocked, and the
x-forwarded-for
doesn't get considered at all; you have to trust the source of the request to try and trust what is in the request.It's explained in longer form (and better terminology) in this Wade Hilmo post on IIS.net.