I'm trying to restrict access to one of my websites so that it only accepts connections from Cloudflare's IP addresses. I've unlocked the IP and Domain Restrictions feature at the server level, allowing me to quickly paste the necessary IPs into the web.config file, which is a lot easier than using the IIS interface. However, I don't want to leave this feature unlocked permanently. When I try to lock it again, the site throws a 503 error, indicating that having entries in the web.config file isn't allowed. I'm unsure whether I should keep the feature unlocked or remove the entries from the web.config and manage everything through the IIS interface instead. Also, I noticed the entries aren't appearing in the applicationHost.config file. Is there another location I should check for these settings?
2 Answers
If you added IPs through the UI, they should reflect in applicationHost.config. You can also just move those to your site's web.config. However, seriously, having your IIS/Windows server exposed to the internet without a firewall is a big risk. It’s full of vulnerabilities and there are constant bots scanning for them. I'd highly recommend setting up a firewall as the first line of defense.
You're definitely not alone in finding this IIS behavior confusing! When you unlock IP restrictions at the server level, you're allowing overrides in the web.config. But if you relock it, IIS will see the web.config entries as unauthorized, hence the 503 error. To manage IP restrictions via web.config effectively, you should leave that feature unlocked for your site. Alternatively, you could handle IP filtering in the applicationHost.config or via PowerShell, which keeps your web.config safe. Also, entries added in web.config won't show up in applicationHost.config since that file only reflects server-level settings applied through IIS Manager or scripts. If you need help scaling or securing this setup, feel free to reach out!
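The second answer's suggestion, keeping the rules in applicationHost.config and managing them with PowerShell, looks like this in practice. This is an added example, not code from either answer: it uses the WebAdministration module's `Set-WebConfigurationProperty`/`Add-WebConfigurationProperty` cmdlets with `-PSPath 'MACHINE/WEBROOT/APPHOST'` and `-Location <site>`, which writes the `ipSecurity` rules into a `<location>` element of applicationHost.config rather than the site's web.config, so the section can stay locked. The site name and the IP ranges are placeholders (RFC 5737 documentation addresses); the real Cloudflare list is not part of this thread and must be substituted before use.

```powershell
# Added example (not from the original answers). Requires the IIS "IP and Domain
# Restrictions" feature (Windows feature Web-IP-Security) and an elevated session.
Import-Module WebAdministration

$siteName = 'Default Web Site'                     # assumption: replace with your site's name
$filter   = 'system.webServer/security/ipSecurity'
$psPath   = 'MACHINE/WEBROOT/APPHOST'              # target applicationHost.config, not web.config

# Placeholder IPv4 ranges from RFC 5737 documentation space. Replace with the
# published Cloudflare ranges; they are deliberately not reproduced here.
$allowedRanges = @(
    @{ ip = '192.0.2.0';    mask = '255.255.255.0' },
    @{ ip = '198.51.100.0'; mask = '255.255.255.0' }
)

# Start from a clean site-level section so stale entries do not linger.
Clear-WebConfiguration -Filter $filter -PSPath $psPath -Location $siteName

# Default-deny: anything not explicitly listed is rejected (403.6 by default).
Set-WebConfigurationProperty -Filter $filter -PSPath $psPath -Location $siteName `
    -Name 'allowUnlisted' -Value $false

# One <add ipAddress="..." subnetMask="..." allowed="true" /> per range.
foreach ($r in $allowedRanges) {
    Add-WebConfigurationProperty -Filter $filter -PSPath $psPath -Location $siteName `
        -Name '.' -Value @{ ipAddress = $r.ip; subnetMask = $r.mask; allowed = $true }
}

# Show the effective (merged) rules IIS will enforce for the site. Rules that live
# only in the site's web.config would also appear here, so this is a quick way to
# confirm where a rule really comes from before re-locking the section.
Get-WebConfiguration -Filter "$filter/add" -PSPath "IIS:\Sites\$siteName" |
    Select-Object ipAddress, subnetMask, allowed

# Re-lock the section at the server level; equivalent to "Lock Section" in IIS Manager.
& "$env:windir\system32\inetsrv\appcmd.exe" lock config /section:system.webServer/security/ipSecurity
```

Because the rules are written under `<location path="...">` in applicationHost.config, re-locking the section no longer produces the 503 described in the question: the lock forbids overrides in web.config, not server-level configuration scoped to a site. Any `ipSecurity` element still present in the site's web.config must be removed first, or the 503 returns.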
Actually, I ran into a new problem with IP restrictions. My JavaScript calls to "/folder1/program1.php" keep resulting in a 403 error. Even adding the server's own IP to the whitelist doesn’t fix it!
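When IP and Domain Restrictions rejects a request, IIS logs it with status 403 and substatus 6 ("IP address rejected"), and the `c-ip` field records the address IIS actually evaluated. For a site fronted by Cloudflare that is the Cloudflare edge address, not the browser's and not the server's own address, which is why whitelisting the server's IP does not change the outcome. The following added example (not part of the thread) parses a W3C log excerpt and lists the 403.6 entries with the client address IIS saw; the log lines are constructed and `Get-IpRejectedRequests` is a hypothetical helper name.

```powershell
# Added example (not from the original thread). Real logs live under
# %SystemDrive%\inetpub\logs\LogFiles\W3SVC<siteId>\ ; this excerpt is constructed.
$logText = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-substatus sc-win32-status
2024-01-01 12:00:00 192.0.2.10 GET /folder1/program1.php - 443 192.0.2.10 403 6 0
2024-01-01 12:00:01 192.0.2.10 GET /index.html - 443 198.51.100.7 200 0 0
2024-01-01 12:00:02 192.0.2.10 GET /folder1/program1.php - 443 203.0.113.44 403 6 0
'@

function Get-IpRejectedRequests {
    # Returns one object per request that IP and Domain Restrictions denied (403.6).
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: directive names the columns; W3C logs can change it mid-file.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        if ($rec['sc-status'] -eq '403' -and $rec['sc-substatus'] -eq '6') {
            [pscustomobject]$rec
        }
    }
}

Get-IpRejectedRequests -Lines ($logText -split "`r?`n") |
    Select-Object 'c-ip', 'cs-uri-stem', 'sc-status', 'sc-substatus'
```

The `sc-substatus` column must be enabled in the site's logging field selection for this filter to work; a 403 with a substatus other than 6 is not an IP restriction rejection and should be investigated elsewhere (for example, a handler or authorization rule on the requested path).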