I'm trying to restrict access to one of my websites so that it only accepts connections from Cloudflare IP addresses. To make the process quicker, I unlocked the relevant feature at the server level and directly pasted the IP addresses into the web.config file instead of using the IIS interface. However, I'm not sure if I should leave this feature unlocked or if I should remove the entries from web.config and just use the IIS interface instead. When I try to lock the feature again, I encounter a 503 error because it says the entries in web.config are unauthorized overrides. I also noticed I can't find the entries in applicationHost.config, which makes me wonder if there's another file I should be checking.
4 Answers
I hear you on the confusion around this setup. It's important to remember that the entries from web.config aren’t going to show in applicationHost.config since that file only reflects the parameters set directly through IIS Manager. Your approach to toggle the settings can definitely lead to 503 errors, so if you want to stick with the config file routes, keeping it unlocked might be your best bet.
Honestly, while IIS does allow for IP restrictions, it's not the best tool for the job if you're concerned about security. Instead, I'd recommend using a firewall and setting up custom routes to handle your IP restrictions. It keeps IIS out of the equation, which is a plus. Plus, if you do expose IIS to the open internet, you're opening yourself up to a variety of vulnerabilities. So definitely consider putting a firewall in front of it to enhance security.
You're definitely not alone; dealing with IIS and IP restrictions through web.config can be quite tricky. When you unlock the IP and Domain Restrictions at the server level, it allows site-level configurations in web.config to manage that feature. However, if you lock it again after making changes, IIS throws a 503 error because it sees those web.config entries as unauthorized overrides. To manage IP restrictions via web.config without getting the error, you need to leave that feature unlocked for your site. Alternatively, for a more centralized approach, consider managing IP filtering in applicationHost.config or through PowerShell scripts. And yes, if you only add entries in web.config, they won’t show up in applicationHost.config.
When I added IP addresses through the IIS UI, they were placed directly into applicationHost.config. If you're looking to manage this effectively, just move your entries to the site-level web.config instead. Just keep in mind that having your IIS/Windows server publicly accessible isn't ideal without a proper firewall in place.
Well, I've run into a newer issue. Even with IP restrictions set up, JavaScript calls to "/folder1/program1.php" return a 403 error. I tried whitelisting the server's own IP address, but that didn't help.