Web.config ipSecurity
The web.config file can be used to restrict website access by client IP address. The restriction can apply to a single page, a directory and all of its subdirectories, or the entire web site. You can block all IP addresses and let in only a few trusted ones, or allow everyone and block specific IP addresses or subnets.

While some web.config sections require that the containing directory is set as an application, this isn't one of them. A simple web.config with an ipSecurity section may be placed in any directory, and the directory does NOT need to be set as an application.

Purpose
IP address restrictions limit access based on the IP address of the client computer. They can protect specific directories or the entire web site. There are two ways to use them:
  • Allow all, but block specific IPs or networks
  • Deny all, but allow specific IPs or networks
How it's done
Example IP address restrictions. Comments are enclosed in <!-- --> and are not required.
  • Allow all, but block specific IPs or networks
    <security>
       <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->            
           <clear/>     <!-- removes all upstream restrictions -->                
           <add ipAddress="83.116.19.53"/>     <!-- blocks the specific IP of 83.116.19.53  -->                
           <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>     <!--blocks network 83.116.119.0 to 83.116.119.255-->                
           <add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/>     <!--blocks network 83.116.0.0 to 83.116.255.255-->                
           <add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/>     <!--blocks entire /8 network of 83.0.0.0 to 83.255.255.255-->                
       </ipSecurity>
    </security>
    

  • Deny all, but allow specific IPs or networks
    <security>
        <ipSecurity allowUnlisted="false">    <!-- this line blocks everybody, except those listed below -->                
            <clear/> <!-- removes all upstream restrictions -->
            <add ipAddress="127.0.0.1" allowed="true"/>    <!-- allow requests from the local machine -->
            <add ipAddress="83.116.19.53" allowed="true"/>   <!-- allow the specific IP of 83.116.19.53  -->                
            <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>   <!--allow network 83.116.119.0 to 83.116.119.255-->                
            <add ipAddress="83.116.0.0" subnetMask="255.255.0.0" allowed="true"/>   <!--allow network 83.116.0.0 to 83.116.255.255-->                
            <add ipAddress="83.0.0.0" subnetMask="255.0.0.0" allowed="true"/>   <!--allow entire /8 network of 83.0.0.0 to 83.255.255.255-->                
        </ipSecurity>
    </security>
    

Using IP Address Restrictions
  • Use a text editor to create a file named web.config
  • Save the web.config file with the appropriate content
  • Place the web.config file in the directory that you wish to protect

Detailed web.config content
  • If there isn't an existing web.config in the directory, your new web.config should look something like this:
    <?xml version="1.0"?>
    <configuration>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
               <clear/> <!-- removes all upstream restrictions -->
               <add ipAddress="83.116.19.53"/>   <!-- block one IP  -->                
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!--block network 83.116.119.0 to 83.116.119.255-->               
            </ipSecurity>
          </security>
          <modules runAllManagedModulesForAllRequests="true"/>
       </system.webServer>
    </configuration>
    

  • If there is an existing web.config without a <system.webServer> section, your new web.config should look like this:
    <?xml version="1.0"?>
    <configuration>
       <system.web>
         .. existing text ..
         .. existing text ..
       </system.web>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
               <clear/> <!-- removes all upstream restrictions -->
               <add ipAddress="83.116.19.53"/>   <!-- block one IP  -->                
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!--block network 83.116.119.0 to 83.116.119.255-->               
            </ipSecurity>
          </security>
          <modules runAllManagedModulesForAllRequests="true"/>
       </system.webServer>
    </configuration>
    

  • If your existing web.config already has a <system.webServer> section, just add the <security><ipSecurity> section:
    <?xml version="1.0"?>
    <configuration>
       <system.web>
         .. existing text ..
         .. existing text ..
       </system.web>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
               <clear/> <!-- removes all upstream restrictions -->
               <add ipAddress="83.116.19.53"/>   <!-- block one IP  -->                
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!--block network 83.116.119.0 to 83.116.119.255-->               
            </ipSecurity>
          </security>
          <modules runAllManagedModulesForAllRequests="true"/>
       </system.webServer>
    </configuration>