How to verify IP blocking using URL rewrites

Description

In DxC it is common to restrict a site so that only certain IP addresses can access it. These rewrite rules can be hard to troubleshoot in DxC because it is difficult to test from a particular IP. Below is a way to spoof an IP so that it can be tested against the restrictions. It is generally easier to try this locally before attempting to spoof in DxC.

Steps
  1. Follow the DxC documentation for blocking IPs.
  2. Add the spoofing rule (named "Spoof incoming IP address" below) to the rules.
    <rewrite>
      <rules>
        <!-- Test-only rule: it overrides the client IP for every request, so remove it after testing -->
        <!-- IIS only lets a rule set a server variable that is listed under allowedServerVariables -->
        <rule name="Spoof incoming IP address"
              patternSyntax="Wildcard" stopProcessing="false">
          <match url="*" />
          <action type="None" />
          <serverVariables>
            <!-- The IP you want to spoof here -->
            <set name="HTTP_True_Client_IP" value="192.168.1.5" />
          </serverVariables>
        </rule>
        <rule name="Block unauthorized traffic" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <!-- IPs you want to allow here; the regex is anchored and escaped so only the exact address matches -->
            <add input="{HTTP_True_Client_IP}" pattern="^192\.168\.1\.5$" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Site is blocked due to IP restrictions" />
        </rule>
      </rules>
    </rewrite>
  3. Test to see if the IP succeeds or fails. In the above case no error should occur.

The same approach can be tried with X_Forwarded_For or REMOTE_ADDR: replace HTTP_True_Client_IP with HTTP_X_Forwarded_For or HTTP_REMOTE_ADDR.
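
The check in step 3 can also be rehearsed offline. The following is an added example, not part of the original article or any product code: it evaluates a block rule against a spoofed client IP using a simplified model of IIS URL Rewrite conditions (unanchored, case-insensitive regex, MatchAll grouping), and compares an unanchored allow pattern with an anchored, escaped one. The sample XML, the rule names `loose` and `strict`, and the functions `is_blocked` and `evaluate` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the block rule above; the rule names
# "loose" and "strict" are illustrative only.
SAMPLE = r"""
<rewrite><rules>
  <rule name="loose" stopProcessing="true">
    <match url=".*" />
    <conditions>
      <add input="{HTTP_True_Client_IP}" pattern="192.168.1.5" negate="true" />
    </conditions>
    <action type="CustomResponse" statusCode="403" />
  </rule>
  <rule name="strict" stopProcessing="true">
    <match url=".*" />
    <conditions>
      <add input="{HTTP_True_Client_IP}" pattern="^192\.168\.1\.5$" negate="true" />
    </conditions>
    <action type="CustomResponse" statusCode="403" />
  </rule>
</rules></rewrite>
"""

def is_blocked(rule, server_vars):
    """Simplified model: True when every condition of the rule holds
    (default MatchAll grouping), i.e. the 403 action would fire."""
    for cond in rule.iter("add"):
        name = cond.get("input").strip("{}")
        value = server_vars.get(name, "")
        # Assumed semantics: the pattern may match anywhere in the value, ignoring case.
        matched = re.search(cond.get("pattern"), value, re.IGNORECASE) is not None
        if cond.get("negate", "false").lower() == "true":
            matched = not matched
        if not matched:
            return False
    return True

def evaluate(xml_text, client_ip, variable="HTTP_True_Client_IP"):
    """Return {rule name: blocked?} for one spoofed client IP."""
    rules = ET.fromstring(xml_text.strip()).iter("rule")
    return {r.get("name"): is_blocked(r, {variable: client_ip}) for r in rules}

if __name__ == "__main__":
    for ip in ("192.168.1.5", "192.168.1.50", "10.0.0.7", ""):
        print(repr(ip), evaluate(SAMPLE, ip))
```

With the unanchored pattern, a value such as `192.168.1.50` is not blocked, while the anchored pattern returns the 403 for it.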