Vulnerability in EPiServer.Forms
A client has given me an IPv6 to add into the restrictions section of the web.config.
For all IPv4 we have followed this article: https://world.episerver.com/digital-experience-cloud-service/dxc-security/restricting-environment-access/
How can I add an IPv6 to this?
Thanks in advance
Rather than using url rewrite to restrict access to the sites, you could maybe make use of the ipSecurity configuration element.
My understanding is that although the documentation suggests it only supports IPv4, IPv6 addresses can be used too - https://blogs.iis.net/nazim/using-ipv6-with-iis7
<add ipAddress="10.199.199.199" allowed="true" />
<add ipAddress="188.8.131.52" subnetMask="255.255.0.0" allowed="true" />
<add ipAddress="2001:4898:2a:5:c4ad:9291:22b1:c870" subnetMask="ffff:ffff::" allowed="true" />
If the above doesn't work for you, you could always add some custom logic into Application_BeginRequest to test the IPs and return the response you require.
Thank you Tom, I was unfamiliar with this approach; it definitely looks a lot neater and can use CIDR by the looks of it. :)
Edit: I don't believe this will work on an Azure Web App.
I believe Azure web apps have their own restrictions - https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
Yup, they do, Tom, although Episerver do not allow access to this section as part of the Azure access, thus recommending the approach in my original article and using rewrites.
Ahh I didn't realise you didn't have that access. I think if none of the configuration approaches work you may need to write some code to process the requests. I've done something similar in the past making use of the Application_BeginRequest to test the IP against a list of IPs defined in config and return a 404 if they don't match.
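The Application_BeginRequest check described in the reply above could look like the following. This is an added example, not code from the thread or from Episerver; the names Global, AllowedCidrs and InCidr are hypothetical, the ranges are constructed documentation prefixes, and it goes beyond the reply by matching CIDR ranges for both IPv4 and IPv6 rather than single addresses.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;

// Global.asax.cs for ASP.NET on .NET Framework 4.5+ (hypothetical class name).
public class Global : HttpApplication
{
    // Constructed sample ranges; in practice load the list from configuration.
    static readonly string[] AllowedCidrs = { "203.0.113.0/24", "2001:db8:2a::/48" };

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Assumption: UserHostAddress is the real client address. Behind a CDN or
        // reverse proxy it is the proxy's address, and the client address must be
        // taken from a header that only the trusted proxy can set.
        IPAddress client;
        bool ok = IPAddress.TryParse(Request.UserHostAddress, out client)
                  && AllowedCidrs.Any(c => InCidr(client, c));
        if (!ok)
        {
            Response.StatusCode = 404;   // same response the reply describes
            CompleteRequest();           // skip the rest of the pipeline
        }
    }

    // True when address falls inside cidr ("network/prefix"), IPv4 or IPv6.
    public static bool InCidr(IPAddress address, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress network;
        int prefix;
        if (parts.Length != 2 || !IPAddress.TryParse(parts[0], out network)
            || !int.TryParse(parts[1], out prefix))
            return false;                                  // malformed entry never matches
        // Dual-stack sockets report IPv4 clients as ::ffff:a.b.c.d; normalise first.
        if (address.IsIPv4MappedToIPv6) address = address.MapToIPv4();
        if (address.AddressFamily != network.AddressFamily) return false;
        byte[] a = address.GetAddressBytes(), n = network.GetAddressBytes();
        if (prefix < 0 || prefix > a.Length * 8) return false;
        int full = prefix / 8, rest = prefix % 8;
        for (int i = 0; i < full; i++)                     // whole bytes of the prefix
            if (a[i] != n[i]) return false;
        if (rest == 0) return true;
        int mask = (0xFF << (8 - rest)) & 0xFF;            // leftover high bits
        return (a[full] & mask) == (n[full] & mask);
    }
}
```

An unparseable address or list entry is treated as not allowed, so a configuration mistake fails closed rather than opening the site.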
I'm having the same issue. What solution ended up being used for this?
Any update on this? We used UrlRewrite for IPv4, but recently ran into this issue with IPv6. Is the solution to let Optimizely manage it?
I think the best way to do this is to add some custom middleware.
You can retrieve the IP address from Cloudflare and then parse this and compare against a safe list. There is example code here.
Thanks for that. Is that a recent change for .NET 5/6?