-1

In IIS I'm trying to set up a regular expression for the URL Rewrite module that will allow a certain IP range to access it, however I'm struggling to get a regular expression to work accurately. IP addresses obviously can be multiple characters, so this is what can make it hard, I feel. An example is below:

IP Value to Match:

12.345.678.198

The below will obviously match the 1st 3 sections as they are static, but I want to match the last 3 and this is the simplest way to demo what I want, but clearly will not work:

12\.345\.678.[193-254]

I've tried:

12\.345\.678.[1-2][5-9][3-4]

But that will obviously not match the last digit of 8 as it is outside of the range of [3-4]. If I did

12\.345\.678.[1-2][0-9][0-9]

This would match an IP of 12.345.678.269 and that is outside of the range that I would require. Is this even possible with regex, or is there a different, better way to limit IP addresses in IIS from connecting to a certain site hosted within that?

Many thanks in advance

Adam Lacey

2 Answers

1

Try the following regex:

12\.345\.678\.(?:19[0-9]|2[0-4][0-9]|25[0-4])

By the way, you do realize that IP address segment values are between 0 and 255...

[Edit] Correction:

12\.345\.678\.(?:19[3-9]|2[0-4][0-9]|25[0-4])
Uri Y
  • unfortunately that also picks up 12.345.678.192 which isn't correct, but it's a good example – Adam Lacey Nov 07 '17 at 13:04
  • That's the one, many thanks for this. Can I ask what the (?: at the start of the final ip section does please? – Adam Lacey Nov 07 '17 at 13:10
  • the ?: means it is a non-capturing group, it will not create a match group. – Uri Y Nov 07 '17 at 13:17
  • @Adam Lacey [What is a non-capturing group? What does a question mark followed by a colon (?:) mean?](https://stackoverflow.com/q/3512471/3302347) – mmm Nov 07 '17 at 13:19
  • You should read about regex syntax. https://www.regular-expressions.info/refcapture.html – Uri Y Nov 07 '17 at 13:22
0

To provide the answer that works for me: @mmm said in the comments that the regex below would work, which it does:

^12\.345\.678\.(?:(?:1[9][3-9])|(?:[2][0-4][0-9])|(?:[2][5][0-4]))$

I also discovered that what I was trying to achieve could have been done via "IP Address and Domain Restrictions" in IIS itself. HOWEVER, as our servers are behind a load balancer that is configured for SSL offloading, this did not work for me, so the regex via the URL Rewrite Module built into IIS8 was the answer.

For it to successfully work, at the bottom of the web.config I had to write it like:

 <system.webServer>
   <rewrite>
     <rules>
        <rule name="Force Https" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
                <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" negate="true" />
                <add input="{REMOTE_ADDR}" pattern="172.23.63.10" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
        </rule>
        <rule name="RequestBlockingRule1" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_X_FORWARDED_FOR}" pattern="^12\.345\.678\.(?:(?:[1][9][3-9])|(?:[2][0-4][0-9])|(?:[2][5][0-4]))$" negate="true" />
            </conditions>
            <action type="CustomResponse" statusCode="403" />
         </rule>
     </rules>
   </rewrite>
 </system.webServer>
</configuration>

{HTTP_X_FORWARDED_PROTO} is what provided the real IP address to allow the restriction on, as it's been offloaded by the load balancer, so IIS would only see the load balancer's IP and not the external one.

However it would be nice to have the (?:(?: part explained to me please.

Adam Lacey
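An added example (not code from either answer) that checks the thread's patterns exhaustively in JavaScript, whose regex syntax is the ECMAScript flavour URL Rewrite uses by default. The anchors put on the first two patterns, the `unanchored` variant and the sample header values are constructed here for the comparison.

```javascript
// 12.345.678 is the page's placeholder prefix, not a routable address.
const PREFIX = "12.345.678.";

const patterns = {
  // Question's attempt (anchors added here): each digit is checked on its own.
  perDigit: /^12\.345\.678\.[1-2][0-9][0-9]$/,
  // First answer before its correction (anchors added here).
  firstTry: /^12\.345\.678\.(?:19[0-9]|2[0-4][0-9]|25[0-4])$/,
  // Corrected and anchored, as in the web.config rule.
  corrected: /^12\.345\.678\.(?:19[3-9]|2[0-4][0-9]|25[0-4])$/,
};
// Same alternation without ^ and $ (constructed for comparison).
const unanchored = /12\.345\.678\.(?:19[3-9]|2[0-4][0-9]|25[0-4])/;

// Last-octet values in 0..999 where the pattern disagrees with the range lo..hi.
function mismatches(re, lo = 193, hi = 254) {
  const wrong = [];
  for (let n = 0; n <= 999; n++) {
    const shouldMatch = n >= lo && n <= hi;
    if (re.test(PREFIX + n) !== shouldMatch) wrong.push(n);
  }
  return wrong;
}

// Constructed header values, not captured traffic.
const samples = [
  "12.345.678.200",           // single address inside the range
  "12.345.678.1935",          // extra trailing digit
  "112.345.678.200",          // extra leading digit
  "12.345.678.200, 10.0.0.5", // comma-separated chain of addresses
];

// One boolean per sample: does the pattern accept the whole header value?
function verdicts(re) {
  return samples.map((value) => re.test(value));
}

console.log("perDigit wrong count:", mismatches(patterns.perDigit).length);
console.log("firstTry wrong:", mismatches(patterns.firstTry));
console.log("corrected wrong:", mismatches(patterns.corrected));
console.log("anchored:", verdicts(patterns.corrected));
console.log("unanchored:", verdicts(unanchored));
```

Because the rule uses `negate="true"`, every sample the anchored pattern rejects receives the 403, including a header that carries more than one address.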