Only allows requests from a specified set of IPs. Useful when a site is under development or maintenance.
Whitelist IP Addresses
To only allow requests from a list of whitelisted IPs, first add the following rewrite map to web.config’s <rewriteMaps> section (create the rewriteMaps element if it doesn’t exist):
<system.webServer>
  <rewrite>
    <rewriteMaps>
      <rewriteMap name="Whitelist">
        <add key="127.0.0.1" value="1" />
        <add key="192.168.1.15" value="1" />
      </rewriteMap>
    </rewriteMaps>
  </rewrite>
</system.webServer>
Then add the following to your web.config’s <rules> section:
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Only allow whitelisted IPs">
        <match url=".*" />
        <conditions>
          <add input="{Whitelist:{REMOTE_ADDR}}" matchType="Pattern" pattern="1" negate="true" />
        </conditions>
        <action type="Redirect" url="https://www.example.com/404.html" appendQueryString="false" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
For clarity, this is how the web.config would reflect these additions:
<system.webServer>
  <rewrite>
    <rewriteMaps>
      <rewriteMap name="Whitelist">
        <add key="127.0.0.1" value="1" />
        <add key="192.168.1.15" value="1" />
      </rewriteMap>
    </rewriteMaps>
    <rules>
      <rule name="Only allow whitelisted IPs">
        <match url=".*" />
        <conditions>
          <add input="{Whitelist:{REMOTE_ADDR}}" matchType="Pattern" pattern="1" negate="true" />
        </conditions>
        <action type="Redirect" url="https://www.example.com/404.html" appendQueryString="false" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
This would allow requests from the IPs 127.0.0.1 and 192.168.1.15 while redirecting all requests from any other IP to the 404.html page.
Blacklist IP Addresses
To prevent requests from a list of blacklisted IPs, first add the following rewrite map to web.config’s <rewriteMaps> section (create the rewriteMaps element if it doesn’t exist):
<system.webServer>
  <rewrite>
    <rewriteMaps>
      <rewriteMap name="Blacklist">
        <add key="103.22.66.175" value="1" />
      </rewriteMap>
    </rewriteMaps>
  </rewrite>
</system.webServer>
Then add the following to your web.config’s <rules> section:
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Reject blacklisted IPs">
        <match url=".*" />
        <conditions>
          <add input="{Blacklist:{REMOTE_ADDR}}" matchType="Pattern" pattern="1" />
        </conditions>
        <action type="CustomResponse" statusCode="403" statusReason="Forbidden" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
For clarity, this is how the web.config would reflect these additions:
<system.webServer>
  <rewrite>
    <rewriteMaps>
      <rewriteMap name="Blacklist">
        <add key="103.22.66.175" value="1" />
      </rewriteMap>
    </rewriteMaps>
    <rules>
      <rule name="Reject blacklisted IPs">
        <match url=".*" />
        <conditions>
          <add input="{Blacklist:{REMOTE_ADDR}}" matchType="Pattern" pattern="1" />
        </conditions>
        <action type="CustomResponse" statusCode="403" statusReason="Forbidden" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
This would prevent requests from the IP 103.22.66.175 by returning a 403 Forbidden response. Requests from all other IPs are allowed.
Behind a Proxy?
If the web server is behind a proxy, you will most likely want or need to replace each instance of {REMOTE_ADDR} in the configurations above with {HTTP_X_FORWARDED_FOR}, which holds the original requesting client’s IP address (equivalent to REMOTE_ADDR when not proxied) rather than the internal IP address of the proxy.
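To see exactly which requests the whitelist and blacklist rules above let through, and what changes once {HTTP_X_FORWARDED_FOR} is substituted behind a proxy, here is an added Python model of the rule evaluation (it is not IIS code and not part of the original page): a rewriteMap lookup is an exact whole-key match with an empty default, and the condition is a regular-expression test against that value. The Request class, the sample addresses 10.0.0.2 and 203.0.113.7, and the appending proxy are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Maps copied from the web.config snippets above (key -> value).
WHITELIST = {"127.0.0.1": "1", "192.168.1.15": "1"}
BLACKLIST = {"103.22.66.175": "1"}

@dataclass
class Request:
    remote_addr: str                             # REMOTE_ADDR as IIS sees it
    headers: dict = field(default_factory=dict)  # e.g. X-Forwarded-For

def source_ip(req: Request, behind_proxy: bool) -> str:
    """Server variable the condition reads: {REMOTE_ADDR}, or
    {HTTP_X_FORWARDED_FOR} after the proxy substitution described above."""
    if behind_proxy:
        return req.headers.get("X-Forwarded-For", "")
    return req.remote_addr

def map_lookup(rewrite_map: dict, key: str) -> str:
    """A rewriteMap lookup is an exact, whole-key match; a miss yields the
    map's defaultValue, which is the empty string unless configured."""
    return rewrite_map.get(key, "")

def condition_matches(value: str, pattern: str) -> bool:
    """matchType="Pattern" is an unanchored regular-expression test."""
    return re.search(pattern, value) is not None

def whitelist_rule(req: Request, behind_proxy: bool = False):
    """Rule 'Only allow whitelisted IPs': negate="true", so the action fires
    when the looked-up value does NOT match "1"."""
    value = map_lookup(WHITELIST, source_ip(req, behind_proxy))
    if not condition_matches(value, "1"):
        return ("Redirect", "https://www.example.com/404.html")
    return ("Allow", None)

def blacklist_rule(req: Request, behind_proxy: bool = False):
    """Rule 'Reject blacklisted IPs': the action fires when the value matches "1"."""
    value = map_lookup(BLACKLIST, source_ip(req, behind_proxy))
    if condition_matches(value, "1"):
        return ("CustomResponse", 403)
    return ("Allow", None)

# Constructed sample: a whitelisted client arriving through a proxy that
# APPENDS its own address to X-Forwarded-For instead of replacing it.
PROXIED = Request("10.0.0.2", {"X-Forwarded-For": "192.168.1.15, 10.0.0.2"})
```

The last sample shows the proxy caveat: a proxy that appends to X-Forwarded-For produces a comma-separated list that the exact-key map never matches, so the whitelisted client is redirected. X-Forwarded-For is also only trustworthy when the proxy overwrites it, since any client that can reach the server without passing through the proxy can set the header to whatever it likes.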
In More Detail
Blacklisting by IP is probably the oldest form of blacklisting, and works very well for denying access to site scrapers, trolls, and other malicious visitors.
While IP blacklisting can be circumvented by using a different computer with a different IP address, a tunneling VPN service, or a proxy server or network, the vast majority of malicious requests are made by lazy or relatively uninformed individuals who use the same machine and operate with little sophistication. IP blacklisting is a simple way to take advantage of that laziness, and adding these rules causes no harm.