
IIS8.5 - IP restrictions and Proxy mode


Hi,

I have a problem or a misunderstanding about IP and Domain Name Restrictions on IIS8.5 with proxy mode activated.

First, my wish is to protect an application inside my website from being accessed externally and to allow it only from the internal network.

To access this application we request a URL like My.website.com/myapp from the internal and external networks.

In both cases, we access it through an NGINX reverse proxy. This is why I must activate the proxy mode to interpret the real IP address (X-Forwarded-For).

When I look at the logs (I've activated advanced logs with X-Forwarded-For logged), I see that our internal requests come in with our outgoing public address (x.y.z.40) and external requests appear with their real public address.

So, I wanted to set, for "myapp", IP & domain name restrictions with the "Deny" setting for "access for unspecified clients", and I enabled "Proxy Mode".

And then, I added an "allow entry" for my x.y.z.40 outgoing public IP address.

--> It doesn't work. External and internal requests are all refused by IIS. It should allow my internal requests as they come as "x.y.z.40".

To troubleshoot the behaviour I tested the exact opposite situation: I allowed unspecified clients and I added a Deny entry for the x.y.z.40 outgoing public IP address.

--> It's working as expected: internal requests are denied (normal), external requests are allowed.

Conclusion: it seems that the "proxy mode" setting is working properly only if the default rule is "allow for unspecified clients".

Has anybody already implemented this function to work as "deny for all" and allow specific addresses behind a proxy (with proxy mode activated)?

Thanks,

Hervé
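
Added example, not part of the original post: a small Python model of one reading of proxy mode that reproduces both results reported above. It assumes IIS applies the rule list to the connecting address (the NGINX proxy) as well as to the X-Forwarded-For address and refuses the request if either is denied; the addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed addresses (documentation ranges), not values from the post.
PROXY = "10.0.0.5"          # NGINX reverse proxy as seen by IIS (assumed)
OFFICE = "203.0.113.40"     # stands in for the x.y.z.40 outgoing address
OUTSIDE = "198.51.100.7"    # an external client


def verdict(addr, entries, allow_unlisted):
    """In this model the first matching entry decides; otherwise the
    'unspecified clients' default applies."""
    ip = ipaddress.ip_address(addr)
    for network, allowed in entries:
        if ip in ipaddress.ip_network(network):
            return allowed
    return allow_unlisted


def request_allowed(peer, forwarded_for, entries, allow_unlisted, proxy_mode=True):
    """Assumed behaviour: in proxy mode both addresses must pass the rule list."""
    checked = [peer]
    if proxy_mode and forwarded_for:
        checked.append(forwarded_for)
    return all(verdict(a, entries, allow_unlisted) for a in checked)


def scenario(entries, allow_unlisted):
    """Return (internal_allowed, external_allowed) for requests via the proxy."""
    return (
        request_allowed(PROXY, OFFICE, entries, allow_unlisted),
        request_allowed(PROXY, OUTSIDE, entries, allow_unlisted),
    )


# Deny by default, allow only the office address: everything is refused,
# because the proxy's own address is unlisted.
DENY_DEFAULT = scenario([(OFFICE, True)], allow_unlisted=False)
# Allow by default, deny the office address: internal refused, external allowed.
ALLOW_DEFAULT = scenario([(OFFICE, False)], allow_unlisted=True)
# Deny by default, allow both the office address and the proxy address.
WITH_PROXY_ENTRY = scenario([(OFFICE, True), (PROXY, True)], allow_unlisted=False)

if __name__ == "__main__":
    for name in ("DENY_DEFAULT", "ALLOW_DEFAULT", "WITH_PROXY_ENTRY"):
        print(name, globals()[name])
```

If the model holds, the third case is the configuration to test: an allow entry for the NGINX address alongside the one for x.y.z.40.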

