
We're looking at deploying CloudFlare as a WAF for our site. One of the requirements is that we restrict access to the site from outside North America. Fortunately, CloudFlare supports GeoLocation, and stamps requests to the origin server with a location header.

Now, however, I need to figure out how to whitelist countries. Ideally, I'd like to specify CA and US or whatever as permissible values, and reject everything else, but in IIS, it seems to only support blacklisting.

Is there a way to do this in IIS alone, or does anyone know of a third-party module that does this?

Mike Caron

1 Answer

You could use the IIS Rewrite Module.

Use a rule to match all URLs and a condition to check the HTTP header injected by CloudFlare: check the country value and reject all requests not from the US or Canada.

A sample rule would be something like this:

<rewrite>
    <rules>
        <rule name="RequestBlockingRule1" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_CF_IPCOUNTRY}" pattern="^(CA|US)$" negate="true" />
            </conditions>
            <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="Using this site from your location is not supported." />
        </rule>
    </rules>
</rewrite>

CF-IPCountry would be the name of the header injected by CloudFlare.

Peter Hahndorf
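Added example, not part of the original answer: a JavaScript model of the rule's negated condition, showing how grouping the alternation in the pattern changes which CF-IPCountry values get through the allowlist. The header values are constructed samples, and the empty-string handling of a missing header is an assumption about how the condition input expands.

```javascript
// Models <add input="{HTTP_CF_IPCOUNTRY}" pattern="..." negate="true" />.
// URL Rewrite patterns use ECMAScript regex syntax, so JavaScript's RegExp
// is a close stand-in. Conditions default to ignoreCase="true" ("i" flag).
const UNGROUPED = /^CA|US$/i;   // parsed as (^CA) OR (US$)
const GROUPED = /^(CA|US)$/i;   // the whole value must be exactly CA or US

// Returns true when the rule would fire and answer 403, i.e. when the
// pattern does NOT match the header value (that is what negate="true" does).
function isBlocked(pattern, headerValue) {
  // Assumption: an absent header reaches the condition as an empty string.
  const value = headerValue === undefined ? "" : headerValue;
  return !pattern.test(value);
}

// Returns the sample values on which the two patterns disagree.
function disagreements(samples) {
  return samples.filter(
    (v) => isBlocked(UNGROUPED, v) !== isBlocked(GROUPED, v)
  );
}

// Constructed samples: allowed codes, other codes, the XX (unknown) and
// T1 (Tor) values Cloudflare can send, a missing header, malformed values.
const SAMPLES = [
  "US", "CA", "us", "GB", "XX", "T1", "", undefined,
  "CAT", "AUS", "CA, US", "US ",
];

// Print one line per sample so the difference is visible when run directly.
for (const v of SAMPLES) {
  const label = v === undefined ? "(header absent)" : JSON.stringify(v);
  console.log(
    label.padEnd(16),
    "ungrouped:", isBlocked(UNGROUPED, v) ? "403" : "pass",
    " grouped:", isBlocked(GROUPED, v) ? "403" : "pass"
  );
}
```

Only the grouped pattern rejects every value that is not exactly `CA` or `US`; both patterns reject a missing or empty header because of `negate="true"`.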