ISAPI filter to allow access only to hosts with selected IP addresses

This article describes an ISAPI filter that allows access only to hosts whose IP addresses are listed in an external data source. This sample uses a file (ipaddressdb.txt) to keep track of authorized IP addresses, but you could modify it to query a database that holds the IP address information.

For each URL request, the filter first looks in a cache of recently allowed addresses, and when that fails, it looks in the ipaddressdb.txt file. This shows an efficient way to authorize connections: a cache allows the filter to quickly allow or disallow access, and because each request comes in through the filter, speed is critical.

The project is a standard AppWizard-generated ISAPI filter. Four parameters can be changed to fine-tune the filter: the maximum number of cached addresses, the position after which a cached entry will be moved to the front of the list (to shorten the search time), the name of the file that contains the IP address list, and the name of the HTML file that tells the client that a host with its IP address is not allowed to access this server. All these parameters are #define directives in the IPAddressFilter.h header file.

The filter could be improved in several ways: using a database instead of a file for IP address information (you should consider using stored procedures to search and/or to cache!), load parameters from registry, automatic selection of the number of cached addresses and the list reorder parameter, etc.

The full source code is provided; you will have to compile it to get a working filter. Once you have compiled the project, take the following steps to install it:

  1. Run REGEDT32.EXE and modify the server's registry as follows. Select the Filter DLLs key in HKEY_LOCAL_MACHINE\CurrentControlSet\Services\W3SVC\Parameters. Add a local path to ipaddressfilter.dll, usually C:\WinNT\System32\InetSrv\ipaddressfilter.dll. The filter entries are separated by commas. The order is important: if you have other filters with the same priority, the first one listed will receive the requests first.
  2. Copy the ipaddressfilter.dll file to the directory you specified in the registry.
  3. Make sure the System account has execute rights on the filter DLL file.
  4. Edit the ipaddressdb.txt file so it contains valid IP addresses. The format of the file is:
    127.*
    172.16.1.6
    172.16.5.*
    172.17.*

  5. Copy the ipaddressdb.txt file to the directory you specified in the IPAddressFilter.h header file for the IP address database.
  6. Copy the NoAccess.htm file to the directory you specified in the IPAddressFilter.h header file for the page to indicate that the access is denied for this IP address.
  7. Make sure the System account has read rights on the NoAccess.htm and ipaddressdb.txt files.
  8. Restart the WWW service.
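
The lookup described above (a cache of recently allowed addresses with a move-to-front rule, then the address file from step 4) can be sketched as follows. This is an added example, not the article's source code: the names, the two constants, and the wildcard semantics (a trailing `.*` matches everything under that dotted prefix) are assumptions.

```cpp
// Added example: not the article's source; names and constants are hypothetical.
#include <algorithm>
#include <cstdio>
#include <list>
#include <sstream>
#include <string>
#include <vector>
const std::size_t MAX_CACHED = 3;     // assumed stand-in for the cache-size #define
const std::size_t REORDER_AFTER = 0;  // assumed: hits past this index move to the front
const char* SAMPLE_DB = "127.*\n172.16.1.6\n172.16.5.*\n172.17.*\n";  // file from step 4

// Assumed semantics: "a.b.*" matches any address under a.b.; anything else is exact.
bool matchesEntry(const std::string& entry, const std::string& ip) {
    std::size_t n = entry.size();
    if (n >= 3 && entry.compare(n - 2, 2, ".*") == 0)
        return ip.compare(0, n - 1, entry, 0, n - 1) == 0;  // prefix keeps its dot
    return entry == ip;
}
class AllowList {
    std::vector<std::string> entries_;  // lines of the address file
    std::list<std::string> cache_;      // recently allowed addresses only
public:
    explicit AllowList(const std::string& fileText) {
        std::istringstream in(fileText);
        for (std::string line; in >> line;) entries_.push_back(line);
    }
    bool isAllowed(const std::string& ip) {
        std::size_t pos = 0;
        for (auto it = cache_.begin(); it != cache_.end(); ++it, ++pos) {
            if (*it != ip) continue;
            if (pos > REORDER_AFTER) cache_.splice(cache_.begin(), cache_, it);
            return true;
        }
        bool ok = std::any_of(entries_.begin(), entries_.end(),
            [&](const std::string& e) { return matchesEntry(e, ip); });
        if (ok) {  // denied addresses never enter the cache
            cache_.push_front(ip);
            if (cache_.size() > MAX_CACHED) cache_.pop_back();
        }
        return ok;
    }
    std::string cacheFront() const { return cache_.empty() ? "" : cache_.front(); }
    std::size_t cacheSize() const { return cache_.size(); }
};

int main() {
    AllowList acl(SAMPLE_DB);
    for (const char* ip : {"172.16.5.9", "172.16.50.9", "172.170.0.1", "172.16.1.60"})
        std::printf("%-12s %s\n", ip, acl.isAllowed(ip) ? "allow" : "deny");
}
```

Comparing the prefix with its trailing dot is what keeps `172.16.5.*` from admitting `172.16.50.9`; a cache that holds only allowed addresses also means an entry removed from the file stays admitted until it is evicted or the service restarts.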

Download Source Code


Last updated: 24 November 1998



Comments

  • About CHttpFilter::OnReadRawData

    Posted by Legacy on 12/03/2003 12:00am

    Originally posted by: tungpth

    I TRY TO USE THE METHOD:
    CHttpFilter::OnReadRawData

    to parse the data from the client.

    BUT THE FILTER IS NOT INSTALLED !!!

    what is wrong ???
    When RawData is changed, e.g. content-length is changed, the server does not accept it.

    CHttpFilter::OnSendRawData is working !!!


  • ISAPI filter

    Posted by Legacy on 12/03/1999 12:00am

    Originally posted by: wangwenchuan

    I need a filter, example: /aaa/aaa.html--->
    
    test
