Enabling IIS8 dynamic IP restriction modules in Windows Azure
Source: Internet
Author: User
KeywordsAZUREAZUREIIS8 dynamic IP restricted module
We have recently upgraded our Windows http://www.aliyun.com/zixun/aggregation/13357.html >azure Web site and enabled the IIS8 Dynamic IP restriction module. Now, developers can enable and configure Dynamic IP throttling (or DIPR) for their web sites.
You can view a complete overview of this IIS8 feature through the following links:
The DIPR feature provides two types of protection for developers:
blocks IP addresses from the number of requests for a period of time based on the number of concurrent requests
In addition, developers can configure DIPR behavior, such as the type of HTTP status code that is sent back for blocked requests.
In the Azure Web site, developers can configure DIPR using the configuration section that is added to the Web.config file, which is located in the root folder of the Web site.
If you want to block connections based on the number of concurrent requests (that is, the number of active requests being issued at any time), add the following configuration segment to the Web.config file for that Web site.
If the Enabled property is set to true in the denybyconcurrentrequests element, when the maximum number of concurrent requests exceeds the value set in the Maxconcurrentrequests property (set to 10 in the preceding example), IIS The request to block the IP address is automatically started.
On the other hand, if you want to block connections based on the total number of requests issued within a particular time window, you can use the following configuration segments:
In the preceding example, if the Enabled property is set to true in the denybyrequestrate element, IIS is instructed to define the time window in Requestintervalinmilliseconds (in this example, set to 2000 milliseconds) to block requests for this IP address when the total number of requests observed exceeds the value set in the Maxrequests property (set to 10 in this example). Therefore, clients that issue more than 10 requests within a 2-second time period will be blocked.
Finally, developers can also choose to enable both of these blocking mechanisms. The following code snippet can either instruct the DIPR to block clients with more than 10 concurrent requests, or instruct DIPR to block a total of 20 requests from clients in a 5-second window:
After DIPR blocks an IP address, the address remains blocked until the current time window is finished, and the IP address is again able to make a request to the Web site. For example, if Requestintervalinmilliseconds is set to 5000 (5 seconds) and an IP address is blocked at a 2-second tick, the address remains blocked for 3 seconds (that is, the time remaining in the current window).
Developers can customize the errors that are returned when the client is blocked by configuring the Denyaction property of the dynamicipsecurity element itself. The allowable values for denyaction include:
Abortrequest (return HTTP status code 0) unauthorized (return HTTP status code 401) Forbidden (return HTTP status code 403). Note that this is the default setting. NotFound (return HTTP status code 404)
For example, if you are sending a 404 status code instead of sending the default code (that is, Forbidden 403), you can use the following configuration:
Here, we have this question: what IP address do DIPR see when running on an Azure Web site? Running in Windows Azure means that the WEB application is using a variety of load balancers. That is, the client IP address that is presented to the Web site may be the address of the upstream load balancer, not the actual client on the Internet. However, the Azure Web site will automatically perform the necessary transformations for you to ensure that the client IP address that the DIPR module "sees" is the actual IP address of the Internet client that issued the HTTP request.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.