Question

I have a login system in place at the moment to stop all non-authenticated users from viewing the content of my website. I can confirm the login works. The problem I am facing now, however, is with my web.config file. I am able to block a non-validated user from viewing the main page (i.e. www.mysite.com), which would in turn load index.php. The user, though, can still go to www.mysite.com/index.php without logging in, defeating the purpose of the login.

My web.config handles just the main page and any .aspx files I have in the root. Below is my web.config code. I've looked for a solution for a while now and haven't found a way to make the web.config work for the entire site. Also, it is located in the root (and my site uses WordPress).

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" debug="false" />
    <customErrors mode="Off" />
    <authentication mode="Forms">
      <forms
        name=".myCookie"
        loginUrl="http://www.mysite.com"
        domain="mysite.com"
        protection="All"
        timeout="120"
        path="/"
        requireSSL="false"
        slidingExpiration="true"
      />
    </authentication>

    <authorization>
      <allow roles="AA,BB" />
      <deny users="*" />
    </authorization>

    <machineKey
      validationKey="xxxxxxx"
      decryptionKey="xxxxxxx"
      validation="SHA1"
    />
    <sessionState mode="Off" />
  </system.web>

  <system.webServer>
    <defaultDocument>
      <files>
        <add value="index.php" />
      </files>
    </defaultDocument>
    <rewrite>
      <rules>
        <rule name="wordpress" patternSyntax="Wildcard">
          <match url="*" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="index.php" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Any help would be appreciated, as I've spent quite a while on this and I feel like it should be a simple solution. Also, I am running IIS 7.

Just to sum up my question: I need the web.config file to block access to all types of files (.php, .txt, etc.) instead of just the root URL and .aspx files.

Thank you


Solution

So as I commented, it turns out that system.web is for IIS 6 and system.webServer is used for IIS 7, which is what I was running on. My authorization rules for system.web were correct, and so any .NET files were blocked as intended; however, due to the IIS 7 pipeline integration, any other file extensions would not be affected. I found the solution to this at: http://blogs.msdn.com/b/rakkimk/archive/2007/11/28/iis7-making-forms-authentication-to-work-for-all-the-requests.aspx?Redirected=true

It has to do with the line preCondition=""
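
As an added illustration (not code from the answer above or from the linked post), this is the system.webServer fragment that applies the preCondition="" idea: in the IIS 7 integrated pipeline the FormsAuthentication and UrlAuthorization modules are registered with preCondition="managedHandler", so .php and static files never pass through them until they are re-registered without that precondition. The login location path is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Integrated pipeline: the inherited module entries carry
         preCondition="managedHandler", so only managed requests (.aspx etc.)
         are authenticated and authorized. Re-adding them with an empty
         preCondition makes both modules run for every request. -->
    <modules>
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule"
           preCondition="" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule"
           preCondition="" />
    </modules>
  </system.webServer>

  <!-- Assumption: the login page lives under /login/. Once every request is
       authorized, the login page itself must be allowed for anonymous users,
       otherwise the deny rule redirects to a page that is also denied. -->
  <location path="login">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Setting runAllManagedModulesForAllRequests="true" on the modules element has the same effect for every managed module at once, at the cost of running all of them on each static-file request.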

OTHER TIPS

Normally, unless you use the "location" tag, security in a web.config takes effect for the entire site.

Here are snippets from mine; notice that the loginUrl is a specific page:

<authentication mode="Forms">
  <forms loginUrl="~/public/Login.aspx" slidingExpiration="true" timeout="45" />
</authentication>
<authorization>
  <deny users="?"/>
</authorization>

The ? represents anonymous users. In fact, to get the CSS to work correctly you then have to add the following, authorizing everyone to access those files:

<!-- Allow Anonymous Access to the Themes Folder -->
<location path="App_Themes" >
<system.web>
  <authorization>
    <allow users="*" />
  </authorization>
</system.web>
</location>
Licensed under: CC-BY-SA with attribution