Secure a specific page by client IP behind AWS Elastic Load Balancer

Question

I have an application which sits on Amazon EC2, behind an Elastic Load Balancer. There is a specific URL on the server, which only a specified list of IP addresses are allowed to post to.

I've added the following to my Web.config:

<location allowOverride="false" path="mysecureurl">
<system.webServer>
  <security>
    <ipSecurity allowUnlisted="false">
      <add allowed="true" ipAddress="111.111.111.111" />
    </ipSecurity>
  </security>
</system.webServer>
</location>

When I post directly from the allowed IP address, to the IP address of the server, it works correctly.

When I post from the allowed IP address, via the load balancer, it fails (403: FORBIDDEN). I'm assuming that IIS is seeing the internal IP address for my load balancer, not the one for my client.

Is there any way to get this to work?

Answer 1

You might eventually be able to do what you want, by following @datasage's answer. But it is not secure. There is not a reliable/secure way to determine a client IP address on the application layer. Restricting access based on an IP address on the application layer is also a bad practice. Please see this answer for (not much) more information.

Answer 2

The client IP is actually being passed via header (X-Forwarded-For). This header may include other load balancer IPs in addition to the client IP.

If you can configure filtering based on headers, you should be able to do what you are attempting to do.