Hi,
Let me start by saying that I am not a web expert in any sense and I need some clarification on a web.config configuration/locking problem that I am having in order to persuade my hosting company that the restriction is on the server and not in my web.config file.
Also, as this is my first post here, please excuse me if I don't get this quite right.
I have a hosted web service running IIS 7.5 & Parallels Plesk Panel on a Windows Server, I'm not sure what version. I have deployed a WordPress website and all is working fine. Someone attempted to brute force their way into my site last week but failed. With this in mind I wanted to add additional protection to the administration areas of the WordPress system. To do this I looked at adding IP address restrictions to my web.config file, only now I get an HTTP 500.19 error.
Having raised this with the hosting company they are suggesting that the error is to do with a problem within the web.config file itself. I am 90% happy that the file is correct but would like a little expert verification if possible before I go back to them again.
This is my web.config file.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="WordPress Rule" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="index.php?page_id={R:0}" />
        </rule>
      </rules>
    </rewrite>
    <httpErrors errorMode="Detailed" />
    <security>
      <ipSecurity allowUnlisted="true"> <!-- this line allows everybody, except those listed below -->
        <clear/> <!-- removes all upstream restrictions -->
        <add ipAddress="1.2.3.4"/> <!-- block one IP -->
        <!-- <add ipAddress="1.2.3.0" subnetMask="255.255.255.0"/> block network 1.2.3.0 to 1.2.3.255 -->
        <!-- <add ipAddress="1.2.0.0" subnetMask="255.255.0.0"/> block network 1.2.0.0 to 1.2.255.255 -->
        <!-- <add ipAddress="1.0.0.0" subnetMask="255.0.0.0"/> block network 1.0.0.0 to 1.255.255.255 -->
      </ipSecurity>
    </security>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
  <system.web>
    <customErrors defaultRedirect="http://www.[redacted].com" mode="On" />
  </system.web>
</configuration>
Since updating the web.config file I now get the error with the following information:
The requested page cannot be accessed because the related configuration data for the page is invalid.
Module: IpRestrictionModule
Notification: BeginRequest
Handler: StaticFile
Error Code: 0x80070021
Config Error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false"
Config File: \\?\C:\Inetpub\vhosts\[redacted].com\httpdocs\web.config
Requested URL: http://[redacted].com:80/
Physical Path: C:\Inetpub\vhosts\[redacted].com\httpdocs
Logon Method: Not Yet Determined
Logon User: Not Yet Determined
Config Source:
17: <security>
18: <ipSecurity allowUnlisted="true"> <!-- this line allows everybody, except those listed below -->
19: <clear /> <!-- removes all upstream restrictions -->
In the Config Source section of the error page line 18: is highlighted.
From the limited research I have been able to do, and with the limited knowledge of IIS I have, it is my understanding that there is a restriction within the IIS settings that is preventing me from using the <ipSecurity> configuration section. My hosting company is insisting that the problem lies within the syntax of my web.config file. It is my guess that this restriction is probably the default state for a hosted service on a shared server.
I have looked at a couple of articles on the MS Knowledgebase that explain the restriction and a couple of other forums where people have had a similar issue but not specifically relating to the <ipSecurity> section. Also, in all the cases I have read, people are running their own servers, which I am not.
Can someone please, firstly confirm if my web.config file is correct and then further confirm my suspicions that this is an IIS restriction?
Thanks in advance
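
An added example, not part of the original post: a Python check that separates the two explanations in dispute, a malformed web.config versus a section locked with overrideModeDefault="Deny" as the error text describes. The server-level fragment is constructed for illustration in the shape of applicationHost.config, the function names are hypothetical, and <location> overrideMode overrides are not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed server-level fragment (assumed shape; not taken from the poster's host).
APPHOST = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <sectionGroup name="security">
        <section name="ipSecurity" overrideModeDefault="Deny" />
      </sectionGroup>
      <sectionGroup name="rewrite"><section name="rules" overrideModeDefault="Allow" /></sectionGroup>
    </sectionGroup>
  </configSections>
</configuration>"""

# Trimmed copy of the web.config from the post.
WEBCONFIG = """<configuration><system.webServer>
  <rewrite><rules><rule name="WordPress Rule" stopProcessing="true"><match url=".*" />
    <action type="Rewrite" url="index.php?page_id={R:0}" /></rule></rules></rewrite>
  <security><ipSecurity allowUnlisted="true"><clear/><add ipAddress="1.2.3.4"/></ipSecurity></security>
</system.webServer></configuration>"""

def section_modes(apphost_xml):
    """Map 'group/.../section' paths to overrideModeDefault (Allow when omitted)."""
    modes = {}
    def walk(node, prefix):
        for child in node:
            path = f"{prefix}/{child.get('name')}".lstrip("/")
            if child.tag == "sectionGroup":
                walk(child, path)
            elif child.tag == "section":
                modes[path] = child.get("overrideModeDefault", "Allow")
    walk(ET.fromstring(apphost_xml).find("configSections"), "")
    return modes

def locked_sections(webconfig_xml, modes):
    """Sections used in web.config that are Deny upstream; ParseError if malformed XML."""
    locked = []
    def walk(node, prefix):
        for child in node:
            path = f"{prefix}/{child.tag}".lstrip("/")
            if modes.get(path) == "Deny":
                locked.append(path)      # would fail with 0x80070021 at site level
            elif path not in modes:
                walk(child, path)        # still inside a section group, keep descending
    walk(ET.fromstring(webconfig_xml), "")
    return locked

if __name__ == "__main__":
    print(locked_sections(WEBCONFIG, section_modes(APPHOST)))
```

A file that parses without ParseError and still reports a locked section points at the parent-level lock, not at the file's syntax.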