Restricting access by IP address on the Web server

You can determine the client machines that are allowed to access the HTTP and HTTPS ports of the Web server by specifying a list of IP addresses that have access, and a list of addresses that are denied access. You can also specify which list takes priority if an address matches both lists.

About this task

Addresses can include wildcard characters, so that all addresses within a certain class of address will be restricted. For example, denying access to address 123.45.6.* denies access to all addresses for that subnet. Similarly, denying access to address 123.45.* denies access to all subnets for that address.

IP address filtering is useful for managing incoming requests to your Web server -- for example, your server is behind a firewall and should only be accepting requests from the firewall and from the Domino® Administrator client. It also helps in minimizing excessive requests, such as those generated by machines infected by a Web worm.

Note: IP address restriction should not be used as the only means of protecting your site, or as a substitute for user authentication. Client IP addresses are specified in the network packets sent by the client, and this information is easily spoofed. Additionally, hackers routinely use attack techniques that hide their true IP addresses. IP address restriction cannot protect the server against such attacks.

Procedure

  1. Open the Server document you want to edit and click Edit Server.
  2. Click the Internet Protocols > HTTP tab. In the Network Settings section, complete these fields:
    Table 1. Network Settings fields

    Field: IP address allow/deny priority
    Action: Specify which IP address list -- Allow or Deny -- takes priority if an incoming IP address is listed in both the allow list and the deny list (this can happen when both lists contain wildcards). The default is that the Allow list takes priority.

    Field: IP address allow list
    Action: List the IP addresses that are allowed to access the ports.

    Field: IP address deny list
    Action: List the IP addresses that are denied access to the ports.

Results

If a client IP address does not match either list, then the connection is allowed.

Table 2. Examples of typical IP address restriction settings

Example configuration: Allow access to all addresses (leave default settings)
Settings:
    IP address allow/deny priority: Allow
    IP address allow list: (blank)
    IP address deny list: (blank)
Comment: Leave IP address allow list and IP address deny list blank.

Example configuration: Deny access to everyone
Settings:
    IP address allow/deny priority: Deny
    IP address allow list: *
    IP address deny list: *
Comment: (none)

Example configuration: Deny access to a particular Web crawler
Settings:
    IP address allow/deny priority: Deny
    IP address allow list: *
    IP address deny list: 123.45.6.78
Comment: All addresses are allowed, but the crawler is denied because it matches the deny list, which takes priority over the allow list.

Example configuration: Deny access from subnets that are infected with a Web worm
Settings:
    IP address allow/deny priority: Deny
    IP address allow list: *
    IP address deny list: 123.45.*; 95.123.4.*
Comment: (none)

Example configuration: Allow access only from two trusted proxy servers
Settings:
    IP address allow/deny priority: Allow
    IP address allow list: 123.45.6.78; 123.45.6.79
    IP address deny list: *
Comment: In this case, you must use a wildcard in the deny list so that all other addresses will explicitly match that list.
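As an added example (not Domino code and not part of this documentation), the following Python script models the evaluation rules described above, that is, trailing wildcards, the allow/deny priority field, and the default of allowing an address that matches neither list, and runs the Table 2 configurations through it, including a constructed variant of the two-proxy configuration with the deny list left blank to show why the wildcard there matters. The octet-by-octet wildcard semantics are an assumption drawn from the examples in the text; the ";" separator is taken from Table 2.

```python
# Added example: a model of the Domino HTTP allow/deny evaluation described above.
# Assumptions (not from the page): a pattern is compared octet by octet and a "*"
# octet matches that octet and every octet after it; entries are ";"-separated.

def parse_list(text):
    """Split a list field such as '123.45.*; 95.123.4.*' into patterns."""
    return [p.strip() for p in text.split(";") if p.strip()]

def address_matches(addr, pattern):
    """True if addr matches pattern, e.g. 123.45.6.78 matches 123.45.* and *."""
    a, p = addr.split("."), pattern.split(".")
    for i, part in enumerate(p):
        if part == "*":
            return True            # wildcard covers the remaining octets
        if i >= len(a) or a[i] != part:
            return False
    return len(a) == len(p)        # exact address: every octet must be present

def is_allowed(addr, priority, allow_list, deny_list):
    """Apply the three Network Settings fields to one client address."""
    in_allow = any(address_matches(addr, p) for p in parse_list(allow_list))
    in_deny = any(address_matches(addr, p) for p in parse_list(deny_list))
    if in_allow and in_deny:       # listed in both: the priority field decides
        return priority == "Allow"
    if in_deny:
        return False
    return True                    # in the allow list, or in neither list

# Table 2 configurations: (priority, allow list, deny list)
DEFAULT = ("Allow", "", "")
DENY_EVERYONE = ("Deny", "*", "*")
DENY_CRAWLER = ("Deny", "*", "123.45.6.78")
DENY_WORM_SUBNETS = ("Deny", "*", "123.45.*; 95.123.4.*")
TWO_PROXIES = ("Allow", "123.45.6.78; 123.45.6.79", "*")
# Same as TWO_PROXIES but with the deny list left blank (a constructed mistake)
TWO_PROXIES_NO_DENY = ("Allow", "123.45.6.78; 123.45.6.79", "")

if __name__ == "__main__":
    configs = [("default", DEFAULT), ("deny everyone", DENY_EVERYONE),
               ("deny crawler", DENY_CRAWLER), ("worm subnets", DENY_WORM_SUBNETS),
               ("two proxies", TWO_PROXIES), ("two proxies, no deny", TWO_PROXIES_NO_DENY)]
    for name, cfg in configs:
        for client in ("123.45.6.78", "123.45.6.80", "95.123.4.9", "10.0.0.1"):
            verdict = "allow" if is_allowed(client, *cfg) else "deny"
            print(f"{name:22} {client:12} {verdict}")
```

The last configuration shows the point made in the table: without "*" in the deny list, an address that is on neither list falls through to the default and is allowed.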