
How do I configure an IP access restriction specifically for /blog/admin.php in IIS web.config?

Targeted IP Restriction for /blog/admin.php in IIS web.config

Absolutely! You can lock down just /blog/admin.php with IP restrictions in IIS, with no need to apply rules site-wide. I’ve done this dozens of times, so here’s the straightforward way to make it happen:

First, Check Your IIS Modules

Before diving in, make sure you have either:

  • The URL Rewrite module installed (most flexible for this use case), or
  • The IP and Domain Restrictions feature enabled (part of IIS's core security tools)

You can verify these via IIS Manager under "Modules" or "Features View."

Method 1: Using URL Rewrite

This is my go-to because it’s easy to adjust and works with most IIS versions. Add this code inside the <system.webServer> block of your web.config:

<rewrite>
  <rules>
    <rule name="Restrict Admin PHP IP Access" stopProcessing="true">
      <!-- Exact match for the admin file (dot escaped so it matches a literal ".") -->
      <match url="^blog/admin\.php$" />
      <conditions logicalGrouping="MatchAll">
        <!-- Block anyone NOT in these IPs (replace with your trusted addresses) -->
        <add input="{REMOTE_ADDR}" pattern="^192\.168\.1\.100$" negate="true" />
        <add input="{REMOTE_ADDR}" pattern="^10\.0\.0\.5$" negate="true" />
        <!-- Add more lines for additional IPs/subnets -->
      </conditions>
      <!-- Return 403 Forbidden for unallowed users -->
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="You don't have permission to access this page." />
    </rule>
  </rules>
</rewrite>

Quick Tweaks for Your Setup:

  • match url: The regex ^blog/admin\.php$ targets exactly that file. If your path is case-sensitive (rare on Windows, but possible), adjust the case to match your actual file.
  • IP Patterns: Replace the example IPs with your trusted ones. Use regex syntax, and remember to escape dots with \. (since dots in regex match any character). For a subnet, use something like ^192\.168\.1\.[0-9]+$ for 192.168.1.x.
  • negate="true": This means the rule triggers when the visitor’s IP doesn’t match any of the allowed entries, which is what you want for blocking everyone except your trusted list.

Method 2: Using IP and Domain Restrictions (Built-In IIS)

If you prefer using IIS’s native security tools instead of URL Rewrite, wrap a location block around the IP restriction rules in your web.config:

<location path="blog/admin.php">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <!-- Allow specific IPs -->
        <add allowed="true" ipAddress="192.168.1.100" />
        <add allowed="true" ipAddress="10.0.0.5" />
        <!-- Allow an entire subnet -->
        <add allowed="true" ipAddress="172.16.0.0" subnetMask="255.255.0.0" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>

Important Notes for This Method:

  • allowUnlisted="false" tells IIS to block every IP except those you explicitly add.
  • You must have the IP and Domain Restrictions feature installed (you can add it via Windows Server Manager or IIS Manager’s "Add Features" option).

Test It Out!

After saving your web.config, grab a device with an unallowed IP and try accessing /blog/admin.php—you should get a 403 error. From your trusted IPs, the page should load normally. If something’s off, double-check your regex patterns or IP entries—typos here are the most common issue.
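
To check the Method 1 rule's logic before deploying it, the following added example (not part of the original answer) evaluates the rule offline against constructed requests, including what happens if the grouping is changed to MatchAny. It assumes Python's `re` behaves like URL Rewrite's regex engine for these simple patterns; `RULE_XML` and `evaluate` are names introduced here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the Method 1 rule (statusReason/statusDescription omitted).
RULE_XML = r"""
<rule name="Restrict Admin PHP IP Access" stopProcessing="true">
  <match url="^blog/admin\.php$" />
  <conditions logicalGrouping="MatchAll">
    <add input="{REMOTE_ADDR}" pattern="^192\.168\.1\.100$" negate="true" />
    <add input="{REMOTE_ADDR}" pattern="^10\.0\.0\.5$" negate="true" />
  </conditions>
  <action type="CustomResponse" statusCode="403" />
</rule>
"""

def _flags(elem):
    # URL Rewrite patterns ignore case unless ignoreCase="false" is set.
    return 0 if elem.get("ignoreCase", "true").lower() == "false" else re.IGNORECASE

def evaluate(rule_xml, path, remote_addr, grouping=None):
    """Return the status the rule forces (403), or None if the rule does not fire."""
    rule = ET.fromstring(rule_xml)
    match = rule.find("match")
    # IIS hands the rule the path without its leading slash or query string.
    url = path.split("?", 1)[0].lstrip("/")
    if not re.search(match.get("url"), url, _flags(match)):
        return None
    conds = rule.find("conditions")
    results = []
    for add in conds.findall("add"):
        value = {"{REMOTE_ADDR}": remote_addr}[add.get("input")]
        hit = re.search(add.get("pattern"), value, _flags(add)) is not None
        # negate="true" inverts the condition: true when the IP does NOT match.
        results.append(hit != (add.get("negate", "false").lower() == "true"))
    grouping = grouping or conds.get("logicalGrouping", "MatchAll")
    fired = all(results) if grouping == "MatchAll" else any(results)
    return int(rule.find("action").get("statusCode")) if fired else None

if __name__ == "__main__":
    # Constructed sample requests: (path, client IP)
    for path, ip in [("/blog/admin.php", "192.168.1.100"),
                     ("/blog/admin.php", "203.0.113.7"),
                     ("/blog/index.php", "203.0.113.7")]:
        print(path, ip, evaluate(RULE_XML, path, ip))
```

With two or more allowed IPs, MatchAny makes the rule fire for every client, trusted ones included, which is why the rule uses MatchAll together with negate="true".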


The question in this content comes from Stack Exchange; it was asked by Chris.
