Web Hosting - Firewall Options

Those who wish to restrict website access to specific IPs and/or ranges have various options:

1. Self-service using a local configuration file:  .htaccess on Linux or web.config on Windows.  This can be used to protect sub-directories as well (see below).

2. Contact Web Hosting to configure the restrictions at the vhost.config level on Linux and in IIS on Windows (outside of your file system).

3. Use the Platform Firewall Utility (PaloAlto).  The Web Hosting service will coordinate this process for you; it requires a move to dedicated IPs for the site(s).

Platform Firewall Rule Set Options

These rules apply to the site's IP and cannot be used to protect subdirectories with different sets of rules than the rest of the site.

  • DoIT Data Center
  • Static WiscVPN + DoIT Staff networks
  • Management Address Groups (Data Center, DoIT Staff, Static VPN)
  • UW-Madison
  • UW System
  • World
  • Or Custom rules

For assistance, please email webhosting@doit.wisc.edu with the details of your firewall rules request.

Sub-directory Protection

If you require sub-directory protection (e.g. mysite.wisc.edu/subfolder/), there are manual ways to implement firewall rules on individual paths.  Depending on the platform and nature of the application, you can accomplish sub-directory protection with a variety of methods (Apache rules in vhost.conf or .htaccess, Win/IIS web.config, etc.).
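As an added illustration of the .htaccess method (not the Web Hosting service's own configuration), the following file restricts one directory to an allow list of addresses. It assumes Apache 2.4 with overrides enabled for authorization directives, and every address in it is a documentation placeholder rather than a real campus range.

```apache
# Constructed example. Save as .htaccess inside the directory to protect,
# e.g. the "subfolder" directory behind mysite.wisc.edu/subfolder/.
#
# Assumptions:
#   - Apache 2.4 (mod_authz_core and mod_authz_host loaded).
#   - The vhost's AllowOverride setting permits AuthConfig. With
#     AllowOverride None the file is not read at all; if AuthConfig is
#     not permitted, requests fail with a server error.
#
# The ranges below are documentation placeholders (RFC 5737 / RFC 3849),
# not real networks. Replace them with the ranges you intend to allow.

<RequireAny>
    # A single host
    Require ip 192.0.2.10

    # An IPv4 range in CIDR notation
    Require ip 198.51.100.0/24

    # An IPv6 range
    Require ip 2001:db8:1234::/48
</RequireAny>

# Requests that match none of the lines above receive 403 Forbidden.
#
# Do not combine these with the Apache 2.2-style Order/Allow/Deny
# directives (mod_access_compat) in the same scope; mixing the two
# styles makes the effective policy hard to predict.
#
# "Require ip" matches the address Apache sees for the connection. If a
# reverse proxy or load balancer sits in front of the site, that is the
# proxy's address unless mod_remoteip is configured.
```

The rules apply to the directory holding the file and everything beneath it. After deploying, request the path from an address outside the listed ranges and confirm the response is 403.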

Please be aware: Keeping up with the ever-changing rules that make up Campus IP space can be difficult and time-consuming. One way of overcoming this sub-directory dilemma for campus rule sets is to break out the sub-directory into its own domain and redirect to it. For example, making the following change...

mysite.wisc.edu/admin → admin.mysite.wisc.edu
...would allow the new domain to make use of the platform firewall.