IIS - Nested comments in config files

27 August 2015

One nice feature of XML based configuration is that you can add comments anywhere to explain why a certain configuration value has been set this way.

For IIS I use this most often to comment on the IP addresses I use to allow for certain sites, like:

<system.webServer>
    <security>
        <ipSecurity allowUnlisted="false">
            <!-- Susan's laptop -->
            <add ipAddress="25.88.25.25" allowed="true"/>
            <!-- public IP at work -->
            <add ipAddress="165.25.26.25" allowed="true" />
            <!-- local home network -->
            <add ipAddress="192.168.50.0" subnetMask="255.255.255.0" allowed="true" />
            <!-- explicit deny Mark's network -->
            <add ipAddress="58.57.56.0" subnetMask="255.255.255.0" allowed="false" /> 
        </ipSecurity>
    </security>
</system.webServer>

Without these comments I would sometimes come back to the configuration and not know what these addresses are or whether I still need them.

The other day I had to allow access to a site from everywhere. I could not just change the 'allowUnlisted' value because I have both 'allow' and 'deny' entries in the list.

Normally I would just comment out the whole 'ipSecurity' node, but this isn't possible because XML does not allow nested comments.

My first fix was to move the specific comments out of the node into their own comment section. That works, but it's a pain if you have many comments, and you lose the direct association with the add node.

<!-- ipSecurity info:
     25.88.25.25 = Susan's laptop
     165.25.26.25 = public IP at work
     ...
-->

A cleaner solution is to extend the IIS schema to allow a comment directly on the 'add' node.

To do that I created a new file:
%systemroot%\System32\inetsrv\config\schema\my_schema.xml
with the following content:

<configSchema> 
    <sectionSchema name="system.webServer/security/ipSecurity"> 
        <collection addElement="add" >
           <attribute name="remark" type="string" defaultValue=""  />
        </collection>
    </sectionSchema>     
</configSchema> 

I'm adding a new attribute to the 'add' node, which allows me to add my comment directly on the node like this:

<system.webServer>
    <security>
        <ipSecurity allowUnlisted="false">
            <add ipAddress="25.88.25.25" allowed="true" remark="Susan's laptop" />
            <add ipAddress="165.25.26.25" allowed="true" remark="public IP at work" />
            <add ipAddress="192.168.50.0" subnetMask="255.255.255.0" allowed="true" remark="local home network" />
            <add ipAddress="58.57.56.0" subnetMask="255.255.255.0" allowed="false" remark="explicit deny Mark's network" /> 
        </ipSecurity>
    </security>
</system.webServer>

The new attribute doesn't show up in the IIS Manager UI, but it does appear in the Configuration Editor:

[Screenshot: config editor]

This means I can edit my comments in the GUI and don't have to edit the config file directly anymore.

If you use that web.config on a different server, you have to remember to copy the 'my_schema.xml' file as well; otherwise you will get a '500.19' configuration error complaining:

Unrecognized attribute 'remark'
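
As an added example (not part of the original post), the PowerShell below audits an ipSecurity list before a web.config is copied to another server: it flags entries that have no remark and lists the attributes a server without my_schema.xml would reject with the 500.19 error. The function names, the embedded sample XML and the list of built-in attributes (ipAddress, subnetMask, domainName, allowed) are assumptions of this example.

```powershell
# Added example. Inputs mirror the page's snippets and are embedded so this runs offline.
$schema = [xml]@'
<configSchema>
  <sectionSchema name="system.webServer/security/ipSecurity">
    <collection addElement="add">
      <attribute name="remark" type="string" defaultValue="" />
    </collection>
  </sectionSchema>
</configSchema>
'@
# Constructed web.config: the second entry deliberately has no remark.
$config = [xml]@'
<configuration><system.webServer><security>
  <ipSecurity allowUnlisted="false">
    <add ipAddress="25.88.25.25" allowed="true" remark="Susan's laptop" />
    <add ipAddress="165.25.26.25" allowed="true" />
    <add ipAddress="58.57.56.0" subnetMask="255.255.255.0" allowed="false" remark="explicit deny Mark's network" />
  </ipSecurity>
</security></system.webServer></configuration>
'@

# Assumption: attributes the stock IIS schema defines on ipSecurity 'add' entries.
$builtIn = 'ipAddress', 'subnetMask', 'domainName', 'allowed'

# Attribute names that a schema extension file adds to the ipSecurity 'add' element.
function Get-SchemaExtensionAttribute([xml]$Schema) {
    $xpath = '//sectionSchema[@name="system.webServer/security/ipSecurity"]' +
             '/collection[@addElement="add"]/attribute'
    @($Schema.SelectNodes($xpath) | ForEach-Object { $_.GetAttribute('name') })
}

# One row per allow/deny entry: its purpose, and any attribute the server would not recognize.
function Get-IpSecurityAudit([xml]$Config, [string[]]$KnownAttributes) {
    foreach ($entry in $Config.SelectNodes('//system.webServer/security/ipSecurity/add')) {
        $unknown = @($entry.Attributes | Where-Object { $KnownAttributes -notcontains $_.Name } |
                     ForEach-Object { $_.Name })
        [pscustomobject]@{
            IpAddress    = $entry.GetAttribute('ipAddress')
            Allowed      = $entry.GetAttribute('allowed')
            Remark       = $entry.GetAttribute('remark')
            Undocumented = [string]::IsNullOrWhiteSpace($entry.GetAttribute('remark'))
            Unrecognized = ($unknown -join ',')   # non-empty means a 500.19 on this server
        }
    }
}

# Server that has my_schema.xml: nothing unrecognized, one undocumented entry.
Get-IpSecurityAudit $config ($builtIn + (Get-SchemaExtensionAttribute $schema)) | Format-Table
# Server without the schema file: every 'remark' is an unrecognized attribute.
Get-IpSecurityAudit $config $builtIn | Format-Table
```

Against real files, load the two documents with `[xml](Get-Content <path>)` instead of the embedded here-strings.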
