This is my first post and I'm an Umbraco newbie so not sure whether
i'm in the correct forum or whether this question has been
asked/answered before (a search didn't throw up any results).. here goes
:
Is it possible to prevent a site visitor from accessing the admin
login page for Umbraco. I would like to make the standard admin url
inaccessible and instead set up a dedicated url for it.
Having browsed some of the "sites using umbraco" I've noticed that
some use default behaviour where you can browse directly to admin login
and others seem to have this disabled (e.g. heinze.com). I'd like to
know how this is achieved.
Ismail makes a good point that you could ip restrict the backend. Another thing that you could do is on the IIS site for mysite.com you could redirect anyone going to the umbraco folder back to the main site and for cms.mysite.com you can set the home as /umbraco/umbraco.aspx.
The simplest is to simply rename the Umbraco folder to something else (works best with 4.5+), and set the folder name to something that's hard to guess.
Next is to restrict the access via IIS. You can set the IP Address(es) that are allowed to view the /umbraco folder (usually restructed to the client's IP addresses, and maybe the agency responsible for the site so they cab carry out maintenance if necessary). Anyone not in the address range will simply get a 404 error, and for al intents and purposes the site will not exist for them.
Next is to restrict access at the firewall. If the server is behind a firewall, you can set up a rule to restrict access to the /umbraco folder there. The error the user will get will depend on the way your firewall is configured.
If you're running IIS7+, you could write a .Net module to handle the filtering for you and add that to the website, but that would be a bit pointless as the functionality you need is already built into IIS, but it might be an option if you want to make the IP ranges that have access to the site manageable via the umbraco interface.
Finally, if your server has ISAPI_Rewrite on it, you can use conditional rules to redirect all users except for the IP ranges you want to the homepage if they try and access the umbraco admin URL.
For others that run into this issue. The cause of the issue is that
Feature Delegation doesn't allow the feature to be managed by
web.config.
To Fix:
Verify that the Feature is enabled for web.config management
In IIS 7, click on the root server Double click Feature Delegation
(under management) Scroll down to IPv4 Address and Domain Restrictions
Change the delegation to Read/Write (in my case it was Read Only,
which was the issue)
Prevent browsing to Umbraco Admin url
Hi,
This is my first post and I'm an Umbraco newbie so not sure whether i'm in the correct forum or whether this question has been asked/answered before (a search didn't throw up any results).. here goes :
Is it possible to prevent a site visitor from accessing the admin login page for Umbraco. I would like to make the standard admin url inaccessible and instead set up a dedicated url for it.
example :
prevent any visitor typing in http://www.mysite.com/umbraco/
then have the admin area accessible via :
http://cms.mysite.com/
Having browsed some of the "sites using umbraco" I've noticed that some use default behaviour where you can browse directly to admin login and others seem to have this disabled (e.g. heinze.com). I'd like to know how this is achieved.
Any help appreciated
Dave
Discussed here
http://our.umbraco.org/forum/getting-started/installing-umbraco/9055-Prevent-external-access-to-umbraco
The discuss never came to a solid conclussion, just a hack of renaming the login file.
http://our.umbraco.org/forum/getting-started/installing-umbraco/13272-How-to-Lock-Down-Umbraco-Backend
Ismail makes a good point that you could ip restrict the backend. Another thing that you could do is on the IIS site for mysite.com you could redirect anyone going to the umbraco folder back to the main site and for cms.mysite.com you can set the home as /umbraco/umbraco.aspx.
There are several ways you can do this.
The simplest is to simply rename the Umbraco folder to something else (works best with 4.5+), and set the folder name to something that's hard to guess.
Next is to restrict the access via IIS. You can set the IP Address(es) that are allowed to view the /umbraco folder (usually restructed to the client's IP addresses, and maybe the agency responsible for the site so they cab carry out maintenance if necessary). Anyone not in the address range will simply get a 404 error, and for al intents and purposes the site will not exist for them.
Next is to restrict access at the firewall. If the server is behind a firewall, you can set up a rule to restrict access to the /umbraco folder there. The error the user will get will depend on the way your firewall is configured.
If you're running IIS7+, you could write a .Net module to handle the filtering for you and add that to the website, but that would be a bit pointless as the functionality you need is already built into IIS, but it might be an option if you want to make the IP ranges that have access to the site manageable via the umbraco interface.
Finally, if your server has ISAPI_Rewrite on it, you can use conditional rules to redirect all users except for the IP ranges you want to the homepage if they try and access the umbraco admin URL.
Hope that's useful!
:)
@Tim @Seth
Hi thanks guys, very useful info. I'd forgot i'd even posted this question :)
Here's the link to restrict access to the Umbraco login to a certain set of IP addresses...
In IIS 6.0... http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/128d26dd-decb-42f9-8efb-30724d1a2f29.mspx?mfr=true
In IIS 7.0 (I haven't tested this tutorial, but I think it's the right one)... http://technet.microsoft.com/en-us/library/cc770819(WS.10).aspx
Hope this helps.
Hi,
In case you found the ipSecurity won't worked. Please enable read/write in feature delegation as described here : http://stackoverflow.com/questions/16220819/internal-server-error-with-web-config-ipsecurity
is working on a reply...