You could add a new web.config file to the web services folder and add the following contents. This restricts access to the folder by IP address. More information can be found on this blog post.
<?xml version="1.0" encoding="UTF-8"?>
<!-- Requires the IIS URL Rewrite extension. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rewriteMaps>
        <!-- Addresses allowed to reach this folder; replace with your own. -->
        <rewriteMap name="Authorized IPs">
          <add key="127.0.0.1" value="1"/>
          <add key="127.0.0.2" value="1"/>
        </rewriteMap>
      </rewriteMaps>
      <rules>
        <!-- Answers 404 unless one of the two addresses below is in the map. -->
        <rule name="Block Unauthorized IPs"
              patternSyntax="Wildcard"
              stopProcessing="true">
          <match url="*"/>
          <conditions logicalGrouping="MatchAll">
            <!-- X-Forwarded-For is a request header. Keep this condition only
                 when a trusted reverse proxy in front of IIS sets it; otherwise
                 remove it so that only REMOTE_ADDR is checked. -->
            <add input="{Authorized IPs:{HTTP_X_FORWARDED_FOR}}"
                 pattern="1"
                 negate="true"/>
            <add input="{Authorized IPs:{REMOTE_ADDR}}"
                 pattern="1"
                 negate="true"/>
          </conditions>
          <action type="CustomResponse"
                  statusCode="404"
                  statusReason="File or directory not found."
                  statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable."/>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
Umbraco Webservices
Hi all
I've noticed that despite having checked webservices are turned off in the Umbraco.config, if I browse to any of the asmx files I still get a complete breakdown of each service and how to use them (standard MS web service pages).
Is the easy option to simply remove the entire folder and the umbraco.webservices DLL? Or can I configure something in the web.config to turn these pages completely off?
Any help on this appreciated.
Thanks in advance
Martin
Hi
Have you added your webservice folder to the umbracoReservedPaths in the web.config?
/Paul S
I've also noticed there's a spattering of services in other folders too and Contour has a couple! I suppose the easiest thing to do is to search for asmx files and delete them.
Martin.
Does anybody have any answers for this? I still have a whole bunch of wide open web services that I cannot turn off. I would resort to deleting the files but I don't know if the back office uses/requires any of them.
I'm using Umbraco 6.1.6
You could add a new web.config file to the web services folder and add the following contents. This restricts access to the folder by IP address. More information can be found on this blog post.
Hi Dan
Thanks for the info. The blog entry was very useful. But one thing still pains me, which is why do the security settings in the umbracoSettings.config not work as expected?
M.
Hi Dan
I actually couldn't get this to work on our box. What exactly do I add in? Is it here?
You'll need to add the IP addresses that you want access to the web services folder. For example, the local machine's IP address or any content editor's IP address. I forgot to mention that you will also need the Url Rewrite extension installed for it to work.
Ahh I see what you mean, that's not really any different than setting up IP address and domain restrictions at folder level.
What I want is to completely turn off access to the webservices for everyone except logged in back office users. Something you should be able to do out of the box!
M.
Hi Dan
I've raised this issue as a bug. Sebastiaan Janssen initially brushed it off as an error on my part. But I explained my problem in more detail and he says he's going to look into it.
The safest way to deal with services you have no intention of exposing is (on his advice) to delete the webservices dll. I've done this and they're now all dead to everyone outside of the backoffice.
M.
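An inventory check for the situation discussed in this thread, added here as an example and not code from any poster or from Umbraco: it lists every .asmx file under a site root and reports whether a web.config between the root and that folder carries a URL Rewrite rule (as in the answer above) or removes the ASP.NET "Documentation" protocol, the standard setting that turns off the auto-generated service help page. It only checks that these elements are present; it does not evaluate the rule, and it ignores `<location>` and `<clear/>` elements and server-level configuration. The sample folder and file names are hypothetical.

```python
from pathlib import Path
import tempfile
import xml.etree.ElementTree as ET

def applicable_configs(folder, root):
    """web.config files from the site root down to `folder` (IIS merges these)."""
    dirs = [d for d in [folder, *folder.parents] if d == root or root in d.parents]
    return [f for d in reversed(dirs) for f in d.iterdir()
            if f.name.lower() == "web.config"]

def controls_in(config_path):
    """Return (rewrite rule present, ASMX help page removed) for one file."""
    doc = ET.parse(config_path).getroot()
    rule = doc.find("system.webServer/rewrite/rules/rule") is not None
    removes = doc.findall("system.web/webServices/protocols/remove")
    return rule, any(e.get("name") == "Documentation" for e in removes)

def audit_asmx(root):
    """Map every .asmx file under root to the controls that cover its folder."""
    root, report = Path(root).resolve(), {}
    for svc in sorted(root.rglob("*")):
        if svc.suffix.lower() != ".asmx":
            continue
        flags = [controls_in(c) for c in applicable_configs(svc.parent, root)]
        report[svc.relative_to(root).as_posix()] = {
            "rewrite_rule": any(f[0] for f in flags),
            "help_page_removed": any(f[1] for f in flags)}
    return report

def build_sample_site(root):
    """Constructed sample tree; folder and file names are hypothetical."""
    rule = ("<configuration><system.webServer><rewrite><rules><rule name='x'/>"
            "</rules></rewrite></system.webServer></configuration>")
    no_help = ("<configuration><system.web><webServices><protocols>"
               "<remove name='Documentation'/></protocols></webServices>"
               "</system.web></configuration>")
    for folder, config in (("webservices", rule), ("plugins/forms", None),
                           ("legacy", no_help)):
        path = Path(root, folder)
        path.mkdir(parents=True)
        (path / "demo.asmx").touch()
        if config:
            (path / "web.config").write_text(config)
    return root

if __name__ == "__main__":
    print(audit_asmx(build_sample_site(tempfile.mkdtemp())))
```

Any entry with both flags false is a service file that none of the folder-level controls discussed here covers.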