  • David Peck 690 posts 1896 karma points c-trib
    Mar 05, 2014 @ 11:59
    David Peck
    1

    Blocking malicious distributed calls

    Hi Umbraco peeps,

    If I have a load balanced environment setup with distributedCall="true", is there any security to stop the republish calls from being made externally? I would imagine that by default an external user could make calls against whichever server they are allocated by the load balancer. A DoS targeted at these calls would cripple a server, I should imagine.

    You could change the port (http://our.umbraco.org/documentation/installation/load-balancing) and block it via a firewall?!

    I'm no expert in such matters so please enlighten me if there is some kind of validation of the origin of the request.

    Ta,

    David

  • Dan Lister 416 posts 1974 karma points c-trib
    Mar 05, 2014 @ 15:23
    Dan Lister
    100

    You could try creating a web.config file in each server's web services folder and add an IP restriction rule to only allow certain addresses. For example, local servers only. Try adding the below web.config file to the folder /umbraco/webservices/ and amending the authorized IP list to your local servers only.

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <rewrite>
          <rewriteMaps>
            <!-- Lookup table of addresses allowed to call the web services:
                 one entry per server in the load-balanced cluster -->
            <rewriteMap name="Authorized IPs">
              <add key="127.0.0.1" value="1" />
              <add key="127.0.0.2" value="1" />
            </rewriteMap>
          </rewriteMaps>
          <rules>
            <rule name="Block Unauthorized IPs" patternSyntax="Wildcard" stopProcessing="true">
              <match url="*" />
              <!-- Block only when neither the forwarded address nor the direct
                   address is found in the map. X-Forwarded-For is supplied by the
                   caller, so it is only meaningful where the load balancer sets it -->
              <conditions logicalGrouping="MatchAll">
                <add input="{Authorized IPs:{HTTP_X_FORWARDED_FOR}}" pattern="1" negate="true" />
                <add input="{Authorized IPs:{REMOTE_ADDR}}" pattern="1" negate="true" />
              </conditions>
              <!-- Answer as if the resource did not exist -->
              <action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>
  • David Peck 690 posts 1896 karma points c-trib
    Mar 05, 2014 @ 15:30
    David Peck
    0

    Hi Dan,

    What a simple, but perfect solution. That will do it!

    It might be a Core feature to have this built in to umbracoSettings.config, especially after last year's security vulnerabilities. I'll suggest it.

    David

  • Dan Lister 416 posts 1974 karma points c-trib
    Mar 05, 2014 @ 15:36
    Dan Lister
    0

    I think the difficulty with the above solution is developers would have to maintain two separate lists of IP addresses. If the Cache Refresher service could only allow addresses from umbracoSettings.config, that would be awesome.
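
One way to avoid the two-list problem from the posts above, as an added example that is not code from the thread or from Umbraco: generate the /umbraco/webservices/ web.config rule from the server list in umbracoSettings.config. The `<distributedCall>` layout in the sample is an assumption, the addresses are constructed, and the rule deliberately checks only REMOTE_ADDR on the assumption that cache-refresh calls arrive directly from the peer servers.

```python
"""Generate the webservices IP-restriction web.config from one server list."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the <distributedCall> section; the element names are an
# assumption about umbracoSettings.config, not taken from a real install.
SAMPLE_UMBRACO_SETTINGS = """<settings>
  <distributedCall enable="true">
    <servers>
      <server>10.0.0.11</server>
      <server>10.0.0.12</server>
      <server> 10.0.0.13 </server>
    </servers>
  </distributedCall>
</settings>"""


def authorized_ips(settings_xml):
    """Return the validated IP addresses listed under <distributedCall>."""
    root = ET.fromstring(settings_xml)
    ips = []
    for server in root.iter("server"):
        text = (server.text or "").strip()
        ips.append(str(ipaddress.ip_address(text)))  # ValueError on hostnames or garbage
    if not ips:
        raise ValueError("no servers listed; the rule would block every caller")
    return ips


def build_web_config(ips):
    """Build the rewrite rule: listed addresses pass, everyone else gets a 404."""
    config = ET.Element("configuration")
    rewrite = ET.SubElement(ET.SubElement(config, "system.webServer"), "rewrite")
    rmap = ET.SubElement(ET.SubElement(rewrite, "rewriteMaps"), "rewriteMap",
                         name="Authorized IPs")
    for ip in ips:
        ET.SubElement(rmap, "add", key=ip, value="1")
    rule = ET.SubElement(ET.SubElement(rewrite, "rules"), "rule",
                         name="Block Unauthorized IPs", patternSyntax="Wildcard",
                         stopProcessing="true")
    ET.SubElement(rule, "match", url="*")
    conds = ET.SubElement(rule, "conditions", logicalGrouping="MatchAll")
    # Only REMOTE_ADDR is consulted: X-Forwarded-For is chosen by the caller and
    # is trustworthy only where the load balancer overwrites it.
    ET.SubElement(conds, "add", input="{Authorized IPs:{REMOTE_ADDR}}",
                  pattern="1", negate="true")
    ET.SubElement(rule, "action", type="CustomResponse", statusCode="404",
                  statusReason="File or directory not found.")
    return ET.tostring(config, encoding="unicode")
```

Run it from a deployment script and write the returned string (with an XML declaration prepended) to /umbraco/webservices/web.config on every node, so the server list is edited in one place only.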

  • David Peck 690 posts 1896 karma points c-trib
    Mar 05, 2014 @ 15:37
    David Peck
    0

    Do the webservices all require a logged in Umbraco User? If so perhaps it's a moot point.

  • Dan Lister 416 posts 1974 karma points c-trib
    Mar 05, 2014 @ 15:39
    Dan Lister
    0

    I'm not sure about all of them but the Cache Refresher does.
