
  • Craig Cronin 303 posts 502 karma points
    Jul 30, 2015 @ 14:21
    Craig Cronin
    0

    Securing the umbraco admin folder

    We've currently got a website that has just gone live. We only want users from inside our network to be able to update the website.

    I've looked at the issue this afternoon and it looks like I can restrict access to the folder through IIS and IP Filtering.

    The issue is that I have a button which calls a surface controller, and when the restriction is on I get redirected to the surface controller instead.

    http://www.ourdomain.co.uk/umbraco/Surface/LanguageSurface/English?currentId=1054

    I need to be able to protect this folder but still allow surface controllers to be used.

    Would really appreciate some help with this....Please.

  • Hywel Rees 56 posts 224 karma points
    Aug 07, 2015 @ 15:30
    Hywel Rees
    0

    Hi Craig,

    I was in this exact situation a month or so ago.

    I needed to lock down access to the login screen, but allow access to Surface controllers, the api, contour etc.

    I achieved this by creating an IPWhitelistModule in the App_Code folder.

    All you need to do is implement IHttpModule something like this:

    using System;
    using System.Web;

    public class IPWhitelistModule : IHttpModule
    {
        public void Dispose()
        {
            // Nothing to dispose
        }

        public void Init(HttpApplication context)
        {
            // Run on every request, before routing decides where it goes
            context.BeginRequest += new EventHandler(this.Application_BeginRequest);
        }

        private void Application_BeginRequest(object source, EventArgs e)
        {
            HttpApplication application = (HttpApplication) source;
            HttpContext context = application.Context;

            // Client address as IIS sees it (behind a proxy this is the proxy's address)
            string address = context.Request.UserHostAddress;
            string filePath = context.Request.FilePath.ToLower();

            // Block anything under the umbraco folder except the paths the public
            // site needs, unless the client is on one of the internal networks
            if (filePath.Contains("umbraco")
                && !filePath.Contains("umbraco/api")
                && !filePath.Contains("umbraco/surface")
                && !filePath.Contains("umbraco/plugins")
                && !filePath.Contains("umbraco/webservices")
                && !filePath.Contains("umbraco/backoffice")
                && !address.StartsWith("10.")
                && !address.StartsWith("192.168."))
            {
                // Request is from an unauthorised IP, so redirect to 404
                string redirect = "http://" + context.Request.Url.Host + "/404";

                // Note: Response.Redirect replaces the status set here with a 302
                context.Response.StatusCode = 404;
                context.Response.Status = "404 Page not found";
                context.Response.Redirect(redirect);
            }
        }
    }
    

    Not perfect, but a good start. In my implementation, I also have a whitelist file, which gets loaded & cached on application startup, so external IP addresses can be added if desired.


    I also have a small check inside the inner If statement, so I am able to trigger a reload of the whitelist file without having to recycle the app pool, or touch any config files.


    Cheers, Hywel
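A hardened variant of the module above, added here as an example and not Hywel's code: it anchors the path check instead of using Contains, tests the client address against CIDR ranges instead of string prefixes, and answers 404 directly instead of redirecting. It assumes the site runs at the root of the host and that IIS reports the real client address in UserHostAddress; the class name, ranges and open prefixes are constructed values.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Web;
// Hypothetical hardened variant of the module in the post above (added example, not Hywel's code).
// Assumes UserHostAddress is the real client IP: behind a proxy or load balancer it is the
// proxy's address, so the module must not be relied on there unmodified.
public class IPAllowlistModule : IHttpModule
{
    // Allowed source networks in CIDR form (constructed sample values).
    static readonly string[] AllowedCidrs = { "10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8" };
    // Prefixes under /umbraco the public site needs; /umbraco/backoffice is left out on purpose (back-office API).
    static readonly string[] OpenPrefixes = { "/umbraco/surface/", "/umbraco/api/", "/umbraco/webservices/" };

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!IsProtectedPath(ctx.Request.Path) || IsAllowedAddress(ctx.Request.UserHostAddress)) return;
        // Plain 404 rather than Response.Redirect, which answers 302 and so confirms something exists here.
        ctx.Response.StatusCode = 404;
        ctx.Response.SuppressContent = true;
        ctx.ApplicationInstance.CompleteRequest();
    }

    // Anchored match on "/umbraco" or "/umbraco/..." (Contains("umbraco") also hits unrelated paths),
    // minus the prefixes the public site depends on.
    public static bool IsProtectedPath(string path)
    {
        string p = (path ?? "").ToLowerInvariant();
        if (p != "/umbraco" && !p.StartsWith("/umbraco/")) return false;
        foreach (string open in OpenPrefixes) if (p.StartsWith(open)) return false;
        return true;
    }

    // CIDR containment on the address bits, IPv4 only: an IPv6 client such as ::1 is denied
    // rather than matched by accident (add an IPv6 rule if you need one).
    public static bool IsAllowedAddress(string address)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(address, out ip) || ip.AddressFamily != AddressFamily.InterNetwork) return false;
        uint client = ToUInt32(ip.GetAddressBytes());
        foreach (string cidr in AllowedCidrs)
        {
            string[] parts = cidr.Split('/');
            uint mask = parts[1] == "0" ? 0u : 0xFFFFFFFFu << (32 - int.Parse(parts[1]));
            if ((client & mask) == (ToUInt32(IPAddress.Parse(parts[0]).GetAddressBytes()) & mask)) return true;
        }
        return false;
    }

    static uint ToUInt32(byte[] b) { return (uint)b[0] << 24 | (uint)b[1] << 16 | (uint)b[2] << 8 | b[3]; }
}
```

Register it in web.config exactly as Hywel shows in the next post, with the new class name in the type attribute.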

  • Hywel Rees 56 posts 224 karma points
    Aug 07, 2015 @ 15:35
    Hywel Rees
    1

    Oh, and of course - you will need to register your new module in the

    <system.webServer>
        <!-- Some stuff here -->
        <modules>
          <!-- Some stuff here -->
          <add name="IPWhitelistModule" type="IPWhitelistModule" />
        </modules>
        <!-- Some stuff here -->
    </system.webServer>
    
  • Arie 224 posts 675 karma points
    Aug 10, 2015 @ 01:03
    Arie
    0

    Another option would be to use URL Rewrite in IIS:

    http://www.iis.net/downloads/microsoft/url-rewrite

    Or, if you're lucky you have a WAF or ADC in front of your web server/farm and you can secure it there.

  • Craig Cronin 303 posts 502 karma points
    Aug 10, 2015 @ 11:55
    Craig Cronin
    0

    Thanks both for getting back with the suggestions. I'm not sure why but my implementation for my surface controller was having problems when I secured my umbraco folder by IP address.

    I changed the implementation and everything works now even though the site uses other surface controllers?

    So if anyone comes across the post, restricting by IP on the umbraco folder should work even if you are using surface controllers.

    I think I'm going to look into the url-rewrite though to see if this can be done by IP address. Then external users can be sent to a 404 page, whilst internal users get the desired access.

  • Craig Cronin 303 posts 502 karma points
    Feb 17, 2016 @ 15:11
    Craig Cronin
    0

    I've been having problems with this again and only just realised that my solution of IP restrictions didn't fully work.

    Hywel, great advice, your solution works perfectly.
