Securing the umbraco admin folder

We've currently got a website that has just gone live. We only want users from inside our network to be able to update the website.
I've looked at the issue this afternoon and it looks like I can restrict access to the folder through IIS and IP Filtering.
The issue is that I have a button which calls a surface controller, and when the restriction is on I get redirected to the surface controller instead.
http://www.ourdomain.co.uk/umbraco/Surface/LanguageSurface/English?currentId=1054
I need to be able to protect this folder but still allow surface controllers to be used.
Would really appreciate some help with this.... Please.

Hi Craig,
I was in this exact situation a month or so ago.
I needed to lock down access to the login screen, but allow access to Surface controllers, the API, Contour etc.
I achieved this by creating an IPWhitelistModule in the App_Code folder.
All you need to do is implement IHttpModule, something like this:

    using System;
    using System.Web;

    public class IPWhitelistModule : IHttpModule
    {
        public void Dispose()
        {
            // Nothing to dispose
        }

        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(this.Application_BeginRequest);
        }

        private void Application_BeginRequest(object source, EventArgs e)
        {
            HttpApplication application = (HttpApplication) source;
            HttpContext context = application.Context;
            string address = context.Request.UserHostAddress;
            // Lower-case once so every path test below is case-insensitive
            string filePath = context.Request.FilePath.ToLower();

            if (filePath.Contains("umbraco")
                && !filePath.Contains("umbraco/api")
                && !filePath.Contains("umbraco/surface")
                && !filePath.Contains("umbraco/plugins")
                && !filePath.Contains("umbraco/webservices")
                && !filePath.Contains("umbraco/backoffice")
                && !address.StartsWith("10.")
                && !address.StartsWith("192.168."))
            {
                // Request is from an unauthorised IP, so redirect to 404.
                // Note: Response.Redirect sends a 302 to the /404 page, so the
                // 404 status set here is replaced by the redirect status.
                string redirect = "http://" + context.Request.Url.Host + "/404";
                context.Response.StatusCode = 404;
                context.Response.Status = "404 Page not found";
                context.Response.Redirect(redirect);
            }
        }
    }

Not perfect, but a good start.
In my implementation, I also have a whitelist file, which gets loaded & cached on application startup, so external IP addresses can be added if desired.
I also have a small check inside the inner if statement, so I am able to trigger a reload of the whitelist file without having to recycle the app pool or touch any config files.
Oh, and of course - you will need to register your new module in the

    <system.webServer>
        <!-- Some stuff here -->
        <modules>
            <!-- Some stuff here -->
            <add name="IPWhitelistModule" type="IPWhitelistModule" />
        </modules>
        <!-- Some stuff here -->
    </system.webServer>

Cheers, Hywel

Another option would be to use URL Rewrite in IIS:
http://www.iis.net/downloads/microsoft/url-rewrite
Or, if you're lucky, you have a WAF or ADC in front of your web server/farm and you can secure it there.

Thanks both for getting back with the suggestions. I'm not sure why, but my implementation for my surface controller was having problems when I secured my umbraco folder by IP address.
I changed the implementation and everything works now, even though the site uses other surface controllers?
So if anyone comes across the post, restricting by IP on the umbraco folder should work even if you are using surface controllers.
I think I'm going to look into URL Rewrite though, to see if this can be done by IP address. Then external users can be sent to a 404 page, whilst internal users get the desired access.

I've been having problems with this again and only just realised that my solution of IP restrictions didn't fully work.
Hywel, great advice, your solution works perfectly.
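The module Hywel describes does the job with substring tests on the path and string-prefix tests on the address. As an added example (not Hywel's code, and not part of Umbraco), the module below keeps the same idea but makes the two checks structural: the backoffice path is matched on URL segments (so a page whose slug merely contains "umbraco" is not caught, and the exempted sub-paths must actually start with /umbraco/...), and the allow-list is a list of CIDR ranges parsed into bytes, so loopback, IPv6 and any external ranges can be added without prefix-string tricks. It also answers a real 404 instead of redirecting to a /404 page, which is what a missing page looks like to an outside caller, and it can be reloaded from the lines of a whitelist file without recycling the app pool. The class name, the allowed ranges, the exempted prefixes and the whitelist file format are all assumptions of this example.

```csharp
// Added example, not Hywel's code: segment-based path check + CIDR allow-list.
// Class name, ranges and exempted prefixes are assumptions, not Umbraco's.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;

public class BackofficeIpFilterModule : IHttpModule
{
    // Constructed default allow-list (private ranges + loopback); in practice
    // these lines come from a whitelist file handed to Load().
    private static readonly string[] DefaultCidrs =
        { "10.0.0.0/8", "192.168.0.0/16", "127.0.0.1/32", "::1/128" };

    // Backoffice sub-paths the public site itself needs (surface controllers,
    // APIs), so they stay reachable from any address.
    private static readonly string[] PublicPrefixes =
        { "/umbraco/surface/", "/umbraco/api/", "/umbraco/backoffice/",
          "/umbraco/webservices/", "/umbraco/plugins/" };

    // (network bytes, prefix length) pairs; replaced atomically by Load().
    private static List<Tuple<byte[], int>> _ranges = DefaultCidrs.Select(ParseCidr).ToList();

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    // Replace the allow-list from the lines of a whitelist file (assumed format:
    // one CIDR per line, '#' comments), e.g. after an admin-triggered reload.
    public static void Load(IEnumerable<string> cidrLines)
    {
        _ranges = cidrLines.Select(l => l.Trim())
                           .Where(l => l.Length > 0 && !l.StartsWith("#"))
                           .Select(ParseCidr).ToList();
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ShouldBlock(ctx.Request.Path, ctx.Request.UserHostAddress))
        {
            // Plain 404, no redirect: a redirect tells the caller the path exists
            // and is merely gated; a 404 looks like any other missing page.
            ctx.Response.Clear();
            ctx.Response.StatusCode = 404;
            ctx.Response.SuppressContent = true;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    // True when the request targets the backoffice, is not an exempted
    // sub-path, and the caller is outside every allowed range.
    public static bool ShouldBlock(string path, string remoteAddress)
    {
        string p = (path ?? "").ToLowerInvariant();
        bool backoffice = p == "/umbraco" || p.StartsWith("/umbraco/", StringComparison.Ordinal);
        if (!backoffice) return false;
        if (PublicPrefixes.Any(prefix => p.StartsWith(prefix, StringComparison.Ordinal))) return false;
        return !IsAllowed(remoteAddress);
    }

    public static bool IsAllowed(string remoteAddress)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddress ?? "", out ip)) return false; // unparsable -> deny
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();                    // ::ffff:10.1.2.3 -> 10.1.2.3
        byte[] bytes = ip.GetAddressBytes();
        return _ranges.Any(r => InRange(bytes, r.Item1, r.Item2));
    }

    private static Tuple<byte[], int> ParseCidr(string cidr)
    {
        string[] parts = cidr.Split('/');
        byte[] net = IPAddress.Parse(parts[0]).GetAddressBytes();
        int prefix = parts.Length > 1 ? int.Parse(parts[1]) : net.Length * 8; // bare address = host
        if (prefix < 0 || prefix > net.Length * 8) throw new FormatException("bad prefix: " + cidr);
        return Tuple.Create(net, prefix);
    }

    // Compare the first 'prefix' bits of addr and net; v4 and v6 never match each other.
    private static bool InRange(byte[] addr, byte[] net, int prefix)
    {
        if (addr.Length != net.Length) return false;
        int fullBytes = prefix / 8, remBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++)
            if (addr[i] != net[i]) return false;
        if (remBits == 0) return true;
        int mask = (0xFF << (8 - remBits)) & 0xFF;
        return (addr[fullBytes] & mask) == (net[fullBytes] & mask);
    }
}
```

Register it in web.config exactly as Hywel shows (an `<add name="..." type="BackofficeIpFilterModule" />` entry under `<system.webServer><modules>`). Two things to check before trusting any module of this kind: `UserHostAddress` is the address of whatever connected to IIS, so behind a load balancer or reverse proxy it is the proxy's address and the allow-list silently matches (or blocks) everyone; only use a forwarded-for header if a trusted proxy sets it and the module strips any copy the client sent. And because the exempted prefixes are reachable from anywhere, whatever lives under them (for example the backoffice API endpoints) is protected only by its own authentication, not by this filter.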