  • Craig Cronin 303 posts 502 karma points
    Jul 30, 2015 @ 14:21
    Craig Cronin

    Securing the umbraco admin folder

    We've currently got a website that has just gone live. We only want users from inside our network to be able to update the website.

    I've looked at the issue this afternoon and it looks like I can restrict access to the folder through IIS and IP Filtering.

    The issue is that I have a button which calls a surface controller, and when the restriction is on I get redirected to the surface controller instead.

    I need to be able to protect this folder but still allow surface controllers to be used.

    Would really appreciate some help with this....Please.

  • Hywel Rees 56 posts 224 karma points
    Aug 07, 2015 @ 15:30
    Hywel Rees

    Hi Craig,

    I was in this exact situation a month or so ago.

    I needed to lock down access to the login screen, but allow access to Surface controllers, the API, Contour, etc.

    I achieved this by creating an IPWhitelistModule in the App_Code folder.

    All you need to do is implement IHttpModule something like this:

    using System;
    using System.Web;

    public class IPWhitelistModule : IHttpModule
    {
        public void Dispose()
        {
            // Nothing to dispose
        }

        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(this.Application_BeginRequest);
        }

        private void Application_BeginRequest(object source, EventArgs e)
        {
            HttpApplication application = (HttpApplication) source;
            HttpContext context = application.Context;
            string address = context.Request.UserHostAddress;
            string filePath = context.Request.FilePath;

            // Block anything under the umbraco folder except the paths that surface
            // controllers, the API, plugins, web services and the back office need,
            // and let requests from the internal address ranges through.
            if (filePath.ToLower().Contains("umbraco")
                && !filePath.ToLower().Contains("umbraco/api")
                && !filePath.ToLower().Contains("umbraco/surface")
                && !filePath.ToLower().Contains("umbraco/plugins")
                && !filePath.ToLower().Contains("umbraco/webservices")
                && !filePath.ToLower().Contains("umbraco/backoffice")
                && !address.StartsWith("10.")
                && !address.StartsWith("192.168."))
            {
                // Request is from an unauthorised IP, so answer with a 404
                context.Response.StatusCode = 404;
                context.Response.Status = "404 Page not found";
                application.CompleteRequest(); // stop the pipeline so the back office is never reached
            }
        }
    }

    Not perfect, but a good start. In my implementation, I also have a whitelist file, which gets loaded & cached on application startup, so external IP addresses can be added if desired.

    I also have a small check inside the inner If statement, so I am able to trigger a reload of the whitelist file without having to recycle the app pool, or touch any config files.

    Cheers, Hywel
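    A hardened variant of the check in Hywel's module, added here as an example and not code from the thread: it matches the back-office folder by path segment rather than by substring, and tests the client address against CIDR ranges instead of string prefixes, so IPv4-mapped IPv6 addresses and unparseable values are handled. BackOfficeAccess, IsAllowed and InCidr are hypothetical names, and the whitelist ranges are constructed sample values.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;

public static class BackOfficeAccess
{
    // Same exceptions as the module above, as path prefixes rather than substrings.
    static readonly string[] PublicPrefixes = { "/umbraco/api/", "/umbraco/surface/",
        "/umbraco/plugins/", "/umbraco/webservices/", "/umbraco/backoffice/" };
    // Constructed sample whitelist; replace with your own internal ranges.
    static readonly string[] AllowedCidrs = { "10.0.0.0/8", "192.168.0.0/16", "127.0.0.1/32" };

    public static bool IsAllowed(string filePath, string remoteAddress)
    {
        string path = (filePath ?? "/").ToLowerInvariant();
        // Only the back-office folder itself is protected; "/about-umbraco" is not.
        if (path != "/umbraco" && !path.StartsWith("/umbraco/")) return true;
        if (PublicPrefixes.Any(p => path.StartsWith(p))) return true;
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddress, out ip)) return false;
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();   // "::ffff:10.1.2.3" -> 10.1.2.3
        return AllowedCidrs.Any(c => InCidr(ip, c));
    }

    static bool InCidr(IPAddress ip, string cidr)
    {
        string[] parts = cidr.Split('/');
        byte[] a = ip.GetAddressBytes(), n = IPAddress.Parse(parts[0]).GetAddressBytes();
        int bits = int.Parse(parts[1]);
        if (a.Length != n.Length) return false;              // IPv4 vs IPv6 never match
        for (int i = 0; i < a.Length; i++)
        {
            int mask = (0xFF << (8 - Math.Max(0, Math.Min(8, bits - i * 8)))) & 0xFF;
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }
}

public class IPWhitelistModule : IHttpModule
{
    public void Dispose() { }
    public void Init(HttpApplication app) { app.BeginRequest += (s, e) => Check((HttpApplication)s); }

    static void Check(HttpApplication app)
    {
        // UserHostAddress is the TCP peer; behind a proxy or load balancer that is the proxy,
        // so the restriction then belongs on the proxy or on a header only it can set.
        if (BackOfficeAccess.IsAllowed(app.Request.FilePath, app.Request.UserHostAddress)) return;
        app.Response.StatusCode = 404;
        app.CompleteRequest();   // stop the pipeline so the back office never executes
    }
}
```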

  • Hywel Rees 56 posts 224 karma points
    Aug 07, 2015 @ 15:35
    Hywel Rees

    Oh, and of course - you will need to register your new module in the

        <!-- Some stuff here -->
          <!-- Some stuff here -->
          <add name="IPWhitelistModule" type="IPWhitelistModule" />
        <!-- Some stuff here -->
  • Arie 224 posts 675 karma points
    Aug 10, 2015 @ 01:03

    Another option would be to use URL Rewrite in IIS:

    Or, if you're lucky you have a WAF or ADC in front of your web server/farm and you can secure it there.

  • Craig Cronin 303 posts 502 karma points
    Aug 10, 2015 @ 11:55
    Craig Cronin

    Thanks both for getting back with the suggestions. I'm not sure why but my implementation for my surface controller was having problems when I secured my umbraco folder by IP address.

    I changed the implementation and everything works now even though the site uses other surface controllers?

    So if anyone comes across this post, restricting by IP on the umbraco folder should work even if you are using surface controllers.

    I think I'm going to look into URL Rewrite though to see if this can be done by IP address. Then external users can be sent to a 404 page, whilst internal users get the desired access.

  • Craig Cronin 303 posts 502 karma points
    Feb 17, 2016 @ 15:11
    Craig Cronin

    I've been having problems with this again and only just realised that my solution of IP restrictions didn't fully work.

    Hywel, great advice, your solution works perfectly.
