
  • Steveo 2 posts 22 karma points
    Mar 04, 2010 @ 17:54
    Steveo
    0

    Securing Umbraco

    Could someone help me please :), I'm new to umbraco and need some guidance on the best way to secure an umbraco installation that would be externally viewable on the internet. I wish to be able to disable access to all administration features externally and only allow access to all administration features internally on my network. My initial thought was to create 2 separate IIS websites, 1 for external use, 1 for internal use and restricting the external one as necessary. I'm using IIS6 on win2003 x64. If someone could tell me if I am heading in the right direction, or if there are any other more suitable alternatives that would be super.

    Cheers,

    Steveo

  • Tim 225 posts 690 karma points
    Mar 04, 2010 @ 18:01
    Tim
    0

    You could always prevent access to the umbraco folder based on IP address. You can set this in IIS.

    In the Directory Security tab there is a section called IP address and domain name restrictions.

    You can then set it to only allow access via your IP address.

    T

  • Douglas Robar 3570 posts 4711 karma points MVP ∞ admin c-trib
    Mar 04, 2010 @ 18:01
    Douglas Robar
    3

    Having two servers with one external and one internal that both work against the same content is the most secure approach... you can remove the /umbraco_client folder from the external server and there is no way to change the content from that server.

    This is explained in the umbraco.tv episode about load balancing. http://umbraco.org/documentation/videos/for-site-builders/load-balancing/how-to-setup-load-balancing

    You'll also want to turn off all debugging features on the live site (set in the web.config).

    And secure the file permissions. Here's a script to do that: http://blog.vizioz.com/2009/10/umbraco-permissions-script-secure.html

    cheers,
    doug.
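
Added example, not part of the original post and not Umbraco's own code: a small audit that parses a web.config and reports debug features that are still switched on, as the reply above recommends checking on the live site. The sample config is constructed, and the `umbracoDebugMode` appSettings key is assumed to be the name of Umbraco's own debug switch.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment for the example (not from a real site).
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="umbracoDebugMode" value="true" />
  </appSettings>
  <system.web>
    <compilation debug="true" defaultLanguage="c#" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>"""

# (element, attribute, risky value) for the ASP.NET debug-related settings.
RISKY_ATTRIBUTES = [
    ("compilation", "debug", "true"),   # debug builds, verbose error output
    ("customErrors", "mode", "off"),    # stack traces shown to remote users
    ("trace", "enabled", "true"),       # request trace viewer switched on
]


def audit_debug_settings(config_xml):
    """Return (setting, value) pairs for debug features still switched on."""
    root = ET.fromstring(config_xml)
    findings = []
    # iter() also reaches settings nested under <location> overrides.
    for element, attribute, risky in RISKY_ATTRIBUTES:
        for node in root.iter(element):
            value = (node.get(attribute) or "").strip()
            if value.lower() == risky:
                findings.append((f"{element}/@{attribute}", value))
    # Umbraco's own debug switch in appSettings (key name is an assumption).
    for node in root.iter("add"):
        if node.get("key") == "umbracoDebugMode":
            value = (node.get("value") or "").strip()
            if value.lower() == "true":
                findings.append(("appSettings/umbracoDebugMode", value))
    return findings


if __name__ == "__main__":
    for setting, value in audit_debug_settings(SAMPLE_WEB_CONFIG):
        print(f"still enabled: {setting} = {value}")
```

An empty result means none of the four settings is in its debug state; `customErrors` set to `RemoteOnly` or `On` passes the check.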

  • Tim 225 posts 690 karma points
    Mar 04, 2010 @ 18:05
    Tim
    0

    Ignore me I'm being dopey. Typing without thinking.

    Listen to Douglas not me :-)

    I wish I could delete posts!

    T

  • Douglas Robar 3570 posts 4711 karma points MVP ∞ admin c-trib
    Mar 04, 2010 @ 18:46
    Douglas Robar
    0

    Actually, Tim is onto something... you could have a single live server in your DMZ and restrict access to a bunch of the site (all the umbraco admin stuff) with firewall or IP permissions.

    Though not as secure as not having the files on the external server at all, it might be enough for you and you wouldn't have to have 2 servers in a load-balanced environment, which adds cost and complexity.

    Nice idea, Tim!

    cheers,
    doug.

  • Tim 225 posts 690 karma points
    Mar 04, 2010 @ 20:03
    Tim
    0

    Hah!

    I wasn't as befuddled as I thought!

    Although I think I still misread the question, to which your answer is more along the lines he has suggested.

    T

  • Steveo 2 posts 22 karma points
    Mar 05, 2010 @ 10:19
    Steveo
    0

    Hiya,

    Thanks for the speedy responses and ideas :)

    With regards to a load-balanced environment  how can you ensure that all the files + folders that need to be copied over (what are they??..)

    are in sync with the current content in the database  (robocopy?? what refresh period would be required?? or can umbraco copy the files for you??).

    Unfortunately at the moment I don't have a subscription to be able to view the load-balanced video (past the 3 minute mark)

    and still trying to piece together the internal processes / architecture on how umbraco works.  I've seen the courier product mentioned for umbraco pro, does this make the task of load-balancing any easier, what exactly does it do?

    Sorry for so many questions ....  it's all a bit new to me at the moment ... 

    Thanks once again :)

    Cheers,

    Steveo

  • Douglas Robar 3570 posts 4711 karma points MVP ∞ admin c-trib
    Mar 05, 2010 @ 12:11
    Douglas Robar
    0

    Hi, Steveo, and welcome to umbraco (forgot to welcome you with your original post...better late than never though)!

    Umbraco fully supports working in a load-balanced environment but it doesn't have load-balancing built-in. You need to set that up yourself. There are various posts and wiki articles about this but the general idea is that you have multiple servers all pointing to the same database but with the website files sync'd between them. You can do this with a SAN (best), DFS (good), NAS (can be problematic depending on permissions), or file sync tool (can work but not ideal). You'll also need a load balancer of some kind (software or hardware as your need dictates).

    But I wouldn't start out with umbraco in a load-balanced environment until I were better acquainted with it in a traditional single-server setup. That simply removes complexity while you're getting your head around umbraco, how it works, etc. You can easily update umbraco to a load-balanced configuration with a few .config file entries later on.

    Also, spend the few quid on a month of umbraco.tv. You'll easily save more time than you'll spend, and you'll learn lots. It's also a valuable resource to return to. At a minimum, watch the free videos and as many of the 3-5 minute video intros even if you don't have a subscription to see the whole thing. There's good stuff even in the first minutes of these "no fluff" vids.

    As for Courier... that isn't so much for load-balanced sites as it is for staging <-> production deployment of content and media. Probably not what you need at this moment.

    Hope this helps. Shout with more questions.

    cheers,
    doug.

  • jaygreasley 416 posts 403 karma points
    Mar 05, 2010 @ 20:05
    jaygreasley
    0

    I think that currently if you sign up for umbraco.tv you get 3 months for the price of 1 as well.
