I have umbraco up and running, now I'd like to prevent http://servername.com/umbraco/# from the internet. This is umbraco 4.0.3 on Win 2008 IIS7. The IP4 block in IIS7 doesn't seem to be able to prevent access to the admin page. I'd prefer not to rename the /umbraco folder at all.
Hi Petr, ipsecurity element is the IP4 block that I already mentioned above which does not work. I guess there is no way to prevent logging in to the admin page from external.
mmm... IP4 address restrictions should work, I you put them on the folder, and remember to set it to DENY ALL as default. Could you put up a screenshot of the settings you have on the folder?
IP4 address restriction will not work, since this will block everything. I don't want to block everything, just people outside the firewall, but still allow inside people to get in. Inside firewall there are public IP addresses, which is why the filtering won't work.
Renaming the login.aspx as Petr suggested might work and easiest; I can let others use different name to manage contents. Is there potential problem by renaming the login.aspx, like other modules might use it?
The problem would be that people could still guess the new URL.
How about plain old IIS authentication? Go to your site in IIS, click on the /umbraco folder and go to "Authentication". Disable anonymous authentication and enable some other form of authentication. That way it will only work on the /umbraco folder.
For others that run into this issue. The cause of the issue is that Feature Delegation doesn't allow the feature to be managed by web.config.
To Fix:
Verify that the Feature is enabled for web.config management
In IIS 7, click on the root server Double click Feature Delegation (under management) Scroll down to IPv4 Address and Domain Restrictions Change the delegation to Read/Write (in my case it was Read Only, which was the issue)
Prevent external access to /umbraco
I have umbraco up and running, now I'd like to prevent http://servername.com/umbraco/# from the internet. This is umbraco 4.0.3 on Win 2008 IIS7. The IP4 block in IIS7 doesn't seem to be able to prevent access to the admin page. I'd prefer not to rename the /umbraco folder at all.
Is there a way that I can do this?
htaccess?
Sorry - if I'm way off the mark... just moved over from apache
I believe you can use the htaccess (or it's IIS equivalent) to do this.
Or you could write a HttpModule to do it.
What about using ipsecurity element?
http://www.iis.net/ConfigReference/system.webServer/security/ipSecurity
Petr
Hi Petr, ipsecurity element is the IP4 block that I already mentioned above which does not work. I guess there is no way to prevent logging in to the admin page from external.
Is there a way I can change the default port for the admin login? this would be an easier work around.
Not sure but may be it works
You can rename login.aspx to something else and add "fake" default.aspx which redirect to google...
You also can add your own logic to default.aspx, which redirect only internet users to something like not authorized ....
mmm... IP4 address restrictions should work, I you put them on the folder, and remember to set it to DENY ALL as default. Could you put up a screenshot of the settings you have on the folder?
IP4 address restriction will not work, since this will block everything. I don't want to block everything, just people outside the firewall, but still allow inside people to get in. Inside firewall there are public IP addresses, which is why the filtering won't work.
Renaming the login.aspx as Petr suggested might work and easiest; I can let others use different name to manage contents. Is there potential problem by renaming the login.aspx, like other modules might use it?
The problem would be that people could still guess the new URL.
How about plain old IIS authentication? Go to your site in IIS, click on the /umbraco folder and go to "Authentication". Disable anonymous authentication and enable some other form of authentication. That way it will only work on the /umbraco folder.
If it's only internal, could you use an internal ip that wouldn't get any traffic from outside the firewall?
Why on earth do you have ppl with public IP numbers on your internal network, behind the firewall?
Well no idea then, unless you will add the IP addresses (with network masks).
regards,
Steen
I decided to just renamed the aspx, it's just the easiest.
This code (IIS 7.5+) will show it as not found for unlisted IP addresses
For more details and options have a look at https://www.iis.net/configreference/system.webserver/security/ipsecurity
Hi,
In case you found the ipSecurity won't worked. Please enable read/write in feature delegation as described here : http://stackoverflow.com/questions/16220819/internal-server-error-with-web-config-ipsecurity
For others that run into this issue. The cause of the issue is that Feature Delegation doesn't allow the feature to be managed by web.config.
To Fix:
Verify that the Feature is enabled for web.config management
In IIS 7, click on the root server Double click Feature Delegation (under management) Scroll down to IPv4 Address and Domain Restrictions Change the delegation to Read/Write (in my case it was Read Only, which was the issue)
is working on a reply...