
  • chris 69 posts 92 karma points
    May 12, 2010 @ 01:56
    chris
    0

    Prevent external access to /umbraco

    I have umbraco up and running, now I'd like to prevent access to http://servername.com/umbraco/# from the internet. This is umbraco 4.0.3 on Win 2008 IIS7. The IP4 block in IIS7 doesn't seem to be able to prevent access to the admin page. I'd prefer not to rename the /umbraco folder at all.

    Is there a way that I can do this?

  • Tizer 170 posts 201 karma points
    May 12, 2010 @ 03:24
    Tizer
    0

    htaccess?

    Sorry - if I'm way off the mark... just moved over from apache

  • Aaron Powell 1708 posts 3046 karma points c-trib
    May 12, 2010 @ 05:45
    Aaron Powell
    0

    I believe you can use the htaccess (or its IIS equivalent) to do this.

    Or you could write a HttpModule to do it.

  • Petr Snobelt 923 posts 1535 karma points
    May 12, 2010 @ 08:46
  • chris 69 posts 92 karma points
    May 12, 2010 @ 17:53
    chris
    0

    Hi Petr, ipsecurity element is the IP4 block that I already mentioned above which does not work. I guess there is no way to prevent logging in to the admin page from external.

  • chris 69 posts 92 karma points
    May 12, 2010 @ 17:55
    chris
    0

    Is there a way I can change the default port for the admin login? This would be an easier workaround.

  • Masood Afzal 176 posts 522 karma points
    May 12, 2010 @ 18:25
    Masood Afzal
    0

    Not sure, but maybe it works

      <location path="umbraco">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  • Petr Snobelt 923 posts 1535 karma points
    May 12, 2010 @ 21:43
    Petr Snobelt
    0

    You can rename login.aspx to something else and add a "fake" default.aspx which redirects to google...

  • Petr Snobelt 923 posts 1535 karma points
    May 12, 2010 @ 21:45
    Petr Snobelt
    0

    You can also add your own logic to default.aspx, which redirects only internet users to something like not authorized ....

  • Steen Tøttrup 191 posts 291 karma points c-trib
    May 13, 2010 @ 11:42
    Steen Tøttrup
    0

    mmm... IP4 address restrictions should work, if you put them on the folder, and remember to set it to DENY ALL as default. Could you put up a screenshot of the settings you have on the folder?

     

  • chris 69 posts 92 karma points
    May 13, 2010 @ 17:52
    chris
    0

    IP4 address restriction will not work, since this will block everything. I don't want to block everything, just people outside the firewall, but still allow inside people to get in. Inside firewall there are public IP addresses, which is why the filtering won't work.

    Renaming the login.aspx as Petr suggested might work and is the easiest; I can let others use a different name to manage contents. Is there a potential problem with renaming the login.aspx, like other modules that might use it?

  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    May 13, 2010 @ 17:55
    Sebastiaan Janssen
    0

    The problem would be that people could still guess the new URL.

    How about plain old IIS authentication? Go to your site in IIS, click on the /umbraco folder and go to "Authentication". Disable anonymous authentication and enable some other form of authentication. That way it will only work on the /umbraco folder.

  • Jeff Grine 149 posts 189 karma points
    May 13, 2010 @ 18:06
    Jeff Grine
    0

    If it's only internal, could you use an internal ip that wouldn't get any traffic from outside the firewall?

  • Steen Tøttrup 191 posts 291 karma points c-trib
    May 13, 2010 @ 20:10
    Steen Tøttrup
    0

    Why on earth do you have ppl with public IP numbers on your internal network, behind the firewall?

    Well no idea then, unless you will add the IP addresses (with network masks).

     

    regards,

    Steen

  • chris 69 posts 92 karma points
    Jun 14, 2010 @ 22:15
    chris
    0

    I decided to just rename the aspx, it's just the easiest.

  • John 18 posts 74 karma points c-trib
    Feb 17, 2016 @ 08:24
    John
    0

    This code (IIS 7.5+) will show it as not found for unlisted IP addresses

    <location path="umbraco">
      <system.webServer>
        <security>
          <ipSecurity allowUnlisted="false" denyAction="NotFound">
          </ipSecurity>
        </security>
      </system.webServer>
    </location>

    For more details and options have a look at https://www.iis.net/configreference/system.webserver/security/ipsecurity
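
Added example, not part of John's post or of Umbraco itself: the same ipSecurity block with allow entries filled in, using network masks as Steen suggested, so that listed internal clients still reach /umbraco while everyone else gets a 404. All addresses are constructed placeholders; the third entry stands in for a public range that sits inside the firewall.

```xml
<!-- web.config at the site root (example values, not from the thread) -->
<location path="umbraco">
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": deny every client not matched by an entry below.
           denyAction="NotFound": denied clients receive a 404 rather than a 403. -->
      <ipSecurity allowUnlisted="false" denyAction="NotFound">
        <!-- Requests made on the server itself -->
        <add ipAddress="127.0.0.1" allowed="true" />
        <!-- Constructed placeholder: private internal subnet -->
        <add ipAddress="10.0.0.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- Constructed placeholder: public range used inside the firewall -->
        <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
```

The rules match the client address as IIS sees it, so behind a reverse proxy or NAT device every request may appear to come from that device's address.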

  • Yitro Kurniawan 2 posts 22 karma points
    Jun 17, 2016 @ 03:25
    Yitro Kurniawan
    0

    Hi,

    In case you find that ipSecurity doesn't work, please enable read/write in Feature Delegation as described here: http://stackoverflow.com/questions/16220819/internal-server-error-with-web-config-ipsecurity

    For others that run into this issue: the cause of the issue is that Feature Delegation doesn't allow the feature to be managed by web.config.

    To Fix:

    Verify that the Feature is enabled for web.config management

    1. In IIS 7, click on the root server.
    2. Double click Feature Delegation (under Management).
    3. Scroll down to IPv4 Address and Domain Restrictions.
    4. Change the delegation to Read/Write (in my case it was Read Only, which was the issue).
