  • Vaidas 22 posts 65 karma points
    Oct 16, 2015 @ 09:22

    Disabling access to umbraco backoffice

    Hey all,

    Is it possible to disable access to umbraco's backoffice while leaving all the surface and api controllers working? What would be the correct way to achieve this?

    I have 2 copies of the same solution running on the IIS in different websites. One is used as "backend", the other - "frontend". I would like to restrict the access to "frontend"'s /umbraco url aka backoffice.

    Umbraco 7.2.6

  • Dennis Aaen 4427 posts 17860 karma points admin hq c-trib
    Oct 16, 2015 @ 09:51

    Hi Vaidas,

    Try checking out this blog post; with this approach, the Surface controllers should still work.

    Hope this helps and works for you.


  • Jeavon Leopold 2997 posts 13125 karma points MVP 6x admin c-trib
    Oct 16, 2015 @ 10:50

    Yes, as Dennis mentioned, using a rewrite rule is the best way. Based on the article, this is the rule we currently use:

                <!-- Restrict access to Umbraco -->
                <rule name="Restrict access" stopProcessing="true">
                    <match url="umbraco(?!/Surface/)(?!/Api/)(?!/api/)(?!/webservices/)" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <!-- negate="true": the rule fires for every host except the admin host -->
                        <add input="{HTTP_HOST}" pattern="(([^.]+)\.)?admin\.example\.com" negate="true" />
                    </conditions>
                    <action type="Redirect" url="/not-found/" appendQueryString="false" />
                </rule>

  • Cristhian Amaya 52 posts 413 karma points
    Sep 14, 2017 @ 10:49

    This works perfect! A little improvement is that the regex for the backoffice can be simplified to:

              <match url="^umbraco$" />

    If there's something else after /umbraco (surface, api, etc.) the rule wouldn't be triggered.
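
A quick way to check which requests each `<match url>` pattern from the two posts above actually redirects, before changing the rule on a live frontend (an added example, not code from the thread). It models IIS URL Rewrite's defaults as assumptions, and the hosts and paths are constructed samples.

```javascript
// Added example, not from the thread. Sample hosts and paths are constructed.
// Assumes IIS URL Rewrite defaults: ECMAScript pattern syntax, ignoreCase="true",
// and a <match url> input that has no leading slash and no query string.
const JEAVON = "umbraco(?!/Surface/)(?!/Api/)(?!/api/)(?!/webservices/)";
const CRISTHIAN = "^umbraco$";
// Host condition from the rule, with every dot escaped.
const ADMIN_HOST = "(([^.]+)\\.)?admin\\.example\\.com";

// Turn a request path into the string IIS hands to <match url>.
function ruleInput(requestPath) {
  return requestPath.split("?")[0].replace(/^\//, "");
}

// True when the rule would fire (redirect to /not-found/) for this request.
function isRedirected(host, requestPath, urlPattern) {
  const urlMatches = new RegExp(urlPattern, "i").test(ruleInput(requestPath));
  // negate="true": the condition is satisfied when the host is NOT the admin host.
  const isAdminHost = new RegExp(ADMIN_HOST, "i").test(host);
  return urlMatches && !isAdminHost;
}

const SAMPLE_PATHS = [
  "/umbraco",
  "/umbraco/",
  "/umbraco/some-backoffice-page",      // placeholder, not a real Umbraco path
  "/umbraco/Surface/Contact/Submit",
  "/umbraco/api/products/getall",
  "/umbraco/webservices/legacy.asmx",
  "/media/umbraco-logo.png",            // the unanchored pattern also matches here
];

// One row per path: does each pattern redirect it on the given host?
function coverage(host) {
  return SAMPLE_PATHS.map((path) => ({
    path,
    jeavon: isRedirected(host, path, JEAVON),
    cristhian: isRedirected(host, path, CRISTHIAN),
  }));
}

console.table(coverage("www.example.com"));
console.table(coverage("admin.example.com"));
```

Run the same table against your own URL list before deploying a rule change; the rows where the two columns differ are the paths whose handling changes between the two patterns.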


  • Vaidas 22 posts 65 karma points
    Oct 16, 2015 @ 12:09

    Thanks! It worked.

  • Trey 14 posts 108 karma points
    Sep 28, 2016 @ 21:46

    Hey All,

    We are trying to set up something similar in our environments, but the links in this thread are no longer active.

    Our particular situation is that we would like to disable access to the back office on our slave servers, but retain their ability to use umbraco/api etc. Ideally we would want to have the /umbraco only url redirect to the master server's /umbraco.

    Could we get an update on this topic?

  • MuirisOG 371 posts 1259 karma points
    Mar 24, 2017 @ 10:54

    Just been looking into this and found the link above is broken, but this is the page you are looking for.

  • John Oxenbridge 3 posts 74 karma points
    Jun 04, 2018 @ 13:40

    In case anyone is having problems with Umbraco Forms asset files failing to serve when this rule is applied in a split environment, we had to add a "negate condition" to the rule to allow the assets to be served on the public frontend:

    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
        <add input="{PATH_INFO}" pattern="/App_Plugins/UmbracoForms/Assets/" negate="true" />
    </conditions>