We are currently using Umbraco 7.2 and have just purchased the licence for Courier 2.
We have three sites all on the same server, a UAT, Staging and live site and we wanted to move files, data etc from one site to another. Courier does exactly what we want, which is great.
However, we cant seem to set up the security in the courier.config file to prevent other sites that have Courier installed on moving files and data up to our sites.
As a test we have configured each config file to deny all (*) Ipfilters and deny all user filters - for example:
If you leave the <ipfilter><allow></allow> as empty all IP will be denied. The way it's intended to be used is to add only the IP's you want to allow, the rule for denying all is to leave <allow> empty. Not sure that's obvious, but that's how it's intended.
Do you have any documentation on how to restrict Ip addresses and users. I would like to restrict this to a single IP address and a single Administrator user. I have tried the following code but this doesnt work and still allows the user to use Courier.
<security>
<token></token>
<filters>
<ipfilter>
<allow>10.XXX.XXX.XXX</allow>
</ipfilter>
<userfilter>
<allow>Administrator</allow>
<deny>*</deny>
</userfilter>
</filters>
</security>
Could you also explain which site (all on the same server) these restrictions need to be applied to eg, we have three sites, a UAT, Staging and Live. Do these settings need to be applied to the site sending the files or the server who is receiving the files?
With all sites sharing the same IP the <ipfilter> isn't going to be of much use - though it will prevent courier from a different IP from connecting. The settings are applied to the target instance. So if you want to restrict which IPs can connect to your live site, you update the config on the live site, and so on....
The <userfilter> should allow only the "administrator" user to connect the way you have it set currently.
Courier 2 Security using Umbraco 7.2
Hi,
We are currently using Umbraco 7.2 and have just purchased the licence for Courier 2.
We have three sites all on the same server, a UAT, Staging and live site and we wanted to move files, data etc from one site to another. Courier does exactly what we want, which is great.
However, we cant seem to set up the security in the courier.config file to prevent other sites that have Courier installed on moving files and data up to our sites.
As a test we have configured each config file to deny all (*) Ipfilters and deny all user filters - for example:
<security>
<token></token>
<filters>
<ipfilter>
<deny>*</deny>
</ipfilter>
<userfilter>
<deny>*</deny>
</userfilter>
</filters>
</security>
but we can still transfer data across the sites. Even the repository login and password doesnt prevent this from happening.
Are we doing this incorrectly? Or are we missing something?
Jon
@Johnathan
If you leave the <ipfilter><allow></allow> as empty all IP will be denied. The way it's intended to be used is to add only the IP's you want to allow, the rule for denying all is to leave <allow> empty. Not sure that's obvious, but that's how it's intended.
Hi,
Do you have any documentation on how to restrict Ip addresses and users. I would like to restrict this to a single IP address and a single Administrator user. I have tried the following code but this doesnt work and still allows the user to use Courier.
<security>
<token></token>
<filters>
<ipfilter>
<allow>10.XXX.XXX.XXX</allow>
</ipfilter>
<userfilter>
<allow>Administrator</allow>
<deny>*</deny>
</userfilter>
</filters>
</security>
Could you also explain which site (all on the same server) these restrictions need to be applied to eg, we have three sites, a UAT, Staging and Live. Do these settings need to be applied to the site sending the files or the server who is receiving the files?
These three sites all use the same IP address.
Thanks for all your help,
Jon
@Johnathan
With all sites sharing the same IP the <ipfilter> isn't going to be of much use - though it will prevent courier from a different IP from connecting. The settings are applied to the target instance. So if you want to restrict which IPs can connect to your live site, you update the config on the live site, and so on....
The <userfilter> should allow only the "administrator" user to connect the way you have it set currently.
It might be helpful to have a look at how courier does these checks in the shared-source library: https://github.com/umbraco/Courier/blob/master/Providers/Umbraco.Courier.RepositoryProviders/WebserviceProvider/Security/SecurityHelper.cs
is working on a reply...