Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Jonathan Roberts 409 posts 1063 karma points
    Feb 10, 2015 @ 16:21
    Jonathan Roberts
    0

    Courier 2 Security using Umbraco 7.2

    Hi,

    We are currently using Umbraco 7.2 and have just purchased the licence for Courier 2.

    We have three sites all on the same server, a UAT, Staging and live site and we wanted to move files, data etc from one site to another. Courier does exactly what we want, which is great.

    However, we cant seem to set up the security in the courier.config file to prevent other sites that have Courier installed on moving files and data up to our sites.

    As a test we have configured each config file to deny all (*) Ipfilters and deny all user filters - for example:

      <security>
    <token></token>
    <filters>
    <ipfilter>
    <deny>*</deny>
     </ipfilter>
     <userfilter>
    <deny>*</deny>
    </userfilter>
     </filters>
    </security>

    but we can still transfer data across the sites. Even the repository login and password doesnt prevent this from happening.

     Are we doing this incorrectly? Or are we missing something? 

    Jon

  • Paul Sterling 718 posts 1534 karma points MVP 9x admin c-trib
    Feb 10, 2015 @ 19:40
    Paul Sterling
    0

    @Johnathan 

    If you leave the <ipfilter><allow></allow> as empty all IP will be denied.  The way it's intended to be used is to add only the IP's you want to allow, the rule for denying all is to leave <allow> empty.  Not sure that's obvious, but that's how it's intended.

  • Jonathan Roberts 409 posts 1063 karma points
    Feb 12, 2015 @ 10:36
    Jonathan Roberts
    0

    Hi,

    Do you have any documentation on how to restrict Ip addresses and users. I would like to restrict this to a single IP address and a single Administrator user. I have tried the following code but this doesnt work and still allows the user to use Courier.

      <security>

        <token></token>

        <filters>

          <ipfilter>

                    <allow>10.XXX.XXX.XXX</allow>

          </ipfilter>

          <userfilter>

            <allow>Administrator</allow>

            <deny>*</deny>

          </userfilter>

        </filters>

     

      </security>

     

    Could you also explain which site (all on the same server) these restrictions need to be applied to eg, we have three sites, a UAT, Staging and Live. Do these settings need to be applied to the site sending the files or the server who is receiving the files?

    These three sites all use the same IP address.

    Thanks for all your help,

    Jon

  • Paul Sterling 718 posts 1534 karma points MVP 9x admin c-trib
    Feb 12, 2015 @ 18:41
    Paul Sterling
    0

    @Johnathan 

    With all sites sharing the same IP the <ipfilter> isn't going to be of much use - though it will prevent courier from a different IP from connecting.  The settings are applied to the target instance.  So if you want to restrict which IPs can connect to your live site, you update the config on the live site, and so on....

    The <userfilter> should allow only the "administrator" user to connect the way you have it set currently.  

    It might be helpful to have a look at how courier does these checks in the shared-source library:  https://github.com/umbraco/Courier/blob/master/Providers/Umbraco.Courier.RepositoryProviders/WebserviceProvider/Security/SecurityHelper.cs

Please Sign in or register to post replies

Write your reply to:

Draft