how do i block access to umbraco in iis 10 - Using Umbraco and getting started

Go to solution

Press Ctrl / CMD + C to copy this to your clipboard.

Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

Nikhil 54 posts 166 karma points

Feb 23, 2021 @ 09:11

0

How do I block access to /Umbraco in IIS 10?

I wish Umbraco had a config flag to switch off access or restrict it to a set of IP addresses.

I have tried URL rewrite etc... but always see errors. Tried restricting the Umbraco directory access too without success.

Has anyone successfully done this and how?

Copy Link
Huw Reddick 1929 posts 6697 karma points MVP 2x c-trib

Feb 23, 2021 @ 09:30

0

you should be able to set ip restrictions in your web.config.

What are the errors you are getting?

Copy Link
Nikhil 54 posts 166 karma points

Feb 23, 2021 @ 09:36

0

How to deny and allow access certain path/directory/file based on IP Address without changing codes?

Would this work? It says that generally these should be applied at the site level and not the folder or file level.

Copy Link
Nikhil 54 posts 166 karma points

Feb 23, 2021 @ 09:45

1

The last time I setup IP restrictions for the Umbraco folder we were seeing files not getting saved and 403s for the whole Umbraco login page.

Copy Link

Huw Reddick 1929 posts 6697 karma points MVP 2x c-trib

Feb 23, 2021 @ 10:54

what url's were you restricting access to?

This is what I use and not had any issues so far

<rewrite>
  <rules>
    <rule name="Ignore" stopProcessing="true">
      <match url="^(?:umbraco/api|umbraco/surface|umbraco/backoffice)/" />
      <action type="None" />
    </rule>
    <rule name="Allowed IPs" stopProcessing="true">
      <match url="^(?:app_plugins|config|umbraco)(?:/|$)" />
      <conditions>
        <add input="{REMOTE_ADDR}" negate="true" pattern="::1|127.0.0.1| etc." />
        <add input="{HTTP_X_FORWARDED_FOR}" pattern="some ip's" negate="true" />
      </conditions>
      <action type="AbortRequest" />
    </rule>
  </rules>
</rewrite>

Copy Link

Nikhil 54 posts 166 karma points

Feb 23, 2021 @ 11:12
0
```
    <add input="{REMOTE_ADDR}" negate="true" pattern="::1|127.0.0.1| etc." />
    <add input="{HTTP_X_FORWARDED_FOR}" pattern="some ip's" negate="true" />
```
For "REMOTEADDR" and "HTTPXFORWARDEDFOR" I would add IP addresses as "IP1|IP2|IP3" and this would allow access. Am I right?

"HTTPXFORWARDED_FOR" - Would this work when your site is behind a Microsoft Application Gateway V1? The V1 does not have the facility to remove port numbers from the IP addresses.
Copy Link
Huw Reddick 1929 posts 6697 karma points MVP 2x c-trib

Feb 23, 2021 @ 13:20

1

first part of your question, yes, add the IP's as you suggest to allow access.

can't answer your second question specifically as not used Microsoft application gateway, but it may work, it is for exposing the originating callers ip when behind a proxy or load balancing

Copy Link
Nikhil 54 posts 166 karma points

Feb 23, 2021 @ 16:22
0
Thank you. I am trying this out. I have also added:
```
<denyUrlSequences>
<add sequence=":" />
<add sequence="^(.*)//+(.*)$" />
<add sequence="w00tw00t.at.blackhats.romanian.anti-sec:)" />
<add sequence=".." />
```
Any other ones you use?
Copy Link
[email protected] 408 posts 2137 karma points MVP 8x c-trib

Feb 23, 2021 @ 15:05

2

Hi Nikhil,

there's some excellent documentation available: https://our.umbraco.com/documentation/Reference/Security/Security-hardening/

Kindest regards, Jeffrey

Copy Link
Nikhil 54 posts 166 karma points

Feb 23, 2021 @ 16:22
0
Thank you. I am trying this out. I have also added:
```
<denyUrlSequences>
<add sequence=":" />
<add sequence="^(.*)//+(.*)$" />
<add sequence="w00tw00t.at.blackhats.romanian.anti-sec:)" />
<add sequence=".." />
```
Any other ones you use?
Copy Link
is working on a reply...

Please Sign in or register to post replies

Flag this post as spam?

How do I block access to /Umbraco in IIS 10?