
  • Nikhil 48 posts 159 karma points
    1 week ago
    Nikhil
    0

    How do I block access to /Umbraco in IIS 10?

    I wish Umbraco had a config flag to switch off access or restrict it to a set of IP addresses.

    I have tried URL rewrite etc... but always see errors. Tried restricting the Umbraco directory access too without success.

    Has anyone successfully done this and how?

  • Huw Reddick 298 posts 944 karma points
    1 week ago
    Huw Reddick
    0

    You should be able to set IP restrictions in your web.config.

    What are the errors you are getting?

  • Nikhil 48 posts 159 karma points
    1 week ago
    Nikhil
    0

    How to deny and allow access certain path/directory/file based on IP Address without changing codes?

    Would this work? It says that generally these should be applied at the site level and not the folder or file level.

  • Nikhil 48 posts 159 karma points
    1 week ago
    Nikhil
    0

    The last time I set up IP restrictions for the Umbraco folder we were seeing files not getting saved and 403s for the whole Umbraco login page.

  • Huw Reddick 298 posts 944 karma points
    1 week ago
    Huw Reddick
    100

    What URLs were you restricting access to?

    This is what I use and I have not had any issues so far

    <rewrite>
      <rules>
        <rule name="Ignore" stopProcessing="true">
          <match url="^(?:umbraco/api|umbraco/surface|umbraco/backoffice)/" />
          <action type="None" />
        </rule>
        <rule name="Allowed IPs" stopProcessing="true">
          <match url="^(?:app_plugins|config|umbraco)(?:/|$)" />
          <conditions>
            <add input="{REMOTE_ADDR}" negate="true" pattern="::1|127.0.0.1| etc." />
            <add input="{HTTP_X_FORWARDED_FOR}" pattern="some ip's" negate="true" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
    
  • Nikhil 48 posts 159 karma points
    1 week ago
    Nikhil
    0

        <add input="{REMOTE_ADDR}" negate="true" pattern="::1|127.0.0.1| etc." />
        <add input="{HTTP_X_FORWARDED_FOR}" pattern="some ip's" negate="true" />

    For "REMOTE_ADDR" and "HTTP_X_FORWARDED_FOR" I would add IP addresses as "IP1|IP2|IP3" and this would allow access. Am I right?

    "HTTP_X_FORWARDED_FOR" - Would this work when your site is behind a Microsoft Application Gateway V1? The V1 does not have the facility to remove port numbers from the IP addresses.

  • Huw Reddick 298 posts 944 karma points
    1 week ago
    Huw Reddick
    1

    First part of your question: yes, add the IPs as you suggest to allow access.

    Can't answer your second question specifically as I have not used Microsoft Application Gateway, but it may work; it is for exposing the originating caller's IP when behind a proxy or load balancing
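
An added example (not code from any poster in this thread) that checks candidate `pattern` values against constructed `REMOTE_ADDR` / `X-Forwarded-For` values, including the `IP:port` form asked about above. It assumes the proxy in front of IIS appends the connecting client's address as the last list entry; `strictPattern`, `isAborted`, `compare` and all addresses are hypothetical.

```javascript
// Added example: models the two negated conditions of the "Allowed IPs" rule.
// URL Rewrite's default pattern syntax is ECMAScript, so RegExp is a close stand-in.
// All addresses are constructed (documentation ranges), not taken from the thread.
const ALLOWED = ["203.0.113.10", "198.51.100.7"];

// Style used in the thread: "IP1|IP2", unanchored, dots unescaped.
const loosePattern = ALLOWED.join("|");

// Stricter variant (assumption): dots escaped, anchored to the LAST entry of a
// comma-separated list, with an optional ":port" suffix.
const escaped = ALLOWED.map((ip) => ip.replace(/\./g, "\\.")).join("|");
const strictPattern = `(?:^|,\\s*)(?:${escaped})(?::\\d+)?$`;

// Default logicalGrouping is MatchAll and both conditions are negate="true",
// so AbortRequest fires only when NEITHER input matches the pattern.
function isAborted(pattern, remoteAddr, xForwardedFor) {
  const re = new RegExp(pattern, "i"); // conditions ignore case by default
  return !re.test(remoteAddr) && !re.test(xForwardedFor || "");
}

// Constructed requests; 10.0.0.4 stands for the proxy's own address.
const SAMPLES = [
  { name: "allowed client, port appended", remote: "10.0.0.4", xff: "203.0.113.10:51234" },
  { name: "allowed client, direct", remote: "198.51.100.7", xff: "" },
  { name: "other client, prefix collision", remote: "10.0.0.4", xff: "203.0.113.101:40000" },
  { name: "other client, allowed IP earlier in list", remote: "10.0.0.4", xff: "203.0.113.10, 192.0.2.55:40000" },
  { name: "other client", remote: "10.0.0.4", xff: "192.0.2.55:40000" },
];

// Evaluate every sample under both patterns.
function compare() {
  return SAMPLES.map((s) => ({
    name: s.name,
    loose: isAborted(loosePattern, s.remote, s.xff) ? "abort" : "allow",
    strict: isAborted(strictPattern, s.remote, s.xff) ? "abort" : "allow",
  }));
}

console.table(compare());
```

Under MatchAll, listing the proxy's own address in the `REMOTE_ADDR` pattern makes that condition match for every proxied request, so the rule never aborts them.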

  • Nikhil 48 posts 159 karma points
    1 week ago
    Nikhil
    0

    Thank you. I am trying this out. I have also added:

    <denyUrlSequences>
      <add sequence=":" />
      <add sequence="^(.*)//+(.*)$" />
      <add sequence="w00tw00t.at.blackhats.romanian.anti-sec:)" />
      <add sequence=".." />
    </denyUrlSequences>

    Any other ones you use?

  • jeffrey@umarketingsuite.com 378 posts 1915 karma points MVP 4x c-trib
    1 week ago
    jeffrey@umarketingsuite.com
    2

    Hi Nikhil,

    there's some excellent documentation available: https://our.umbraco.com/documentation/Reference/Security/Security-hardening/

    Kindest regards, Jeffrey
