
  • Nikhil 54 posts 166 karma points
    Feb 23, 2021 @ 09:11
    Nikhil
    0

    How do I block access to /Umbraco in IIS 10?

    I wish Umbraco had a config flag to switch off access or restrict it to a set of IP addresses.

    I have tried URL rewrite etc... but always see errors. Tried restricting the Umbraco directory access too without success.

    Has anyone successfully done this and how?

  • Huw Reddick 1929 posts 6697 karma points MVP 2x c-trib
    Feb 23, 2021 @ 09:30
    Huw Reddick
    0

    You should be able to set IP restrictions in your web.config.

    What are the errors you are getting?

  • Nikhil 54 posts 166 karma points
    Feb 23, 2021 @ 09:36
    Nikhil
    0

    How to deny and allow access certain path/directory/file based on IP Address without changing codes?

    Would this work? It says that generally these should be applied at the site level and not the folder or file level.

  • Nikhil 54 posts 166 karma points
    Feb 23, 2021 @ 09:45
    Nikhil
    1

    The last time I set up IP restrictions for the Umbraco folder we were seeing files not getting saved and 403s for the whole Umbraco login page.

  • Huw Reddick 1929 posts 6697 karma points MVP 2x c-trib
    Feb 23, 2021 @ 10:54
    Huw Reddick
    100

    What URLs were you restricting access to?

    This is what I use, and I have not had any issues so far:

    <rewrite>
      <rules>
        <rule name="Ignore" stopProcessing="true">
          <match url="^(?:umbraco/api|umbraco/surface|umbraco/backoffice)/" />
          <action type="None" />
        </rule>
        <rule name="Allowed IPs" stopProcessing="true">
          <match url="^(?:app_plugins|config|umbraco)(?:/|$)" />
          <conditions>
            <add input="{REMOTE_ADDR}" negate="true" pattern="::1|127.0.0.1| etc." />
            <add input="{HTTP_X_FORWARDED_FOR}" pattern="some ip's" negate="true" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
    
  • Nikhil 54 posts 166 karma points
    Feb 23, 2021 @ 11:12
    Nikhil
    0
        <add input="{REMOTE_ADDR}" negate="true" pattern="::1|127.0.0.1| etc." />
        <add input="{HTTP_X_FORWARDED_FOR}" pattern="some ip's" negate="true" />
    

    For "REMOTE_ADDR" and "HTTP_X_FORWARDED_FOR" I would add IP addresses as "IP1|IP2|IP3" and this would allow access. Am I right?

    "HTTP_X_FORWARDED_FOR" - Would this work when your site is behind a Microsoft Application Gateway V1? The V1 does not have the facility to remove port numbers from the IP addresses.

  • Huw Reddick 1929 posts 6697 karma points MVP 2x c-trib
    Feb 23, 2021 @ 13:20
    Huw Reddick
    1

    First part of your question: yes, add the IPs as you suggest to allow access.

    I can't answer your second question specifically as I have not used Microsoft Application Gateway, but it may work; it is for exposing the originating caller's IP when behind a proxy or load balancing.
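
An added example, not code from the thread or from Umbraco: one way to write the "Allowed IPs" rule when every request arrives through a proxy that appends `ip:port` to X-Forwarded-For, as Application Gateway V1 is described above. The two allowed addresses are constructed placeholders, and the rule assumes the site is reachable only through that gateway.

```xml
<!-- Added example. 203.0.113.10 and 198.51.100.7 are constructed placeholder addresses. -->
<!-- Assumption: the site is reachable only through the gateway, so the last
     X-Forwarded-For entry is the one the gateway wrote. -->
<rewrite>
  <rules>
    <!-- Same exclusion as the rule posted above; kept first so it still short-circuits. -->
    <rule name="Ignore" stopProcessing="true">
      <match url="^(?:umbraco/api|umbraco/surface|umbraco/backoffice)/" />
      <action type="None" />
    </rule>
    <rule name="Allowed IPs" stopProcessing="true">
      <match url="^(?:app_plugins|config|umbraco)(?:/|$)" />
      <!-- MatchAll: the request is aborted only when BOTH conditions are true,
           i.e. neither the socket address nor the forwarded address is allowed. -->
      <conditions logicalGrouping="MatchAll">
        <!-- Local requests on the server itself. Dots escaped and the whole value
             anchored, so 127.0.0.1 cannot match 127a0b0c1 or 10.127.0.0.10. -->
        <add input="{REMOTE_ADDR}" negate="true"
             pattern="^(?:::1|127\.0\.0\.1)$" />
        <!-- Forwarded client address:
             (?:^|,\s*)  start of the header or start of the last list entry
             (?::\d+)?   optional :port suffix
             $           must be the final entry, the one appended by the gateway;
                         earlier entries are whatever the client sent. -->
        <add input="{HTTP_X_FORWARDED_FOR}" negate="true"
             pattern="(?:^|,\s*)(?:203\.0\.113\.10|198\.51\.100\.7)(?::\d+)?$" />
      </conditions>
      <action type="AbortRequest" />
    </rule>
  </rules>
</rewrite>
```

If the site can also be reached directly, bypassing the gateway, drop the X-Forwarded-For condition, because a direct client sets that header itself.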

  • Nikhil 54 posts 166 karma points
    Feb 23, 2021 @ 16:22
    Nikhil
    0

    Thank you. I am trying this out. I have also added:

    <denyUrlSequences>
      <add sequence=":" />
      <add sequence="^(.*)//+(.*)$" />
      <add sequence="w00tw00t.at.blackhats.romanian.anti-sec:)" />
      <add sequence=".." />
    </denyUrlSequences>
    

    Any other ones you use?

  • jeffrey@umarketingsuite.com 408 posts 2137 karma points MVP 8x c-trib
    Feb 23, 2021 @ 15:05
    jeffrey@umarketingsuite.com
    2

    Hi Nikhil,

    there's some excellent documentation available: https://our.umbraco.com/documentation/Reference/Security/Security-hardening/

    Kindest regards, Jeffrey
