Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Gordon Saxby 1313 posts 1541 karma points
    Oct 31, 2016 @ 10:39
    Gordon Saxby
    0

    Restrict Admin access by IP address

    Does Umbraco have the ability to restrict Admin access (/umbraco/) by IP address?

    If not, has anyone done so using IIS, or any other method?

  • Casper 59 posts 270 karma points
    Oct 31, 2016 @ 11:36
  • Dave Woestenborghs 3201 posts 10631 karma points MVP 4x admin c-trib
    Oct 31, 2016 @ 11:40
    Dave Woestenborghs
    0

    Hi Casper,

    This will block or allow the whole site based on IP. I think Gordon is only looking for backend blocking.

    Dave

  • Casper 59 posts 270 karma points
    Oct 31, 2016 @ 12:19
    Casper
    0
  • Casper 59 posts 270 karma points
    Oct 31, 2016 @ 12:46
    Casper
    0

    It is also possible to add the restriction in web.config - this works perfectly :)

    <location path="umbraco">
        <system.webServer>
              <security>
                <ipSecurity allowUnlisted="false">
                   <clear/>
                   <add ipAddress="8.8.8.1" allowed="true"/>                 
                </ipSecurity>
              </security>
        </system.webServer>
    </location>
    
  • Gordon Saxby 1313 posts 1541 karma points
    Oct 31, 2016 @ 12:50
    Gordon Saxby
    0

    Wouldn't that also block access to web services and/or API's from the front end?

  • Dave Woestenborghs 3201 posts 10631 karma points MVP 4x admin c-trib
    Oct 31, 2016 @ 12:52
    Dave Woestenborghs
    0

    Hi Casper,

    I think Gordon is right. If you have Umbraco API controllers that you call from the front end these can not be reached.

    That's why we solve it using the IIS rewrite. There we make sure these can be called while the rest of the backoffice is not reachable.

    Dave

  • Casper 59 posts 270 karma points
    Oct 31, 2016 @ 13:01
    Casper
    0

    True, in case of having API controllers needed from the frontend, my suggestion won't be of any help.

  • Casper 59 posts 270 karma points
    Oct 31, 2016 @ 13:11
    Casper
    0

    Just for overkilling the subject - You could restrict access to "umbraco" and then allow access to the paths you need:

    <location path="umbraco/test.html">
        <system.webServer>
              <security>
                <ipSecurity allowUnlisted="true">
                   <clear/>
                </ipSecurity>
              </security>
        </system.webServer>
    </location>
    
  • Dave Woestenborghs 3201 posts 10631 karma points MVP 4x admin c-trib
    Oct 31, 2016 @ 11:39
    Dave Woestenborghs
    3

    Hi Gordon,

    We do something similar where we have a "editor environment" and a "frontend environment". Where the backend can not be opened on the front end, but only on the editor environment. There the allowed IP's are set on the firewall

    We use IIS Rewrite rules for that :

     <rule name="Backoffice access" enabled="true">
              <match url="^umbraco(#/)?(#)?(.*)"/>
              <conditions logicalGrouping="MatchAll">
                <add input="{R:0}" pattern="^umbraco/masterpages/?" ignoreCase="true" negate="true"/>
                <add input="{R:0}" pattern="^umbraco/RestServices/?" ignoreCase="true" negate="true"/>
                <add input="{R:0}" pattern="^umbraco/webservices/?" ignoreCase="true" negate="true"/>
                <add input="{R:0}" pattern="^umbraco/Surface/?" ignoreCase="true" negate="true"/>
    
                <add input="{R:0}" pattern="^umbraco/api/?" ignoreCase="true" negate="true"/>
                <add input="{R:0}" pattern="^umbraco/ping.aspx" ignoreCase="true" negate="true"/>
                <add input="{HTTP_HOST}" pattern="^(editor.myhost.com)$" ignoreCase="true" negate="true"/>
              </conditions>
              <action type="Redirect" url="http://{HTTP_HOST}/"/>
    </rule>
    

    This will rewrite will only allow access to the backend on the hostname http://editor.myhost.com

    You can change this line to do it on IP :

     <add input="{HTTP_HOST}" pattern="^(editor.myhost.com)$" ignoreCase="true" negate="true"/>
    

    to something like this :

      <add input="{REMOTE_ADDR}" pattern="201\.45\.33\.[0-5]" />
    

    to restrict it on IP

    Dave

  • Gordon Saxby 1313 posts 1541 karma points
    Oct 31, 2016 @ 12:19
    Gordon Saxby
    0

    we have a "editor environment" and a "frontend environment"

    Do you mean separate IIS environments? Separate servers?

  • Dave Woestenborghs 3201 posts 10631 karma points MVP 4x admin c-trib
    Oct 31, 2016 @ 12:46
    Dave Woestenborghs
    0

    We have a seperate servers.

  • Bhavesh Jadav 35 posts 144 karma points
    Aug 29, 2017 @ 09:54
    Bhavesh Jadav
    0

    @Dave,

    I am wondering how do you synchronise content, media, document type, templates etc.. between frontend server and editor environment, does it work with Courier or requires some special configuration such as https://msdn.microsoft.com/en-us/library/bb540031(v=vs.85).aspx?

    are you using something such as https://our.umbraco.org/documentation/getting-started/setup/server-setup/load-balancing/flexible-advanced#explicit-master-scheduling-server

  • Dave Woestenborghs 3201 posts 10631 karma points MVP 4x admin c-trib
    Aug 29, 2017 @ 10:11
    Dave Woestenborghs
    0

    hi Bhavesh

    We use the flexible load balancing. This will take care of all data stored in Umbraco database.

    For physical data on the disk (like files from the media library) you need to handle the syncing yourself. Or use something like Azure blobstorage.

    Dave

Please Sign in or register to post replies

Write your reply to:

Draft