restrict admin access by ip address

Press Ctrl / CMD + C to copy this to your clipboard.

Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

Gordon Saxby 1444 posts 1855 karma points

Oct 31, 2016 @ 10:39

0

Restrict Admin access by IP address

Using Umbraco And Getting Started

Umbraco 7

Does Umbraco have the ability to restrict Admin access (/umbraco/) by IP address?

If not, has anyone done so using IIS, or any other method?

Copy Link
Casper 70 posts 308 karma points

Oct 31, 2016 @ 11:36

0

https://www.iis.net/configreference/system.webserver/security/ipsecurity

Copy Link
Dave Woestenborghs 3504 posts 12133 karma points MVP 8x admin c-trib

Oct 31, 2016 @ 11:40

0

Hi Casper,

This will block or allow the whole site based on IP. I think Gordon is only looking for backend blocking.

Dave

Copy Link
Casper 70 posts 308 karma points

Oct 31, 2016 @ 12:19

0

Hi Dave,

Check this out. I have been able to do the same thing :)

http://serverfault.com/questions/605398/iis-access-control-by-ip-address-for-specific-files-and-folders

Copy Link

Casper 70 posts 308 karma points

Oct 31, 2016 @ 12:46

It is also possible to add the restriction in web.config - this works perfectly :)

<location path="umbraco">
    <system.webServer>
          <security>
            <ipSecurity allowUnlisted="false">
               <clear/>
               <add ipAddress="8.8.8.1" allowed="true"/>                 
            </ipSecurity>
          </security>
    </system.webServer>
</location>

Copy Link

Gordon Saxby 1444 posts 1855 karma points

Oct 31, 2016 @ 12:50

0

Wouldn't that also block access to web services and/or API's from the front end?

Copy Link
Dave Woestenborghs 3504 posts 12133 karma points MVP 8x admin c-trib

Oct 31, 2016 @ 12:52

0

Hi Casper,

I think Gordon is right. If you have Umbraco API controllers that you call from the front end these can not be reached.

That's why we solve it using the IIS rewrite. There we make sure these can be called while the rest of the backoffice is not reachable.

Dave

Copy Link
Casper 70 posts 308 karma points

Oct 31, 2016 @ 13:01

0

True, in case of having API controllers needed from the frontend, my suggestion won't be of any help.

Copy Link

Casper 70 posts 308 karma points

Oct 31, 2016 @ 13:11

Just for overkilling the subject - You could restrict access to "umbraco" and then allow access to the paths you need:

<location path="umbraco/test.html">
    <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">
               <clear/>
            </ipSecurity>
          </security>
    </system.webServer>
</location>

Copy Link

Dave Woestenborghs 3504 posts 12133 karma points MVP 8x admin c-trib

Oct 31, 2016 @ 11:39

Hi Gordon,

We do something similar where we have a "editor environment" and a "frontend environment". Where the backend can not be opened on the front end, but only on the editor environment. There the allowed IP's are set on the firewall

We use IIS Rewrite rules for that :

 <rule name="Backoffice access" enabled="true">
          <match url="^umbraco(#/)?(#)?(.*)"/>
          <conditions logicalGrouping="MatchAll">
            <add input="{R:0}" pattern="^umbraco/masterpages/?" ignoreCase="true" negate="true"/>
            <add input="{R:0}" pattern="^umbraco/RestServices/?" ignoreCase="true" negate="true"/>
            <add input="{R:0}" pattern="^umbraco/webservices/?" ignoreCase="true" negate="true"/>
            <add input="{R:0}" pattern="^umbraco/Surface/?" ignoreCase="true" negate="true"/>

            <add input="{R:0}" pattern="^umbraco/api/?" ignoreCase="true" negate="true"/>
            <add input="{R:0}" pattern="^umbraco/ping.aspx" ignoreCase="true" negate="true"/>
            <add input="{HTTP_HOST}" pattern="^(editor.myhost.com)$" ignoreCase="true" negate="true"/>
          </conditions>
          <action type="Redirect" url="http://{HTTP_HOST}/"/>
</rule>

This will rewrite will only allow access to the backend on the hostname http://editor.myhost.com

You can change this line to do it on IP :

 <add input="{HTTP_HOST}" pattern="^(editor.myhost.com)$" ignoreCase="true" negate="true"/>

to something like this :

  <add input="{REMOTE_ADDR}" pattern="201\.45\.33\.[0-5]" />

to restrict it on IP

Dave

Copy Link

Gordon Saxby 1444 posts 1855 karma points

Oct 31, 2016 @ 12:19

0

we have a "editor environment" and a "frontend environment"

Do you mean separate IIS environments? Separate servers?

Copy Link
Dave Woestenborghs 3504 posts 12133 karma points MVP 8x admin c-trib

Oct 31, 2016 @ 12:46

0

We have a seperate servers.

Copy Link
Bhavesh Jadav 35 posts 144 karma points

Aug 29, 2017 @ 09:54

0

@Dave,

I am wondering how do you synchronise content, media, document type, templates etc.. between frontend server and editor environment, does it work with Courier or requires some special configuration such as https://msdn.microsoft.com/en-us/library/bb540031(v=vs.85).aspx?

are you using something such as https://our.umbraco.org/documentation/getting-started/setup/server-setup/load-balancing/flexible-advanced#explicit-master-scheduling-server

Copy Link
Dave Woestenborghs 3504 posts 12133 karma points MVP 8x admin c-trib

Aug 29, 2017 @ 10:11

0

hi Bhavesh

We use the flexible load balancing. This will take care of all data stored in Umbraco database.

For physical data on the disk (like files from the media library) you need to handle the syncing yourself. Or use something like Azure blobstorage.

Dave

Copy Link
is working on a reply...

Please Sign in or register to post replies

Flag this post as spam?