I have a request from a client we are building a basic Umbraco site for. They wish to be able to block/blacklist IP addresses from accessing their site. Usually this is something I would administer through the web.config or a security layer such as CloudFlare but the client wishes to be able to manage this via the CMS.
If I create a list of user managed IP addresses within the CMS is there a way I can use this to 'block' these IP's from accessing the site.
To clarify also, they wish to prevent access to the WHOLE site. Both the front end and the umbraco interface. Essentially, the entire domain.
This is great in principle but the client wishes to have control over this and isn't technically experienced enough to be able to access IIS. I really need them to be able to enter IP addresses in the CMS to blacklist but not sure the best way to implement that.
I think when you add the IP restrictions in IIS, it just updates the web.config (I could be wrong). So maybe when you save the content node with the IP addresses, you can create an event handler that will update the web.config accordingly.
On publish of the node, you can store the IP addresses to a text file. You could even also sent a notification to the HTTP module to let it know the IP address list has updated. That way, you won't have to read from the file system on every request.
IP Restriction via CMS Field
Hi all,
I have a request from a client we are building a basic Umbraco site for. They wish to be able to block/blacklist IP addresses from accessing their site. Usually this is something I would administer through the web.config or a security layer such as CloudFlare but the client wishes to be able to manage this via the CMS.
If I create a list of user managed IP addresses within the CMS is there a way I can use this to 'block' these IP's from accessing the site.
To clarify also, they wish to prevent access to the WHOLE site. Both the front end and the umbraco interface. Essentially, the entire domain.
Any help would be greatly received.
Thanks, Luke
Hi Luke
I would suggest using IP restriction on IIS level like - IIS 8.0 Dynamic IP Address Restrictions - https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions
Thanks,
Alex
Thanks Alex,
This is great in principle but the client wishes to have control over this and isn't technically experienced enough to be able to access IIS. I really need them to be able to enter IP addresses in the CMS to blacklist but not sure the best way to implement that.
Thanks, Luke
I think when you add the IP restrictions in IIS, it just updates the web.config (I could be wrong). So maybe when you save the content node with the IP addresses, you can create an event handler that will update the web.config accordingly.
That will cause the site to restart unless you set fcnMode to Disabled (which has a bunch of side effects): https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.fcnmode?view=netframework-4.7.2
Another option would be an HTTP module: https://www.hanselman.com/blog/AnIPAddressBlockingHttpModuleForASPNETIn9Minutes.aspx
On publish of the node, you can store the IP addresses to a text file. You could even also sent a notification to the HTTP module to let it know the IP address list has updated. That way, you won't have to read from the file system on every request.
This might also be one of those times where you would be better off explaining to the client that there are better options :)
is working on a reply...