Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Luke Hook 3 posts 73 karma points
    1 week ago
    Luke Hook
    0

    IP Restriction via CMS Field

    Hi all,

    I have a request from a client we are building a basic Umbraco site for. They wish to be able to block/blacklist IP addresses from accessing their site. Usually this is something I would administer through the web.config or a security layer such as CloudFlare but the client wishes to be able to manage this via the CMS.

    If I create a list of user managed IP addresses within the CMS is there a way I can use this to 'block' these IP's from accessing the site.

    To clarify also, they wish to prevent access to the WHOLE site. Both the front end and the umbraco interface. Essentially, the entire domain.

    Any help would be greatly received.

    Thanks, Luke

  • Alex Skrypnyk 4886 posts 17639 karma points MVP 2x admin c-trib
    1 week ago
    Alex Skrypnyk
    0

    Hi Luke

    I would suggest using IP restriction on IIS level like - IIS 8.0 Dynamic IP Address Restrictions - https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions

    Thanks,

    Alex

  • Luke Hook 3 posts 73 karma points
    1 week ago
    Luke Hook
    0

    Thanks Alex,

    This is great in principle but the client wishes to have control over this and isn't technically experienced enough to be able to access IIS. I really need them to be able to enter IP addresses in the CMS to blacklist but not sure the best way to implement that.

    Thanks, Luke

  • Nicholas Westby 1833 posts 6022 karma points c-trib
    1 week ago
    Nicholas Westby
    0

    I think when you add the IP restrictions in IIS, it just updates the web.config (I could be wrong). So maybe when you save the content node with the IP addresses, you can create an event handler that will update the web.config accordingly.

    That will cause the site to restart unless you set fcnMode to Disabled (which has a bunch of side effects): https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.fcnmode?view=netframework-4.7.2

  • Nicholas Westby 1833 posts 6022 karma points c-trib
    1 week ago
    Nicholas Westby
    1

    Another option would be an HTTP module: https://www.hanselman.com/blog/AnIPAddressBlockingHttpModuleForASPNETIn9Minutes.aspx

    On publish of the node, you can store the IP addresses to a text file. You could even also sent a notification to the HTTP module to let it know the IP address list has updated. That way, you won't have to read from the file system on every request.

  • Amir Khan 900 posts 1682 karma points
    1 week ago
    Amir Khan
    0

    This might also be one of those times where you would be better off explaining to the client that there are better options :)

Please Sign in or register to post replies

Write your reply to:

Draft