
All Posts From: July 2015

Protecting Your Admin URL With IIS Rewrite

If you have an Umbraco site that's load balanced, you may have a dedicated admin sub-domain to force your users to use the primary server (e.g. admin.yourdomain.com). That being the case, you may also want to lock that domain down so not just anyone can access it.

You COULD do that with IP restrictions in IIS, but that doesn't allow for the client wanting to work on a train, or in a coffee shop, or for you needing to jump onto the site away from the office in case of emergency.

I came up with a simple solution that uses IIS Rewrite. IIS Rewrite can test the value of cookies, so on the admin host we allow unauthenticated access only to the /umbraco/ URL (so that you can log in); any other URL redirects you to the primary domain. The rule checks for the UMB_UCONTEXT cookie that the back office sets once you're logged in, and if it is present, the rest of the admin site becomes reachable. Simples!

Here's an example of the rule:

<!-- Redirect unauthenticated requests on the admin host to the public site.
     The conditions use the default logicalGrouping="MatchAll": all four must hold. -->
<rule name="AdminLockout" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <!-- Never redirect requests for files that exist on disk (CSS, images, ...) -->
        <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
        <!-- Keep the back office, its resource handlers and the favicon reachable so you can log in -->
        <add input="{URL}" pattern="(favicon\.ico|umbraco|webresource|scriptresource)" negate="true" />
        <!-- Only fire when no UMB_UCONTEXT cookie (a GUID set by the back office on login) is present -->
        <add input="{HTTP_COOKIE}" pattern="UMB_UCONTEXT=(\b[A-F0-9]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\b)" negate="true" />
        <!-- ...and only for requests that arrived on the admin host -->
        <add input="{HTTP_HOST}" pattern="^admin\.mysite\.co\.uk" />
    </conditions>
    <action type="Redirect" url="http://www.mysite.co.uk/{R:1}" appendQueryString="true" />
</rule>
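To see which requests the rule redirects and which it lets through, here is an added Python simulation (not part of the original post, nor IIS code) that applies the same four conditions, with IIS's default MatchAll grouping and case-insensitive patterns, to a few constructed requests; the set of static files standing in for the IsFile check is made up. It mirrors only what the rewrite module sees, i.e. the shape of the cookie in the request header rather than whether it belongs to a live back-office session, so the rule narrows exposure of the admin host while the login on /umbraco/ remains the real authentication.

```python
import re
from dataclasses import dataclass

# Patterns copied from the AdminLockout rule. IIS URL Rewrite compiles rule patterns
# with ignoreCase="true" unless told otherwise (assumed here), hence re.IGNORECASE.
COOKIE_RE = re.compile(
    r"UMB_UCONTEXT=(\b[A-F0-9]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\b)", re.IGNORECASE)
EXEMPT_RE = re.compile(r"(favicon\.ico|umbraco|webresource|scriptresource)", re.IGNORECASE)
HOST_RE = re.compile(r"^admin\.mysite\.co\.uk", re.IGNORECASE)

# Constructed stand-in for the {REQUEST_FILENAME} IsFile check: paths that exist on disk.
STATIC_FILES = {"/css/site.css", "/media/logo.png"}


@dataclass
class Request:
    host: str          # value of the Host header ({HTTP_HOST})
    url: str           # request path with leading slash ({URL})
    cookie: str = ""   # raw Cookie header ({HTTP_COOKIE}), "" when absent
    query: str = ""    # query string without the '?'


def admin_lockout(req: Request):
    """Return the redirect URL when the rule fires, or None when the request passes.

    The rule's <conditions> use the default logicalGrouping="MatchAll",
    so every condition (three negated, one positive) must hold for the redirect.
    """
    fires = (
        req.url not in STATIC_FILES                 # {REQUEST_FILENAME} IsFile, negated
        and EXEMPT_RE.search(req.url) is None       # not /umbraco/, favicon or resource handlers
        and COOKIE_RE.search(req.cookie) is None    # no back-office cookie in the header
        and HOST_RE.search(req.host) is not None    # request arrived on the admin host
    )
    if not fires:
        return None
    # match url="(.*)" sees the path without its leading slash; that capture is {R:1}
    target = "http://www.mysite.co.uk/" + req.url.lstrip("/")
    if req.query:                                   # appendQueryString="true"
        target += "?" + req.query
    return target
```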