Restrict access to the Admin side of Orchard CMS by IP

蹲街弑〆低调 submitted on 2019-12-08 05:25:11

Question


I'm trying to deny access to /Admin for all IPs, with a couple of exceptions. The Orchard CMS 1.8.1 app is running on IIS 8.5. I'm experimenting with the IP Restrictions rule, but it seems to me that it is not the right tool, as I could only set access rights on folders, not individual pages. (Managed to deny access to TheAdmin theme.)

I've tried the below snippet with no luck:

<location path="Admin">
   <system.webServer>
      <security>
         <ipSecurity allowUnlisted="false">
         </ipSecurity>
      </security>
   </system.webServer>
</location>

http://www.iis.net/configreference/system.webserver/security/ipsecurity

Also tried to create a Virtual Directory for Users/Account/LogOn for the root directory and set its access rights, but that didn't work either.

I was thinking of setting URL Rewrites for /Admin, but I'm not really sure how to start or what logic I should follow.

Any suggestions?


Answer 1:


If I understand your motives correctly, I think it would be best to write a filter module that will give you full control over what will happen under what condition.

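using System.Web.Mvc;
using Orchard.Environment.Extensions;
using Orchard.Logging;
using Orchard.Mvc.Filters;
using Orchard.Security;
using Orchard.UI.Admin;

[OrchardFeature("FeatureDefinedInModuleTxtManifest")]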
public class AdminAccessFilter : FilterProvider, IAuthorizationFilter
{
    private readonly IAuthorizer _authorizer;

    public AdminAccessFilter(IAuthorizer authorizer)
    {
        _authorizer = authorizer;
        Logger = NullLogger.Instance;
    }

    public ILogger Logger { get; set; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!AdminFilter.IsApplied(filterContext.RequestContext) || !_authorizer.Authorize(StandardPermissions.AccessAdminPanel))
        {
            // Not an admin area or no permission already, do nothing
            return;
        }

        var request = filterContext.HttpContext.Request;

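        // Note: X-Forwarded-For is sent by the client unless a proxy you control
        // overwrites it, and it can hold a comma-separated list of addresses.
        var userIp =
            request.ServerVariables["HTTP_X_FORWARDED_FOR"] ?? // Proxy
            request.UserHostAddress;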

        if (userIp != "100.100.100.100") // Your logic for denying access
        {
            Logger.Fatal("Unauthorized admin access detected from {0}", userIp);

            filterContext.Result = new HttpUnauthorizedResult();
        }
    }
}


Source: https://stackoverflow.com/questions/30374495/restrict-access-to-the-admin-side-of-orchard-cms-by-ip
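
An allowlist check that honors X-Forwarded-For only when the connection comes from a known proxy, as an added example that is not part of the original answer. The class AdminIpPolicy, its method names and the proxy address 10.0.0.5 are assumptions made for illustration; 100.100.100.100 is the placeholder address used in the answer.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Added example (hypothetical helper): resolve the client address, then check an allowlist.
public static class AdminIpPolicy
{
    // Assumption: reverse proxies you operate; only their header is believed.
    static readonly HashSet<IPAddress> TrustedProxies =
        new HashSet<IPAddress> { IPAddress.Parse("10.0.0.5") };

    static readonly HashSet<IPAddress> AllowedAdmins =
        new HashSet<IPAddress> { IPAddress.Parse("100.100.100.100") };

    // remoteAddr: request.UserHostAddress; forwardedFor: raw header value or null.
    public static IPAddress ResolveClient(string remoteAddr, string forwardedFor)
    {
        IPAddress peer;
        if (!IPAddress.TryParse(remoteAddr, out peer)) return null;
        if (peer.IsIPv4MappedToIPv6) peer = peer.MapToIPv4();

        // A direct client can put anything in the header, so ignore it
        // unless the TCP peer is one of our own proxies.
        if (!TrustedProxies.Contains(peer) || string.IsNullOrWhiteSpace(forwardedFor))
            return peer;

        // Proxies append to the list, so the right-most entry is the one our
        // proxy wrote; entries to its left are client-controlled.
        var last = forwardedFor.Split(',').Last().Trim();
        IPAddress client;
        return IPAddress.TryParse(last, out client) ? client : null;
    }

    public static bool IsAllowed(string remoteAddr, string forwardedFor)
    {
        var client = ResolveClient(remoteAddr, forwardedFor);
        return client != null && AllowedAdmins.Contains(client); // unparsable input is denied
    }

    public static void Main()
    {
        // Constructed sample requests: (TCP peer, X-Forwarded-For header)
        Console.WriteLine(IsAllowed("100.100.100.100", null));                    // admin, direct
        Console.WriteLine(IsAllowed("203.0.113.9", "100.100.100.100"));           // header from untrusted peer
        Console.WriteLine(IsAllowed("10.0.0.5", "198.51.100.7, 100.100.100.100")); // admin via proxy
        Console.WriteLine(IsAllowed("10.0.0.5", "100.100.100.100, 203.0.113.9"));  // forged left-most entry
    }
}
```

In the filter, the string comparison would become a call such as `AdminIpPolicy.IsAllowed(request.UserHostAddress, request.Headers["X-Forwarded-For"])`.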
