Restrict Umbraco CMS By IP Address

Updated: May 7, 2014

Ali Taheri

Here's how to restrict the admin section of Umbraco's website by IP address. The code also works if your server is behind a load balancer. All unauthorised requests will be redirected to the no access page.

Here's what to do: 

  1. Install URL Rewrite module on the server.
  2. Create a page called "no-access" in Umbraco's Content section. Give it any name you like.
  3. If your server is behind the load balancer, use {HTTP_X_FORWARDED} as an input otherwise just use {REMOTE_ADDR}.
  4. Finally, add the following snippet in the web.config in the <system.webServer> section.

* If your IP address is, the code will appear as below:

        <rule name="Restrict URL" enabled="true" stopProcessing="true" >
          <match url="^umbraco($|/(?!surface))" />
          <conditions logicalGrouping="MatchAll">

            <!-- Use REMOTE_ADDR if your server is NOT behind load balancer -->
            <add input="{REMOTE_ADDR}" pattern="^112\.21\.55\.156$" negate="true" /> 

            <!-- Use HTTP_X_FORWARDED_FOR if your server is behind a load balancer -->
            <add input="{HTTP_X_FORWARDED_FOR}" pattern="^112.\21\.55\.156$" negate="true" /> 

          <action type="Redirect" url="/no-access/" /> 


comments powered by Disqus

© 2017 - Ali Sheikh Taheri