Web Trenches

Locking Down the Lucee Admin by IP Address on IIS



With the IIS Rewrite module installed, it is fairly easy to lock down the Lucee Web and Server administrative pages by creating a rule in web.config.

<rewrite>
    <rules>
        <!-- you may have other rules here -->
        <rule name="BlockLuceeAdminAccess" patternSyntax="Wildcard" stopProcessing="true">
            <match url="lucee/admin*" />
            <conditions>
                <add input="{REMOTE_ADDR}" pattern="111.111.1.*" negate="true" />
                <add input="{REMOTE_ADDR}" pattern="127.0.0.1" negate="true" />
                <add input="{REMOTE_ADDR}" pattern="192.168.1.*" negate="true" />
            </conditions>
            <action type="CustomResponse" statusCode="401" statusReason="Unauthorized: Access is denied due to invalid IP" statusDescription="You do not have permission to view this directory or page from your IP address." />
        </rule>
    </rules>
</rewrite>
To summarize what this does:
  • Checks whether the requested URL matches “lucee/admin*”
  • If the URL matches, then check the client IP address.
    • Matching uses wildcards, so 111.111.1.* matches any IP starting with 111.111.1.
  • If none of the <conditions> match your IP address, then it returns a 401 (Unauthorized) response.
Some people prefer to return a 404 error instead, and you could modify the action to do that if you want:
<action type="CustomResponse" statusCode="404" statusReason="File Not Found" statusDescription="File Not Found" />
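Before a rule like this goes live it is worth checking which client addresses it actually lets through. The following script is an added example, not code from the post or from Lucee/IIS: it parses a copy of the rule above and applies the URL Rewrite wildcard and negate semantics (whole-string, case-insensitive matching, default MatchAll grouping); the sample addresses and the ELEMENT names used for lookup are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the rule from the post (a web.config fragment, not a full file).
RULE_XML = """
<rewrite>
  <rules>
    <rule name="BlockLuceeAdminAccess" patternSyntax="Wildcard" stopProcessing="true">
      <match url="lucee/admin*" />
      <conditions>
        <add input="{REMOTE_ADDR}" pattern="111.111.1.*" negate="true" />
        <add input="{REMOTE_ADDR}" pattern="127.0.0.1" negate="true" />
        <add input="{REMOTE_ADDR}" pattern="192.168.1.*" negate="true" />
      </conditions>
      <action type="CustomResponse" statusCode="401" />
    </rule>
  </rules>
</rewrite>
"""

def wildcard_to_regex(pattern):
    """IIS wildcard syntax: '*' matches any run of characters, '?' exactly one.
    The pattern must match the whole input; IIS compares case-insensitively by default."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + body + "$", re.IGNORECASE)

def evaluate(rule_xml, url, remote_addr):
    """Return the CustomResponse status code the rule would send for this request,
    or None if the request passes through. 'url' is the site-relative path IIS
    hands to the rewrite module (no leading slash)."""
    rule = ET.fromstring(rule_xml).find("./rules/rule")
    if not wildcard_to_regex(rule.find("match").get("url")).match(url):
        return None
    server_vars = {"{REMOTE_ADDR}": remote_addr}
    # Default logicalGrouping is MatchAll: every condition must hold after negate.
    for cond in rule.find("conditions").findall("add"):
        value = server_vars[cond.get("input")]
        matched = bool(wildcard_to_regex(cond.get("pattern")).match(value))
        if cond.get("negate", "false").lower() == "true":
            matched = not matched
        if not matched:
            return None  # an allow-listed address defeats a negated condition
    return int(rule.find("action").get("statusCode"))

if __name__ == "__main__":
    for addr in ("111.111.1.5", "111.111.10.5", "127.0.0.1", "192.168.1.20", "8.8.8.8"):
        print(addr, "->", evaluate(RULE_XML, "lucee/admin/server.cfm", addr) or "allowed")
```

Dropping the dot from a pattern (111.111.1* instead of 111.111.1.*) quietly widens the allow-list to every 111.111.1x.y address, which is exactly the kind of slip this check catches.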