IIS Rewrite module installed, it is fairly easy to lock down the Lucee Web and Server administrative pages by creating a rule in web.config.
    <rewrite>
      <rules>
        <!-- you may have other rules here -->
        <rule name="BlockLuceeAdminAccess" patternSyntax="Wildcard" stopProcessing="true">
          <match url="lucee/admin*" />
          <conditions>
            <add input="{REMOTE_ADDR}" pattern="111.111.1.*" negate="true" />
            <add input="{REMOTE_ADDR}" pattern="127.0.0.1" negate="true" />
            <add input="{REMOTE_ADDR}" pattern="192.168.1.*" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="401" statusReason="Unauthorized: Access is denied due to invalid IP" statusDescription="You do not have permission to view this directory or page from your IP address." />
        </rule>
      </rules>
    </rewrite>

To summarize what this does:
- Checks to see if the URL contains “lucee/admin”
- If the URL matches, the client IP address is checked.
- Matching uses wildcards, so 111.111.1.* matches any IP starting with 111.111.1.
- If none of the <conditions> match your IP address, the rule returns a 401 (Unauthorized) response.
An alternative action, returning a 404 instead of a 401:

    <action type="CustomResponse" statusCode="404" statusReason="File Not Found" statusDescription="File Not Found" />
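To check an allowlist like the one above before deploying it, here is an added example (not from the original post) that parses the rule from a constructed web.config snippet and evaluates it the way the IIS URL Rewrite module would: wildcard patterns must match the whole input, `ignoreCase` defaults to true, and conditions default to `logicalGrouping="MatchAll"`. The config text and the request samples are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's rule, embedded so the script runs offline.
WEB_CONFIG = """<configuration><system.webServer><rewrite><rules>
<rule name="BlockLuceeAdminAccess" patternSyntax="Wildcard" stopProcessing="true">
  <match url="lucee/admin*" />
  <conditions>
    <add input="{REMOTE_ADDR}" pattern="111.111.1.*" negate="true" />
    <add input="{REMOTE_ADDR}" pattern="127.0.0.1" negate="true" />
    <add input="{REMOTE_ADDR}" pattern="192.168.1.*" negate="true" />
  </conditions>
  <action type="CustomResponse" statusCode="401" />
</rule>
</rules></rewrite></system.webServer></configuration>"""


def wildcard_to_regex(pattern: str, ignore_case: bool = True) -> re.Pattern:
    """IIS wildcard syntax (patternSyntax="Wildcard" is assumed): '*' is any run of
    characters, '?' one character, and the whole input must match, so a pattern
    without wildcards such as 127.0.0.1 is an exact match."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE if ignore_case else 0)


def load_rules(xml_text: str) -> list:
    """Extract each <rule> into a dict of compiled match, conditions and action."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        match, conds, action = rule.find("match"), rule.find("conditions"), rule.find("action")
        grouping = conds.get("logicalGrouping", "MatchAll") if conds is not None else "MatchAll"
        rules.append({
            "name": rule.get("name"),
            "url": wildcard_to_regex(match.get("url"), match.get("ignoreCase", "true") == "true"),
            "match_all": grouping == "MatchAll",
            "conditions": [(c.get("input"),
                            wildcard_to_regex(c.get("pattern"), c.get("ignoreCase", "true") == "true"),
                            c.get("negate", "false") == "true")
                           for c in (conds if conds is not None else [])],
            "status": int(action.get("statusCode")) if action.get("type") == "CustomResponse" else None,
        })
    return rules


def evaluate(url: str, remote_addr: str, xml_text: str = WEB_CONFIG):
    """Return the status code the first matching CustomResponse rule would send,
    or None if the request passes through to the application."""
    server_vars = {"{REMOTE_ADDR}": remote_addr}
    for rule in load_rules(xml_text):
        if not rule["url"].match(url):
            continue  # the match url is the site-relative path without a leading slash
        results = [bool(rx.match(server_vars.get(inp, ""))) != neg
                   for inp, rx, neg in rule["conditions"]]
        if (all(results) if rule["match_all"] else any(results)) and rule["status"]:
            return rule["status"]
    return None
```

The script models only the rewrite features the rule above uses, not the whole module. Keep in mind that {REMOTE_ADDR} is the address of the immediate TCP peer, so behind a reverse proxy or load balancer it will be the proxy's address rather than the client's and an allowlist on it will not behave as intended.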