With the IIS Rewrite module installed, it is fairly easy to lock down the Lucee Web and Server administrative pages by creating a rule in web.config.
<rewrite>
<rules>
<!--- you may have other rules here --->
<rule name="BlockLuceeAdminAccess" patternSyntax="Wildcard" stopProcessing="true">
<match url="lucee/admin*" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="111.111.1.*" negate="true" />
<add input="{REMOTE_ADDR}" pattern="127.0.0.1" negate="true" />
<add input="{REMOTE_ADDR}" pattern="192.168.1.*" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="401" statusReason="Unauthorized: Access is denied due to invalid IP" statusDescription="You do not have permission to view this directory or page from your IP address." />
</rule>
</rules>
</rewrite>
To summarize what this does:
- Checks to see if the URL contains “lucee/admin”
- If it does match the URL, then check the IP address.
- Matching uses wildcards, so 111.111.1.* matches any IP starting with 111.111.1.
- If there are no matches in the <conditions> for your IP address, then it throws a 401 (unauthorized) header.
Some people prefer to throw a 404 error instead, and you could modify the action to do that if you want.
<action type="CustomResponse" statusCode="404" statusReason="File Not Found" statusDescription="File Not Found" />