Start | Blogs | Umbraco | Whitelist Umbraco back office



How to whitelist Umbraco back office

Don't want anyone being able to surf to your Umbraco back office in production? I have the solution. Simply go to your web.config file and paste in this:

<location path="umbraco">
<ipSecurity allowUnlisted="false" denyAction="Forbidden">
<add allowed="true" ipAddress="{your ip}" />

where {your ip} is the ip address to your computer. So let's say your ip address is, the field should look like this:

<add allowed="true" ipAddress="" />.


<location path="umbraco>

at the start means that everything below is about the url path /umbraco on the site. If the url to your back office is something other than umbraco, you have to change it to the path you have.

Transform the IP address
Since my website is open source, including the web.config, I don't want my IP addresses exposed. My (sort of dirty) solution is to use powershell to "transform" my ip addresses. What I have done is to have variables for my devices IP addresses like so:

<add allowed="true" ipAddress="$(allowedIpAddress1)" />
<add allowed="true" ipAddress="$(allowedIpAddress2)" />
<add allowed="true" ipAddress="$(allowedIpAddress3)" />

and in Azure Pipelines -> Release -> Tasks -> Deploy Azure Web Service ->  Post Deployment Action -> Inline Script, I use bash commands to find the variables and replace them with the ip addresses for my devices, like so:

sed -i -e 's/$(allowedIpAddress1)/{ip address 1}/g' Web.config
sed -i -e 's/$(allowedIpAddress2)/{ip address 2}/g' Web.config
sed -i -e 's/$(allowedIpAddress3)/{ip address 3}/g' Web.config

This will transform the variables to my ip addresses after the deployment is completed.