如何保护 Elmah.axd 的安全?

发布于 2024-10-06 19:41:21 字数 247 浏览 6 评论 0 原文

我们正在使用 Elmah 作为即将投入生产的应用程序的错误日志系统。它非常有用,但如果它像这样投入生产,世界上任何人都可以访问错误日志,因为他们所要做的就是访问 ourdomain.com/elmah.axd

这显然并不理想。我最初打算将对该页面的访问限制为我们公司内的 IP 地址,但现在我们的系统管理员说这是不可能的。所以我在这里问如何阻止访问此资源?

我们在 IIS 6 上运行 ASP.NET MVC 应用程序。

We're using Elmah as our error logging system for an app that will be going into production soon. It's extremely useful, but if it goes into production like this anyone in the world access the error log because all they have to do is visit ourdomain.com/elmah.axd.

This is obviously not ideal. I originally intended to restrict access to that page only to IP addresses within our company, but now our SysAdmins are saying that's not possible. So I'm asking here how can I prevent access to this resource?

We running an ASP.NET MVC app on IIS 6.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(7

梦屿孤独相伴 2024-10-13 19:41:21

保护 elmah.axd 的典型场景是仅允许某些经过身份验证的用户能够访问它。但如果您的网站根本不使用任何身份验证,则这可能不适用。

我建议您这样做:

  1. 完全禁用主站点上的 elmah.axd 处理程序
  2. 配置 elmah 将日志写入某些共享数据源(例如共享文件、SQLite)数据库甚至 SQL Server)
  3. 在 IIS 中配置第二个站点(可能位于另一个网络或服务器上),该站点仅安装了 elmah 并且指向相同的共享数据源。现在您将始终使用第二个站点来读取日志。显然,第二个站点只有您可以访问。

如果您决定使用 SQL Server,您甚至可以从一个只能由您访问的单个内部应用程序中读取在场中多个 Web 服务器上运行的多个应用程序的日志。

The typical scenario for securing elmah.axd is allowing only some authenticated user to be able to access it. But if your site doesn't use any authentication at all this might not be applicable.

Here's what I would recommend you:

  1. Disable completely the elmah.axd handler on your main site
  2. Configure elmah to write the logs to some shared data source (like a shared file, SQLite database or even SQL Server)
  3. Configure a second site in IIS, probably on another network or server, which has only elmah installed and which points to this same shared data source. Now you would always use the second site to read the logs. Obviously the second site would only be accessible to you.

If you decide to use SQL Server you could even read the logs of multiple applications running on multiple web servers in a farm from within a single internal application accessible only to you.

漫雪独思 2024-10-13 19:41:21

我发现这对于 MVC 应用程序来说是最可接受的:

http ://www.beletsky.net/2011/03/integrating-elmah-to-aspnet-mvc-in.html

I found this is most acceptable for MVC applications:

http://www.beletsky.net/2011/03/integrating-elmah-to-aspnet-mvc-in.html

各空 2024-10-13 19:41:21

您可以将 elmah http 处理程序指向 web.config 中的另一个 url(例如“Secure/elmah.axd”)。您可以像 Web 配置中的任何其他 ASP.NET 页面一样保护该 URL。

<httpHandlers>
  ...
  <add verb="POST,GET,HEAD" path="/Secure/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<location path="Secure" > <!-- secure the host.com/Secure path -->
  <system.web>
    <authorization>
      <deny users="?" />
      <!-- Or anything else... -->
    </authorization>
  </system.web>
</location>

我们在使用活动目录成员资格提供程序的 IIS7 上成功地使用了这种方法,并且效果非常好。我不确定它是否可以在 IIS6 上运行。

You can point the elmah http handler to another url (for example "Secure/elmah.axd") in web.config. You can secure the url as any other asp.net page in the web config.

<httpHandlers>
  ...
  <add verb="POST,GET,HEAD" path="/Secure/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<location path="Secure" > <!-- secure the host.com/Secure path -->
  <system.web>
    <authorization>
      <deny users="?" />
      <!-- Or anything else... -->
    </authorization>
  </system.web>
</location>

We are successfully using this approach on IIS7 using active directory membership providers, and it works great. I am not sure if it works on IIS6 though.

想你的星星会说话 2024-10-13 19:41:21

如果您使用 ASP.NET 会员资格,则可以很容易地限制匿名用户对 elmah.axd HttpHandler 的访问,并且只允许“管理员”组中的登录用户。我是这样完成的:

<configuration>
  ...
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <allow roles="Administrators"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

任何登录并且具有“管理员”角色成员的人现在都可以访问该页面。

If you're using ASP.NET Membership, it's pretty easy to restrict access to the elmah.axd HttpHandler for anonymous users and only allow logged in users in an "Administrators" group. I've done it like this:

<configuration>
  ...
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <allow roles="Administrators"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

Anybody who's logged in AND member of the "Administrators" role can access the page now.

宣告ˉ结束 2024-10-13 19:41:21

如果您的目的是禁止远程用户访问它,只需将 的值更改为

If your intention is to disable remote users from accessing it, simply change the value of <security allowRemoteAccess="yes" /> to <security allowRemoteAccess="no" />

旧情别恋 2024-10-13 19:41:21

我使用了 IIS 7 配置中的 IP 限制。默认情况下,您不能简单地将其应用到 中,因为它已锁定在父配置级别。因此,我创建了一个空文件夹“logs”,并在 IIS 中对此文件夹应用了限制,然后修改了 elmah.axd 文件的位置路径。就是这样!您可以远程访问 yourdomain.com/logs/elmah.axd,但只能从特定 IP 进行访问。

I used IP Restrictions from the IIS 7 configuration. By default, you can't simply apply it in <location path="elmah.axd"> because it's locked on the parent configuration level. As such, I created an empty folder "logs" and applied restrictions in IIS to this folder, then modified the location path for the elmah.axd file. That's it! You have remote access to yourdomain.com/logs/elmah.axd, but only from specific IPs.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文