If you have an Umbraco site that's load balanced, you may have a dedicated admin sub-domain to force your users to use the primary server (e.g. admin.yourdomain.com). That being the case, you may also want to lock that domain down so not just anyone can access it.
You COULD do that with IP restrictions in IIS, but that doesn't allow for the client wanting to work on a train, or in a coffee shop, or for you needing to jump onto the site away from the office in case of emergency.
I came up with a simple solution that uses IIS Rewrite. You can use IIS Rewrite to check the value of cookies, so on the admin site, we allow access only to the /umbraco/ URL so that you can log in. Any other URL will result in you being redirected to the primary domain. The rule checks for the presence of the UMB_UCONTEXT cookie that's set by the back office, and if it's set, it allows you to access the rest of the admin site. Simples!
Here's an example of the rule:
<rule name="AdminLockout" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true"/>
<add input="{URL}" pattern="(favicon\.ico|umbraco|webresource|scriptresource)" negate="true"/>
<add input="{HTTP_COOKIE}" pattern="UMB_UCONTEXT=(\b[A-F0-9]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\b)" negate="true" />
<add input="{HTTP_HOST}" pattern="^admin\.mysite\.co\.uk" />
</conditions>
<action type="Redirect" url="http://www.mysite.co.uk/{R:1}" appendQueryString="true" />
</rule>
Nice, I like it and I'll be incorporating that at some point. Just a thought though, shouldn't it take "umbraco_client" into consideration too in the second condition?
This is exactly what I need to implement! Thank you very much for your post
Ninja skills Tim! FYI The pattern for the Umbraco cookie did not match for me so I used this more general pattern:
UMB_UCONTEXT=[^;]*
I posted the full syntax of my rule up at https://our.umbraco.org/forum/umbraco-7/using-umbraco-7/69859-password-protect-site-while-in-development#comment-246707