48

We're using Elmah as our error logging system for an app that will be going into production soon. It's extremely useful, but if it goes into production like this, anyone in the world can access the error log, because all they have to do is visit ourdomain.com/elmah.axd.

This is obviously not ideal. I originally intended to restrict access to that page only to IP addresses within our company, but now our SysAdmins are saying that's not possible. So I'm asking here how can I prevent access to this resource?

We're running an ASP.NET MVC app on IIS 6.

DaveDev

7 Answers

43

The typical scenario for securing elmah.axd is allowing only some authenticated user to be able to access it. But if your site doesn't use any authentication at all this might not be applicable.

Here's what I would recommend:

  1. Completely disable the elmah.axd handler on your main site
  2. Configure elmah to write the logs to some shared data source (like a shared file, SQLite database or even SQL Server)
  3. Configure a second site in IIS, probably on another network or server, which has only elmah installed and which points to this same shared data source. Now you would always use the second site to read the logs. Obviously the second site would only be accessible to you.

If you decide to use SQL Server you could even read the logs of multiple applications running on multiple web servers in a farm from within a single internal application accessible only to you.

Darin Dimitrov
  • This is actually a really good suggestion, but it takes time to set up. It would be great to know how to restrict it without deploying a second site etc. – Alexander Beletsky Feb 28 '11 at 18:50
  • I have a separate admin application; both use the same data source, but when I go to elmah.axd for each site it only shows the errors that occurred on that site. Any ideas? – raklos Feb 19 '13 at 18:38
  • How can we configure elmah to read logs from multiple applications? – camelCaseWarrior May 27 '15 at 19:25
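The three steps above as a concrete pair of web.config fragments, added here as an illustration and not taken from the answer; the names OurApp, ElmahDb and LOGSERVER are assumed. The shared applicationName value is also what the two comments about viewing one log from several applications are missing.

```xml
<!-- Constructed example (not from the original answer): two web.config fragments.
     Names OurApp, ElmahDb and LOGSERVER are assumed. -->

<!-- 1. Production site: log to SQL Server, map no viewer handler at all -->
<configuration>
  <configSections>
    <sectionGroup name="elmah">
      <section name="errorLog" requirePermission="false" type="Elmah.ErrorLogSectionHandler, Elmah" />
      <section name="security" requirePermission="false" type="Elmah.SecuritySectionHandler, Elmah" />
    </sectionGroup>
  </configSections>
  <connectionStrings>
    <add name="ElmahDb" connectionString="Data Source=LOGSERVER;Initial Catalog=Elmah;Integrated Security=SSPI" />
  </connectionStrings>
  <elmah>
    <!-- applicationName is the key: ELMAH derives a default from the hosting IIS application,
         so two sites sharing one database see separate logs unless both set the same value -->
    <errorLog type="Elmah.SqlErrorLog, Elmah" connectionStringName="ElmahDb" applicationName="OurApp" />
    <!-- belt and braces: even if someone re-adds the handler, it only answers local requests -->
    <security allowRemoteAccess="no" />
  </elmah>
  <system.web>
    <httpModules>
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />
    </httpModules>
    <httpHandlers>
      <!-- no add element for elmah.axd here: the viewer is not reachable on this site -->
    </httpHandlers>
  </system.web>
</configuration>

<!-- 2. Internal viewer site (a separate IIS site, reachable only by you): same log,
        handler mapped, whole site closed to anonymous users -->
<configuration>
  <!-- same configSections and connectionStrings as above -->
  <elmah>
    <errorLog type="Elmah.SqlErrorLog, Elmah" connectionStringName="ElmahDb" applicationName="OurApp" />
  </elmah>
  <system.web>
    <httpHandlers>
      <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
    </httpHandlers>
    <authorization>
      <deny users="?" />   <!-- "?" means anonymous; everyone else must be authenticated -->
    </authorization>
  </system.web>
</configuration>
```

The viewer site needs no ErrorLogModule of its own; it only reads the table, and because every application writes the same applicationName, one viewer shows the errors of all of them.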
21

I found this is most acceptable for MVC applications:

http://www.beletsky.net/2011/03/integrating-elmah-to-aspnet-mvc-in.html

Alexander Beletsky
  • This worked perfectly in our MVC project as it leverages whatever custom authentication you are using with MVC. In our case, we add the roles the user belongs to to the FormsAuthenticationTicket and we deserialize this information through a Global ActionFilter. Wrapping Elmah this way, you can grant authorization to Elmah like any other controller action. You don't need to mess with Web.config. Nice! – Germán Mar 24 '11 at 12:57
  • @alexanderb: It looks like there is an updated version located here: http://www.beletsky.net/2011/08/latest-version-of-elmah-mvc-controller.html. Thanks for the great solution – Denys Jan 21 '12 at 09:27
16

You can point the elmah http handler to another url (for example "Secure/elmah.axd") in web.config. You can secure the url as any other asp.net page in the web config.

<httpHandlers>
  ...
  <add verb="POST,GET,HEAD" path="/Secure/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<location path="Secure" > <!-- secure the host.com/Secure path -->
  <system.web>
    <authorization>
      <deny users="?" />
      <!-- Or anything else... -->
    </authorization>
  </system.web>
</location>

We are successfully using this approach on IIS7 using active directory membership providers, and it works great. I am not sure if it works on IIS6 though.

m0sa
  • You need to change path="Secure/elmah.axd" to path="/Secure/elmah.axd", otherwise one can get around the security permissions using /something/Secure/elmah.axd – UpTheCreek Dec 22 '10 at 11:53
  • If I add your given code then anybody who is registered with our site can easily log in and see the log file. What is the right way to only allow 1 user to access this? I added `` but it didn't work! Help me kindly. – Wasim Jun 29 '11 at 12:01
  • Use this – m0sa Jul 02 '11 at 14:15
9

If you're using ASP.NET Membership, it's pretty easy to restrict access to the elmah.axd HttpHandler for anonymous users and only allow logged in users in an "Administrators" group. I've done it like this:

<configuration>
  ...
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <allow roles="Administrators"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

Anybody who's logged in AND member of the "Administrators" role can access the page now.

Jakob Gade
  • That doesn't seem to work. If you add a fictitious folder (eg navigate to /foo/elmah.axd) it still displays the page. – NickG Jul 18 '14 at 11:25
3

If your intention is to disable remote users from accessing it, simply change the value of <security allowRemoteAccess="yes" /> to <security allowRemoteAccess="no" />

3

Here are some useful links:

Securely Implement ELMAH For Plug And Play Error Logging
Securing Error Log Pages

Giorgi
2

I used IP Restrictions from the IIS 7 configuration. By default, you can't simply apply it in <location path="elmah.axd"> because it's locked on the parent configuration level. As such, I created an empty folder "logs" and applied restrictions in IIS to this folder, then modified the location path for the elmah.axd file. That's it! You have remote access to yourdomain.com/logs/elmah.axd, but only from specific IPs.

rayryeng
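What that folder-level IP restriction looks like in configuration, as an added example rather than the answerer's own files. The site name and addresses are assumed, and the IIS 7 "IP and Domain Restrictions" role service must be installed.

```xml
<!-- Constructed example: what IIS 7 writes into applicationHost.config when
     "IP Address and Domain Restrictions" is configured on the empty "logs" folder.
     The section is locked at the server level, which is why it lands here rather
     than in the application's own web.config. Site name and addresses are assumed. -->
<location path="Default Web Site/logs">
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": any client not listed below gets HTTP 403 -->
      <ipSecurity allowUnlisted="false">
        <clear />
        <!-- a single admin workstation -->
        <add ipAddress="203.0.113.10" allowed="true" />
        <!-- the office network, given as address plus subnet mask -->
        <add ipAddress="10.20.0.0" subnetMask="255.255.0.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
```

If you would rather keep it in logs/web.config, unlock the section first with `%windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/security/ipSecurity` and move the `<system.webServer>` element there. As the comments on the earlier answers point out, the handler mapping itself must also be confined to that path; otherwise the same handler still answers at /elmah.axd outside the restricted folder.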