With Elmah installed on our dev web server .. can we restrict who remotely accesses it? Even if we hardcode the username/passwords (hashed?) or is it only via IP?
3 Answers
There are two settings, one is in `<elmah>`:

```xml
<elmah>
  <security allowRemoteAccess="1"/>
</elmah>
```

The other is, if you allow remote access, you can use the `<location>` to control who accesses it:

```xml
<location path="elmah.axd">
  <system.web>
    <authorization>
      <allow roles="Administrator"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
```
You can put this in the main web.config just after your `</runtime>` tag.

- I hope this info can save some people a few minutes: the tag should be put [right under](http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx). For me, I put it right after – Endy Tjahjono Aug 18 '11 at 04:35
- I always put mine right down at the bottom, just before the `` tag as I mentioned above. This gives me a consistent place to look for these access control tags (I would normally have one for the admin area of the site as well and any other protected systems). Anyway, thanks for your feedback, hopefully your comments will help people internalize what is being said here before running into errors. – rtpHarry Aug 23 '11 at 15:04
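
As an added example that is not from any of the answers or from ELMAH itself, this Python script audits a web.config for the two settings described in the answer above: whether `allowRemoteAccess` is on, and whether the `<allow>`/`<deny>` rules for `elmah.axd` stop an anonymous request when evaluated in order with the first match winning. The function names, result labels and sample configs are constructed for illustration; it assumes `<configuration>` carries no XML namespace and treats `1`, `true`, `yes` and `on` as enabled.

```python
import xml.etree.ElementTree as ET

# Values this example treats as "enabled" for allowRemoteAccess (assumption).
TRUTHY = {"1", "true", "yes", "on"}

def anonymous_get_allowed(rules):
    """Evaluate <allow>/<deny> rules in order for an anonymous GET; first match wins."""
    for rule in rules:
        verbs = [v.strip().upper() for v in rule.get("verbs", "").split(",") if v.strip()]
        if verbs and "GET" not in verbs:
            continue  # rule is limited to other HTTP verbs
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if users & {"*", "?"}:  # only these patterns match an anonymous user
            return rule.tag == "allow"
    return True  # nothing matched: ASP.NET's inherited default allows everyone

def audit_elmah(config_xml, handler="elmah.axd"):
    """Classify how exposed the ELMAH handler is in one web.config document."""
    root = ET.fromstring(config_xml)
    sec = root.find("./elmah/security")
    if sec is None or sec.get("allowRemoteAccess", "").strip().lower() not in TRUTHY:
        return "local-only"
    rules = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == handler:
            rules += list(loc.findall("./system.web/authorization/*"))
    # Site-wide rules are consulted after the more specific <location> rules.
    rules += list(root.findall("./system.web/authorization/*"))
    return "open-to-anonymous" if anonymous_get_allowed(rules) else "restricted"

# Constructed sample configs, not taken from any real site.
REMOTE = '<elmah><security allowRemoteAccess="1"/></elmah>'
LOCATION = ('<location path="elmah.axd"><system.web><authorization>{}'
            '</authorization></system.web></location>')
SAMPLES = {
    "no remote access": "<configuration><elmah/></configuration>",
    "remote, no rules": f"<configuration>{REMOTE}</configuration>",
    "remote, role-gated": "<configuration>" + REMOTE + LOCATION.format(
        '<allow roles="Administrator"/><deny users="*"/>') + "</configuration>",
    "remote, allow first": "<configuration>" + REMOTE + LOCATION.format(
        '<allow users="*"/><deny users="*"/>') + "</configuration>",
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:22} -> {audit_elmah(xml)}")
```
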
I know it's a bit late, but for future reference there's more to it than just opening access through `allowRemoteAccess`. I really got under the skin of securing ELMAH while writing this blog post, ELMAH security and allowRemoteAccess explained, a couple of months ago.
I don't think that any of the answers on this question are wrong, but there are more options available, depending on the technologies used. If running ASP.NET, securing through the `authorization` element is definitely the way to go. A lot of people are running MVC these days, though. Alexander Beletsky wrote an excellent package called Elmah.MVC. Using this package makes all of the problems using ELMAH from MVC simply go away. And when using that package, securing ELMAH is easy as well, using a number of custom app settings like this:
```xml
<appSettings>
  <add key="elmah.mvc.requiresAuthentication" value="true" />
  <add key="elmah.mvc.allowedRoles" value="Admin" />
  <add key="elmah.mvc.allowedUsers" value="Thomas" />
</appSettings>
```

You can secure this in your web.config (if you indeed want it accessible to anyone on the production site). See: How to secure Elmah.axd?
Obviously change your `<allow users=....>` to the appropriate values.
