
How can I restrict remote access to Elmah?

With Elmah installed on our dev web server .. can we restrict who remotely accesses it? Even if we hardcode the username/passwords (hashed?) or is it only via IP?

Pure.Krome asked Jul 21 '11 15:07




3 Answers

There are two settings, one is in <elmah>:

<elmah>
    <security allowRemoteAccess="1"/>
</elmah>

The other is, if you allow remote access, you can use the <location> to control who accesses it:

  <location path="elmah.axd">
    <system.web>
      <authorization>
        <allow roles="Administrator"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

You can put this in the main web.config just after your </runtime> tag.

rtpHarry answered Nov 17 '22 11:11
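A check for the two settings described in the answer above, as an added example that is not part of any answer on this page: it reads a web.config and reports when allowRemoteAccess is on but the elmah.axd location does not end in a deny-all rule. The function names, the sample configs, the un-namespaced `<configuration>` root and the set of values treated as "true" are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption: values ELMAH treats as "true" for allowRemoteAccess.
TRUTHY = {"1", "true", "yes", "on"}

def audit_elmah(web_config_xml, handler="elmah.axd"):
    """Return a list of findings for the ELMAH settings in a web.config string."""
    root = ET.fromstring(web_config_xml)
    sec = root.find("./elmah/security")
    remote = sec is not None and sec.get("allowRemoteAccess", "0").strip().lower() in TRUTHY
    if not remote:
        return []  # handler only answers local requests; nothing to flag
    loc = next((l for l in root.findall("location")
                if l.get("path", "").lower() == handler), None)
    if loc is None:
        return ["remote access enabled but no <location path='%s'> block" % handler]
    # ASP.NET evaluates authorization rules top to bottom; the first match wins.
    for rule in loc.findall("./system.web/authorization/*"):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if rule.tag == "allow" and ("*" in users or "?" in users):
            return ["<allow users='%s'> precedes any deny-all rule" % rule.get("users")]
        if rule.tag == "deny" and "*" in users:
            return []  # everyone not explicitly allowed above is denied
    return ["no <deny users='*'> rule; unmatched users fall through to the inherited allow"]

def sample(remote, rules):
    """Constructed web.config used only for this demonstration."""
    return ("<configuration><elmah><security allowRemoteAccess='%s'/></elmah>"
            "<location path='elmah.axd'><system.web><authorization>%s"
            "</authorization></system.web></location></configuration>" % (remote, rules))

# Constructed config: remote access on, no <location> block at all.
OPEN = "<configuration><elmah><security allowRemoteAccess='1'/></elmah></configuration>"

if __name__ == "__main__":
    cases = {
        "role-restricted": sample("1", "<allow roles='Administrator'/><deny users='*'/>"),
        "missing deny": sample("1", "<allow roles='Administrator'/>"),
        "no location": OPEN,
    }
    for name, xml in cases.items():
        print(name, "->", audit_elmah(xml) or "ok")
```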


I know it's a bit late, but for future reference there's more to it than just opening access through allowRemoteAccess. I really got under the skin of securing ELMAH while writing this blog post, "ELMAH security and allowRemoteAccess explained", a couple of months ago.

I don't think that any of the answers on this question are wrong, but there are more options available, depending on the technologies used. If running ASP.NET, securing through the authorization element is definitely the way to go. A lot of people are running MVC these days, though. Alexander Beletsky wrote an excellent package called Elmah.MVC. Using this package makes all of the problems using ELMAH from MVC simply go away. And when using that package, securing ELMAH is easy as well, using a number of custom app settings like this:

<appSettings>
    <add key="elmah.mvc.requiresAuthentication" value="true" />
    <add key="elmah.mvc.allowedRoles" value="Admin" />
    <add key="elmah.mvc.allowedUsers" value="Thomas" />
</appSettings>

ThomasArdal answered Nov 17 '22 10:11


You can secure this in your web.config (if you indeed want it accessible to anyone on the production site). See: How to secure Elmah.axd?

Obviously change your <allow users=....> to the appropriate values.

Adam Tuliper answered Nov 17 '22 11:11