1

I have an ASP.NET MVC Application, which has a Logs folder, where the log files are stored. Normally, I would access it as localhost/Logs/Log.common.txt and see the logs. However, now I want to restrict it.

Now I have a Logs controller, which has an Authorize attribute set to Admin only:

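```csharp
using System.Web.Mvc;

namespace MyApp.Controllers
{
  // Only users in the Admin role can reach any action on this controller.
  [Authorize(Roles = "Admin")]
  public class LogsController : BaseController
  {
    public ActionResult Index()
    {
      LogFile logFile = GetLogFileByName("log.Common.txt");
      return View(logFile);
    }
  }
}
```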

So now, if I try to go to localhost/Logs, I get an unauthorized access error; however, if I go directly to localhost/Logs/Log.common.txt, I can still see the file. Is there any way to disable this?

Jamik
    You could simply not store the log files within your application's file structure. That would prevent it from getting served out. Longer term - you sure you want to deal with text files? That's hard to work with. Have you considered using a logging library like [Serilog](https://serilog.net/) or [NLog](https://nlog-project.org/), and then combining that with an application logging framework like [Seq](https://datalust.co/seq) or [Retrace](https://stackify.com/retrace/)? – mason Mar 25 '20 at 15:53

1 Answer

0

For IIS7+, add the following web.config file into /Logs:

```xml
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="" roles="Admin" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

Earlier versions have slightly different syntax.

Alternatively, move /logs into /app_data.

user2316116
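Once the logs live under App_Data, as the answer's second option suggests, they are no longer reachable as static files, so the admin-only controller is the only route to them. The following is an added example, not code from the question or the answer, of an action that serves a log from that folder while refusing path traversal. The `~/App_Data/Logs` location and the `Raw` action name are assumptions, and the class derives from `Controller` rather than the question's `BaseController` so that it stands alone.

```csharp
using System;
using System.IO;
using System.Web.Mvc;

namespace MyApp.Controllers
{
    // Same role gate as the question's LogsController; every action inherits it.
    [Authorize(Roles = "Admin")]
    public class LogsController : Controller
    {
        // Assumed location: files under App_Data are not served directly.
        private const string LogRoot = "~/App_Data/Logs";

        // Hypothetical action: GET /Logs/Raw?name=Log.common.txt
        public ActionResult Raw(string name)
        {
            if (string.IsNullOrWhiteSpace(name))
                return HttpNotFound();

            // Accept a bare file name only: no "..", no directory separators.
            if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 ||
                !string.Equals(Path.GetFileName(name), name, StringComparison.Ordinal))
                return HttpNotFound();

            // Only plain-text logs are exposed through this action.
            if (!string.Equals(Path.GetExtension(name), ".txt",
                               StringComparison.OrdinalIgnoreCase))
                return HttpNotFound();

            string root = Path.GetFullPath(Server.MapPath(LogRoot));
            string full = Path.GetFullPath(Path.Combine(root, name));

            // Defence in depth: the resolved path must stay inside the log folder.
            if (!full.StartsWith(root + Path.DirectorySeparatorChar,
                                 StringComparison.OrdinalIgnoreCase))
                return HttpNotFound();

            if (!System.IO.File.Exists(full))
                return HttpNotFound();

            return File(full, "text/plain");
        }
    }
}
```

Returning 404 for every rejected name keeps the response identical whether the file is missing or the name was refused, so the action does not reveal which files exist outside the log folder.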