asp.net mvc - How to secure Elmah.axd?

Question

We're using Elmah as our error logging system for an app that will be going into production soon. It's extremely useful, but if it goes into production like this anyone in the world access the error log because all they have to do is visit ourdomain.com/elmah.axd.

This is obviously not ideal. I originally intended to restrict access to that page only to IP addresses within our company, but now our SysAdmins are saying that's not possible. So I'm asking here how can I prevent access to this resource?

We running an ASP.NET MVC app on IIS 6.

Answer 1

The typical scenario for securing elmah.axd is allowing only some authenticated user to be able to access it. But if your site doesn't use any authentication at all this might not be applicable.

Here's what I would recommend you:

1. Disable completely the elmah.axd handler on your main site
2. Configure elmah to write the logs to some shared data source (like a shared file, SQLite database or even SQL Server)
3. Configure a second site in IIS, probably on another network or server, which has only elmah installed and which points to this same shared data source. Now you would always use the second site to read the logs. Obviously the second site would only be accessible to you.

If you decide to use SQL Server you could even read the logs of multiple applications running on multiple web servers in a farm from within a single internal application accessible only to you.