The typical scenario for securing elmah.axd is allowing only some authenticated user to be able to access it. But if your site doesn't use any authentication at all this might not be applicable.

保护 elmah.axd 的典型场景是只允许某些经过身份验证的用户能够访问它。但是，如果您的站点根本不使用任何身份验证，则这可能不适用。

Here's what I would recommend you:

以下是我向您推荐的：

1. Disable completely the elmah.axdhandler on your main site
2. Configure elmahto write the logs to some shared data source (like a shared file, SQLite database or even SQL Server)
3. Configure a second site in IIS, probably on another network or server, which has only elmah installed and which points to this same shared data source. Now you would always use the second site to read the logs. Obviously the second site would only be accessible to you.

1. 完全禁用elmah.axd主站点上的处理程序
2. 配置elmah将日志写入某些共享数据源（如共享文件、SQLite 数据库甚至 SQL Server）
3. 在 IIS 中配置第二个站点，可能在另一个网络或服务器上，它只安装了 elmah 并且指向同一个共享数据源。现在您将始终使用第二个站点来读取日志。显然，只有您可以访问第二个站点。

If you decide to use SQL Server you could even read the logs of multiple applications running on multiple web servers in a farm from within a single internal application accessible only to you.

如果您决定使用 SQL Server，您甚至可以从只有您可以访问的单个内部应用程序中读取在场中多个 Web 服务器上运行的多个应用程序的日志。

I found this is most acceptable for MVC applications:

我发现这对于 MVC 应用程序来说是最可接受的：

http://www.beletsky.net/2011/03/integrating-elmah-to-aspnet-mvc-in.html

http://www.beletsky.net/2011/03/integrating-elmah-to-aspnet-mvc-in.html

You can point the elmah http handler to another url (for example "Secure/elmah.axd") in web.config. You can secure the url as any other asp.net page in the web config.

您可以将 elmah http 处理程序指向 web.config 中的另一个 url（例如“Secure/elmah.axd”）。您可以像 web 配置中的任何其他 asp.net 页面一样保护 url。

<httpHandlers>
  ...
  <add verb="POST,GET,HEAD" path="/Secure/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<location path="Secure" > <!-- secure the host.com/Secure path -->
  <system.web>
    <authorization>
      <deny users="?" />
      <!-- Or anything else... -->
    </authorization>
  </system.web>
</location>

We are successfully using this approach on IIS7 using active directory membership providers, and it works great. I am not sure if it works on IIS6 though.

我们在 IIS7 上使用 Active Directory 成员资格提供程序成功地使用了这种方法，并且效果很好。我不确定它是否适用于 IIS6。

If you're using ASP.NET Membership, it's pretty easy to restrict access to the elmah.axd HttpHandler for anonymous users and only allow logged in users in an "Administrators" group. I've done it like this:

如果您使用的是 ASP.NET Membership，则可以很容易地限制匿名用户对 elmah.axd HttpHandler 的访问，并且只允许“管理员”组中的登录用户。我是这样做的：

<configuration>
  ...
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <allow roles="Administrators"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

Anybody who's logged in AND member of the "Administrators" role can access the page now.

任何已登录且具有“管理员”角色成员的人现在都可以访问该页面。

If your intention is to disable remote users from accessing it, simply change the value of <security allowRemoteAccess="yes" />to <security allowRemoteAccess="no" />

如果您的目的是禁止远程用户访问它，只需将值更改<security allowRemoteAccess="yes" />为<security allowRemoteAccess="no" />

Here are some useful links:

以下是一些有用的链接：

Securely Implement ELMAH For Plug And Play Error Logging
Securing Error Log Pages

安全地实施 ELMAH 即插即用错误日志
保护错误日志页面

I used IP Restrictions from the IIS 7 configuration. By default, you can't simply apply it in <location path="elmah.axd">because it's locked on the parent configuration level. As such, I created an empty folder "logs"and applied restrictions in IIS to this folder, then modified the location path for the elmah.axdfile. That's it! You have remote access to yourdomain.com/logs/elmah.axd, but only from specific IPs.

我使用了 IIS 7 配置中的 IP 限制。默认情况下，您不能简单地应用它，<location path="elmah.axd">因为它锁定在父配置级别。因此，我创建了一个空文件夹"logs"并将 IIS 中的限制应用于该文件夹，然后修改了该elmah.axd文件的位置路径。就是这样！您可以远程访问yourdomain.com/logs/elmah.axd，但只能从特定 IP 访问。