November Happy Hour will be moved to Thursday December 5th.

Daniel Ovaska
May 15, 2024
  791
(1 votes)

IP block for edit and admin in DXP

Why IP-blocking edit/admin?

A hacker can try to guess user names and passwords to gain access to your site. This risk can be minimized in a couple of ways. 

  1. Requiring strong and long passwords
  2. Two factor authentication
  3. IP-blocking

To be honest IP-blocking is probably my least favorite one since it makes your solution dependent on the public IPs of the editors so my first recommendation is to focus on getting two factor authentication up and running instead if possible. But if increasing security fast is important then IP-blocking edit and admin mode is definitetly a good idea if it's reachable from the internet. The con is that updating IP-ranges won't be fun.

How to restrict edit/admin mode to certain IP ranges?

One thing to be aware of with DXP is that ordinary IP block rules in web.config won't work since the CDN will not send the calling IP on in the normal way. It will send it using the header "HTTP_True_Client_IP". If you try the default way of doing it in .NET, it will work for on-prem solutions but it won't work in DXP because of this. 

For CMS 11 this can be solved in DXP by using these rewrite rules in web.config. For CMS 12+, writing a middleware is more appropriate, see link below.
Note: keep these kind of security related configuration in the production transform file "Web.production.config". If you don't it's easy for a developer to change them by mistake when they are troubleshooting their local environment. First get your IP ranges from the company internal IT including any VPN ranges. Test them yourself using https://www.whatsmyip.org/

Then set up an example rule for the rewrite:

Example rule:

<system.webServer>      
<rewrite>
<rules>
<rule name="Block unauthorized traffic"
     stopProcessing="true">
    <match url="episerver\/" />
    <conditions>
      <add input="{HTTP_True_Client_IP}" pattern="^17\.87\.(14[4-9]|15[01])\.([1-9]?\d|[12]\d\d)$|^139\.152\.([1-9]?\d|[12]\d\d)\.([1-9]?\d|[12]\d\d)$" negate="true"/>
    </conditions>
    <action type="CustomResponse"
            statusCode="403"
            statusReason="Forbidden"
            statusDescription="Site is not accessible" />
  </rule>
</rules>
</rewrite>
</system.webServer>

Make sure the url in the match corresponds to the url you chose for your episerver edit mode. Note that the input to the condition in the rule is actually the header value of "HTTP_True_Client_IP" rather than the normal calling IP "REMOTE_ADDR". This is needed to make it work in DXP environment as expained above.  

For the rule and the regex magic pattern I used the tools at 
https://www.analyticsmarket.com/freetools/ipregex/

to construct the regex for an ip range. Use the | between each expression as an OR check. Test the reg ex with a couple of IPs within and outside the restricted ranges using a tool
https://regex101.com/

For CMS 12 it's a better option to write a middleware to handle this. There is some starting documentation for that here:
https://docs.developers.optimizely.com/digital-experience-platform/docs/restricting-environment-access

That will have to be another blog post however.

Happy coding!

May 15, 2024

Comments

Mark Stott
Mark Stott May 15, 2024 02:59 PM

Great article Daniel.  There is a new Add-On for CMS 12 which is currently in Beta that could be worth looking into: IpWhitelist (github.com)

Binh Nguyen Thi
Binh Nguyen Thi May 17, 2024 07:42 AM

Thanks for your sharing Daniel

And Mark, it is nice to have this Add-On in nuget feed soon :). I think it is good if we al have option to configure Allow IPs or Restrict IPs.

IP

Please login to comment.
Latest blogs
Set Default Culture in Optimizely CMS 12

Take control over culture-specific operations like date and time formatting.

Tomas Hensrud Gulla | Nov 15, 2024 | Syndicated blog

I'm running Optimizely CMS on .NET 9!

It works 🎉

Tomas Hensrud Gulla | Nov 12, 2024 | Syndicated blog

Recraft's image generation with AI-Assistant for Optimizely

Recraft V3 model is outperforming all other models in the image generation space and we are happy to share: Recraft's new model is now available fo...

Luc Gosso (MVP) | Nov 8, 2024 | Syndicated blog

ExcludeDeleted(): Prevent Trashed Content from Appearing in Search Results

Introduction In Optimizely CMS, content that is moved to the trash can still appear in search results if it’s not explicitly excluded using the...

Ashish Rasal | Nov 7, 2024

CMS + CMP + Graph integration

We have just released a new package https://nuget.optimizely.com/package/?id=EPiServer.Cms.WelcomeIntegration.Graph which changes the way CMS fetch...

Bartosz Sekula | Nov 5, 2024

Block type selection doesn't work

Imagine you're trying to create a new block in a specific content area. You click the "Create" link, expecting to see a CMS modal with a list of...

Damian Smutek | Nov 4, 2024 | Syndicated blog