Daniel Ovaska
May 15, 2024
  994
(1 votes)

IP block for edit and admin in DXP

Why IP-blocking edit/admin?

A hacker can try to guess user names and passwords to gain access to your site. This risk can be minimized in a couple of ways. 

  1. Requiring strong and long passwords
  2. Two factor authentication
  3. IP-blocking

To be honest IP-blocking is probably my least favorite one since it makes your solution dependent on the public IPs of the editors so my first recommendation is to focus on getting two factor authentication up and running instead if possible. But if increasing security fast is important then IP-blocking edit and admin mode is definitetly a good idea if it's reachable from the internet. The con is that updating IP-ranges won't be fun.

How to restrict edit/admin mode to certain IP ranges?

One thing to be aware of with DXP is that ordinary IP block rules in web.config won't work since the CDN will not send the calling IP on in the normal way. It will send it using the header "HTTP_True_Client_IP". If you try the default way of doing it in .NET, it will work for on-prem solutions but it won't work in DXP because of this. 

For CMS 11 this can be solved in DXP by using these rewrite rules in web.config. For CMS 12+, writing a middleware is more appropriate, see link below.
Note: keep these kind of security related configuration in the production transform file "Web.production.config". If you don't it's easy for a developer to change them by mistake when they are troubleshooting their local environment. First get your IP ranges from the company internal IT including any VPN ranges. Test them yourself using https://www.whatsmyip.org/

Then set up an example rule for the rewrite:

Example rule:

<system.webServer>      
<rewrite>
<rules>
<rule name="Block unauthorized traffic"
     stopProcessing="true">
    <match url="episerver\/" />
    <conditions>
      <add input="{HTTP_True_Client_IP}" pattern="^17\.87\.(14[4-9]|15[01])\.([1-9]?\d|[12]\d\d)$|^139\.152\.([1-9]?\d|[12]\d\d)\.([1-9]?\d|[12]\d\d)$" negate="true"/>
    </conditions>
    <action type="CustomResponse"
            statusCode="403"
            statusReason="Forbidden"
            statusDescription="Site is not accessible" />
  </rule>
</rules>
</rewrite>
</system.webServer>

Make sure the url in the match corresponds to the url you chose for your episerver edit mode. Note that the input to the condition in the rule is actually the header value of "HTTP_True_Client_IP" rather than the normal calling IP "REMOTE_ADDR". This is needed to make it work in DXP environment as expained above.  

For the rule and the regex magic pattern I used the tools at 
https://www.analyticsmarket.com/freetools/ipregex/

to construct the regex for an ip range. Use the | between each expression as an OR check. Test the reg ex with a couple of IPs within and outside the restricted ranges using a tool
https://regex101.com/

For CMS 12 it's a better option to write a middleware to handle this. There is some starting documentation for that here:
https://docs.developers.optimizely.com/digital-experience-platform/docs/restricting-environment-access

That will have to be another blog post however.

Happy coding!

May 15, 2024

Comments

Mark Stott
Mark Stott May 15, 2024 02:59 PM

Great article Daniel.  There is a new Add-On for CMS 12 which is currently in Beta that could be worth looking into: IpWhitelist (github.com)

Binh Nguyen Thi
Binh Nguyen Thi May 17, 2024 07:42 AM

Thanks for your sharing Daniel

And Mark, it is nice to have this Add-On in nuget feed soon :). I think it is good if we al have option to configure Allow IPs or Restrict IPs.

IP

Please login to comment.
Latest blogs
The missing globe can finally be installed as a nuget package!

Do you feel like you're dying a little bit every time you need to click "Options" and then "View on Website"? Do you also miss the old "Globe" in...

Tomas Hensrud Gulla | Feb 14, 2025 |

Cloudflare Edge Logs

Optimizely is introducing the ability to access Cloudflare's edge logs, which gives access to some information previously unavailable except throug...

Bob Davidson | Feb 14, 2025 |

Comerce Connect calatog caching settings

A critical aspect of Commerce Connect is the caching mechanism for the product catalog, which enhances performance by reducing database load and...

K Khan | Feb 14, 2025

CMP DAM asset sync to Optimizely Graph self service

The CMP DAM integration in CMS introduced support for querying Optimizly Graph (EPiServer.Cms.WelcomeIntegration.Graph 2.0.0) for metadata such as...

Robert Svallin | Feb 13, 2025