Daniel Ovaska
May 15, 2024

IP block for edit and admin in DXP

Why IP-blocking edit/admin?

An attacker can try to guess user names and passwords to gain access to your site. This risk can be reduced in a couple of ways:

  1. Requiring strong, long passwords
  2. Two-factor authentication
  3. IP blocking

To be honest, IP blocking is probably my least favorite of the three, since it makes your solution dependent on the public IP addresses of the editors, so my first recommendation is to focus on getting two-factor authentication up and running instead if possible. But if increasing security fast is important, IP blocking edit and admin mode is definitely a good idea when they are reachable from the internet. The con is that updating the IP ranges won't be fun.

How to restrict edit/admin mode to certain IP ranges?

One thing to be aware of with DXP is that ordinary IP block rules in web.config won't work, since the CDN does not pass the caller's IP on in the normal way. REMOTE_ADDR only holds the address of the CDN edge; the real client address is sent in the True-Client-IP header, which IIS exposes as the server variable HTTP_True_Client_IP. The default way of doing this in .NET therefore works for on-prem solutions but not in DXP. Keep in mind that this header is only trustworthy because requests reach the site through the CDN: on a setup where the origin can be reached directly, the caller controls the header and any IP check based on it is worthless.

For CMS 11 this can be solved in DXP with the rewrite rule below in web.config. For CMS 12+, writing a middleware is more appropriate; see the link at the end.

Note: keep this kind of security-related configuration in the production transform file, Web.production.config. If you don't, it is easy for a developer to change it by mistake while troubleshooting a local environment. First get your IP ranges from the company's internal IT, including any VPN ranges, and check which public IP you are coming from yourself with https://www.whatsmyip.org/ so you can confirm it falls inside them.

Then set up the rewrite rule in web.config. Example rule:

<system.webServer>
  <rewrite>
    <rules>
      <!-- Deny edit/admin mode to everyone outside the allowed IP ranges. -->
      <rule name="Block unauthorized traffic" stopProcessing="true">
        <!-- The path of your edit mode UI (default /episerver/). The pattern is anchored
             so that a content page whose path merely contains "episerver/" is not blocked. -->
        <match url="^episerver(/|$)" />
        <conditions>
          <!-- DXP: the CDN puts the real client address in the True-Client-IP header, which
               IIS exposes as HTTP_True_Client_IP; REMOTE_ADDR would only give the CDN edge.
               negate="true": the rule fires when the value does NOT match an allowed range,
               which includes a missing header, so the rule fails closed. -->
          <add input="{HTTP_True_Client_IP}"
               pattern="^17\.87\.(14[4-9]|15[01])\.([1-9]?\d|[12]\d\d)$|^139\.152\.([1-9]?\d|[12]\d\d)\.([1-9]?\d|[12]\d\d)$"
               negate="true" />
        </conditions>
        <action type="CustomResponse"
                statusCode="403"
                statusReason="Forbidden"
                statusDescription="Site is not accessible" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>

Make sure the url in the match corresponds to the URL you chose for your Episerver edit mode. Note that the input to the condition is the header value HTTP_True_Client_IP rather than the normal calling IP, REMOTE_ADDR; this is what makes it work in the DXP environment, as explained above. Because the condition is negated, a request whose header is missing or does not match any allowed range gets the 403, so the rule fails closed rather than open. Verify it from an address inside the ranges (edit mode loads) and from one outside, for example a mobile connection (403).

For the regex patterns I used the tool at
https://www.analyticsmarket.com/freetools/ipregex/

to construct a regex for each IP range. Join the expressions with | as an OR. Test the regex with a couple of IPs inside and outside the allowed ranges using
https://regex101.com/
(the URL Rewrite module evaluates patterns with ECMAScript syntax by default, so pick the ECMAScript/JavaScript flavour there).
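As an added check that is not part of the original post: instead of spot-testing a couple of addresses, the following C# console program (my example, not the author's code) enumerates every address in the ranges the pattern is meant to cover and confirms that the pattern matches all of them and nothing just outside them. The ranges are my reading of the pattern above as 17.87.144.0/21 and 139.152.0.0/16; the list of odd header values at the end is constructed for the example. It also shows what negate="true" buys you: none of those values match, so each would be answered with the 403.

```csharp
// Added example (not from the original post): verify that the allow-list regex from the
// rewrite rule covers exactly the intended address ranges. Build with `dotnet new console`.
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class AllowlistRegexCheck
{
    // The condition pattern from the web.config rule, verbatim.
    public const string Pattern =
        @"^17\.87\.(14[4-9]|15[01])\.([1-9]?\d|[12]\d\d)$|^139\.152\.([1-9]?\d|[12]\d\d)\.([1-9]?\d|[12]\d\d)$";

    // IIS URL Rewrite uses ECMAScript pattern syntax by default, so \d is [0-9] here as well.
    private static readonly Regex AllowList = new Regex(Pattern, RegexOptions.ECMAScript);

    // The ranges the pattern is meant to express (my reading: 17.87.144.0/21 and 139.152.0.0/16),
    // given as first and last address so that no CIDR parsing is needed here.
    public static readonly (string First, string Last)[] IntendedRanges =
    {
        ("17.87.144.0", "17.87.151.255"),
        ("139.152.0.0", "139.152.255.255"),
    };

    public static uint ToUInt32(string dotted)
    {
        var b = IPAddress.Parse(dotted).GetAddressBytes(); // network byte order
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }

    public static string ToDotted(uint a) =>
        $"{a >> 24}.{(a >> 16) & 0xFF}.{(a >> 8) & 0xFF}.{a & 0xFF}";

    // True when every address in [first, last] matches and the neighbours just outside do not.
    public static bool CoversExactly(string first, string last)
    {
        uint lo = ToUInt32(first), hi = ToUInt32(last);
        for (ulong a = lo; a <= hi; a++)           // ulong so hi == uint.MaxValue cannot overflow
            if (!AllowList.IsMatch(ToDotted((uint)a))) return false;
        bool belowBlocked = lo == 0 || !AllowList.IsMatch(ToDotted(lo - 1));
        bool aboveBlocked = hi == uint.MaxValue || !AllowList.IsMatch(ToDotted(hi + 1));
        return belowBlocked && aboveBlocked;
    }

    public static void Main()
    {
        foreach (var (first, last) in IntendedRanges)
            Console.WriteLine($"{first} - {last}: {(CoversExactly(first, last) ? "exact" : "MISMATCH")}");

        // Constructed header values a misconfigured proxy or an attacker might send. With
        // negate="true" in the rule, anything that does not match gets the 403, so every one
        // of these must be a non-match for the rule to fail closed.
        string[] hostile =
        {
            "",                          // header missing entirely (request did not come via the CDN)
            "17.87.144.1, 203.0.113.9",  // comma-joined list, as in a forwarded chain
            "017.087.144.001",           // leading zeros
            "17.87.144.1.",              // trailing dot
            "117.87.144.1",              // allowed range embedded in a longer address
        };
        foreach (var v in hostile)
            Console.WriteLine($"\"{v}\": {(AllowList.IsMatch(v) ? "ALLOWED (bad)" : "blocked")}");
    }
}
```

Both ranges come out as "exact" and every hostile value as "blocked". Note that the fourth-octet group `([1-9]?\d|[12]\d\d)` also accepts 256-299; that is harmless here because no real address carries such an octet, but it is the kind of slack a quick look at regex101 will not reveal, which is why the exhaustive loop is worth the few seconds it takes.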

For CMS 12 the better option is to write a middleware to handle this. There is some starting documentation for that here:
https://docs.developers.optimizely.com/digital-experience-platform/docs/restricting-environment-access

That will have to be another blog post, however.
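Since the post stops short of the CMS 12 version, here is an added example of how such a middleware can look. This is my code, not the author's and not from the Optimizely documentation linked above. It assumes what the post describes, namely that the DXP CDN puts the client address in the True-Client-IP header and that the site is reachable only through that CDN; it further assumes that editors connect over IPv4 and that the edit UI lives under /episerver. The class name, the extension method name and the CIDR ranges are placeholders.

```csharp
// Added example (not from the original post or the Optimizely docs): ASP.NET Core middleware
// for CMS 12 that answers 403 for the edit/admin UI unless the client address, taken from the
// True-Client-IP header the DXP CDN adds, falls inside an allow-list of IPv4 CIDR ranges.
#nullable enable
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class EditModeIpAllowlist
{
    // IIS exposes this header as the server variable HTTP_True_Client_IP; in ASP.NET Core
    // we read the raw header instead.
    public const string HeaderName = "True-Client-IP";

    // "17.87.144.0/21" -> (network, mask). Throws on malformed input so a typo fails at startup,
    // not silently at request time.
    public static (uint Network, uint Mask) ParseCidr(string text)
    {
        var parts = text.Split('/');
        if (parts.Length != 2) throw new FormatException($"Not a CIDR range: {text}");
        var prefix = int.Parse(parts[1]);
        if (prefix < 0 || prefix > 32) throw new FormatException($"Bad prefix length: {text}");
        uint mask = prefix == 0 ? 0u : uint.MaxValue << (32 - prefix);
        return (ToUInt32(IPAddress.Parse(parts[0])) & mask, mask);
    }

    // The client address is accepted only if the header holds exactly one well-formed IPv4
    // address. A missing header (request did not come through the CDN), a comma-joined list
    // (several header values are joined with commas here) or an IPv6 address yields null.
    public static IPAddress? ResolveClientIp(IHeaderDictionary headers)
    {
        var raw = headers[HeaderName].ToString();
        return IPAddress.TryParse(raw, out var ip) && ip.AddressFamily == AddressFamily.InterNetwork
            ? ip
            : null;
    }

    // null is "not allowed": the check fails closed, like the negated rewrite condition.
    public static bool IsAllowed(IPAddress? ip, (uint Network, uint Mask)[] allowed)
    {
        if (ip is null) return false;
        var a = ToUInt32(ip);
        return allowed.Any(c => (a & c.Mask) == c.Network);
    }

    private static uint ToUInt32(IPAddress ip)
    {
        var b = ip.GetAddressBytes(); // network byte order
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }

    // Wire-up in Startup.Configure, before UseRouting/UseAuthentication so nothing under the
    // protected path runs for a blocked caller:
    //   app.UseEditModeIpAllowlist("/episerver", "17.87.144.0/21", "139.152.0.0/16");
    public static IApplicationBuilder UseEditModeIpAllowlist(
        this IApplicationBuilder app, string protectedPath, params string[] allowedCidrs)
    {
        var allowed = allowedCidrs.Select(ParseCidr).ToArray();
        return app.Use(async (context, next) =>
        {
            // StartsWithSegments is case-insensitive and segment-aware: "/episerver" covers
            // "/EPiServer/CMS" but not "/episerver-news".
            if (context.Request.Path.StartsWithSegments(protectedPath)
                && !IsAllowed(ResolveClientIp(context.Request.Headers), allowed))
            {
                context.Response.StatusCode = StatusCodes.Status403Forbidden;
                await context.Response.WriteAsync("Site is not accessible");
                return;
            }
            await next();
        });
    }
}
```

The important design point is the same as for the rewrite rule: the decision is made on the header the CDN sets, and anything that is not a single valid IPv4 address in one of the ranges is rejected, so the middleware fails closed. If the origin could ever be reached without going through the CDN, the header would be attacker-controlled and this check (like the web.config rule) would have to be backed by a network-level restriction instead.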

Happy coding!


Comments

Mark Stott, May 15, 2024 02:59 PM

Great article Daniel. There is a new Add-On for CMS 12 which is currently in Beta that could be worth looking into: IpWhitelist (github.com)

Binh Nguyen Thi, May 17, 2024 07:42 AM

Thanks for sharing, Daniel.

And Mark, it is nice to have this Add-On in the nuget feed soon :). I think it is good if we all have the option to configure Allow IPs or Restrict IPs.
