Try our conversational search powered by Generative AI!

Daniel Ovaska
May 15, 2024
  482
(1 votes)

IP block for edit and admin in DXP

Why IP-blocking edit/admin?

A hacker can try to guess user names and passwords to gain access to your site. This risk can be minimized in a couple of ways. 

  1. Requiring strong and long passwords
  2. Two factor authentication
  3. IP-blocking

To be honest IP-blocking is probably my least favorite one since it makes your solution dependent on the public IPs of the editors so my first recommendation is to focus on getting two factor authentication up and running instead if possible. But if increasing security fast is important then IP-blocking edit and admin mode is definitetly a good idea if it's reachable from the internet. The con is that updating IP-ranges won't be fun.

How to restrict edit/admin mode to certain IP ranges?

One thing to be aware of with DXP is that ordinary IP block rules in web.config won't work since the CDN will not send the calling IP on in the normal way. It will send it using the header "HTTP_True_Client_IP". If you try the default way of doing it in .NET, it will work for on-prem solutions but it won't work in DXP because of this. 

For CMS 11 this can be solved in DXP by using these rewrite rules in web.config. For CMS 12+, writing a middleware is more appropriate, see link below.
Note: keep these kind of security related configuration in the production transform file "Web.production.config". If you don't it's easy for a developer to change them by mistake when they are troubleshooting their local environment. First get your IP ranges from the company internal IT including any VPN ranges. Test them yourself using https://www.whatsmyip.org/

Then set up an example rule for the rewrite:

Example rule:

<system.webServer>      
<rewrite>
<rules>
<rule name="Block unauthorized traffic"
     stopProcessing="true">
    <match url="episerver\/" />
    <conditions>
      <add input="{HTTP_True_Client_IP}" pattern="^17\.87\.(14[4-9]|15[01])\.([1-9]?\d|[12]\d\d)$|^139\.152\.([1-9]?\d|[12]\d\d)\.([1-9]?\d|[12]\d\d)$" negate="true"/>
    </conditions>
    <action type="CustomResponse"
            statusCode="403"
            statusReason="Forbidden"
            statusDescription="Site is not accessible" />
  </rule>
</rules>
</rewrite>
</system.webServer>

Make sure the url in the match corresponds to the url you chose for your episerver edit mode. Note that the input to the condition in the rule is actually the header value of "HTTP_True_Client_IP" rather than the normal calling IP "REMOTE_ADDR". This is needed to make it work in DXP environment as expained above.  

For the rule and the regex magic pattern I used the tools at 
https://www.analyticsmarket.com/freetools/ipregex/

to construct the regex for an ip range. Use the | between each expression as an OR check. Test the reg ex with a couple of IPs within and outside the restricted ranges using a tool
https://regex101.com/

For CMS 12 it's a better option to write a middleware to handle this. There is some starting documentation for that here:
https://docs.developers.optimizely.com/digital-experience-platform/docs/restricting-environment-access

That will have to be another blog post however.

Happy coding!

May 15, 2024

Comments

Mark Stott
Mark Stott May 15, 2024 02:59 PM

Great article Daniel.  There is a new Add-On for CMS 12 which is currently in Beta that could be worth looking into: IpWhitelist (github.com)

Binh Nguyen Thi
Binh Nguyen Thi May 17, 2024 07:42 AM

Thanks for your sharing Daniel

And Mark, it is nice to have this Add-On in nuget feed soon :). I think it is good if we al have option to configure Allow IPs or Restrict IPs.

IP

Please login to comment.
Latest blogs
From Procrastination to Proficiency: Navigating Your Journey to Web Experimentation Certification

Hey there, Optimizely enthusiasts!   Join me in celebrating a milestone – I'm officially a certified web experimentation expert! It's an exhilarati...

Silvio Pacitto | May 17, 2024

GPT-4o Now Available for Optimizely via the AI-Assistant plugin!

I am excited to announce that GPT-4o is now available for Optimizely users through the Epicweb AI-Assistant integration. This means you can leverag...

Luc Gosso (MVP) | May 17, 2024 | Syndicated blog

The downside of being too fast

Today when I was tracking down some changes, I came across this commit comment Who wrote this? Me, almost 5 years ago. I did have a chuckle in my...

Quan Mai | May 17, 2024 | Syndicated blog

Optimizely Forms: Safeguarding Your Data

With the rise of cyber threats and privacy concerns, safeguarding sensitive information has become a top priority for businesses across all...

K Khan | May 16, 2024