Area: Optimizely CMS
Applies to versions: 12 and higher
Decoupled setup

This topic describes how to secure the user interfaces against access by unauthorized users in a solution whose servers are physically separated (a decoupled setup).

General considerations

Consider the following for solutions with physically separated servers:

  • Have separate servers for the user interfaces and the public site, and keep the UI server on an internal, protected network.
  • Remove access to editing and administration interfaces.
  • Remove access to any custom Edit/Admin plug-ins from the public facing server (for example by removing the files).
  • If you cannot have separate servers, use separate bindings in IIS for the public site and the UI, and require HTTPS (TLS) on the UI binding.

Removing access to editing and administration interfaces

The following description shows how to make the edit/admin user interfaces unavailable on a publicly facing server.

One way to block access to edit and admin on the public application is to redefine the policies CmsPolicyNames.CmsEdit and CmsPolicyNames.CmsAdmin (these policies are evaluated whenever an edit or admin resource is requested) so that they deny all access. Register the override after the CMS services (for example after AddCms()) so that it replaces the default policies rather than being replaced by them:

// Startup.ConfigureServices: a missing "PublicFront" setting is treated as true (fail closed)
var publicFront = _configuration.GetValue<bool?>("PublicFront");
if (publicFront.GetValueOrDefault(true))
{   // braces are required: without them only the first policy would be conditional
    services.Configure<AuthorizationOptions>(o => o.AddPolicy(CmsPolicyNames.CmsAdmin, b => b.RequireAssertion(c => false)));
    services.Configure<AuthorizationOptions>(o => o.AddPolicy(CmsPolicyNames.CmsEdit, b => b.RequireAssertion(c => false)));
}
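As an added example (not code from the Optimizely documentation or product), the same override placed in a complete Startup class, so that the public front server denies the UI while the internal editing server, running the same build with "PublicFront": false, is left untouched. The using directives (EPiServer.Authorization for CmsPolicyNames, EPiServer.Cms.Shell for AddCms) and the IsPublicFront and DenyAll helpers are assumptions made for this example; the PublicFront configuration key is the one the page uses.

```csharp
using EPiServer.Authorization;            // CmsPolicyNames (namespace assumed)
using EPiServer.Cms.Shell;                // AddCms() extension (namespace assumed)
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // CMS registers its own CmsEdit/CmsAdmin policies here; our override must come after it.
        services.AddCms();

        // The flag lives in configuration, e.g. appsettings.Production.json on the public
        // front server: { "PublicFront": true }. The internal edit server sets it to false.
        if (IsPublicFront(_configuration))
        {
            services.Configure<AuthorizationOptions>(o =>
            {
                o.AddPolicy(CmsPolicyNames.CmsAdmin, DenyAll);
                o.AddPolicy(CmsPolicyNames.CmsEdit, DenyAll);
            });
        }
    }

    // Assumed helper (not part of Optimizely): a missing or unparsable value counts as a
    // public front server, so a deployment that forgot the setting fails closed.
    internal static bool IsPublicFront(IConfiguration configuration) =>
        configuration.GetValue<bool?>("PublicFront").GetValueOrDefault(true);

    // A policy that can never be satisfied: the authorization middleware then rejects every
    // edit/admin request (403 for authenticated users, a login challenge for anonymous ones).
    private static void DenyAll(AuthorizationPolicyBuilder builder) =>
        builder.RequireAssertion(_ => false);
}
```

Because the deny-all policy is evaluated per request, it also covers edit and admin resources reached through deep links or bookmarks, not only the UI entry page. Verify the result on the public server by requesting an edit URL while logged in as an editor: the expected response is 403, not the editing interface.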

Securing the editing and administration interfaces

Optimizely CMS lets you relocate the edit and admin folders to custom folder names and serve them on a configurable HTTP port, which makes these sensitive resources harder for an intruder to find. Treat this as defense in depth only: a renamed path can still be discovered, so it does not replace authentication, the policy override described above, or network separation of the editing server.

Renaming the UI Path

  1. Change the UIOptions.EditUrl to a custom path:
    services.Configure<UIOptions>(o => o.EditUrl = new Uri("~/newuipath/CMS/", UriKind.Relative));

    If you want the UI served on a port other than the one the public site runs on, set an absolute URL that includes the host and that port, as shown:

    services.Configure<UIOptions>(o => o.EditUrl = new Uri("https://securehost:8888/newuipath/CMS/", UriKind.Absolute));

    Setting EditUrl to a custom host and port is not recommended for multi-site setups, because each site has its own domain. Consider a separate editing server instead, and remove access to the editing and administration interfaces on the public-facing server.

  2. Change the RootPath for protected modules from ~/EPiServer/ to ~/newuipath/ like:
    services.Configure<ProtectedModuleOptions>(o => o.RootPath = "~/newuipath/");
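Steps 1 and 2 worked through as one extension method (an added example, not Optimizely's own code). It derives both settings from a single path value so that ProtectedModuleOptions.RootPath and UIOptions.EditUrl cannot drift apart, rejects the default EPiServer folder name, and only builds an absolute host/port URL when one is configured. The hypothetical SecureUi configuration section and its keys, and the namespaces assumed for UIOptions and ProtectedModuleOptions, are assumptions made for this example.

```csharp
using System;
using EPiServer.Shell;                    // UIOptions (namespace assumed)
using EPiServer.Shell.Modules;            // ProtectedModuleOptions (namespace assumed)
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class SecureUiPathConfiguration
{
    // Hypothetical configuration section, e.g. in appsettings.json:
    //   "SecureUi": { "Path": "newuipath", "Host": "securehost", "Port": 8888 }
    // Path is the renamed UI root; Host and Port are optional and only make sense
    // for a single-site installation (see the note on multi-site setups above).
    public static IServiceCollection AddRenamedUi(this IServiceCollection services,
                                                  IConfiguration configuration)
    {
        var section = configuration.GetSection("SecureUi");
        var path = section.GetValue<string>("Path")?.Trim('/');

        // Fail fast at startup rather than silently keeping the well-known default folder.
        if (string.IsNullOrEmpty(path) ||
            path.Equals("EPiServer", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                "SecureUi:Path must be set and must not be the default 'EPiServer' folder.");
        }

        var host = section.GetValue<string>("Host");
        var port = section.GetValue<int?>("Port");

        // Step 2: every protected module (edit, admin, add-ons) is served below this root.
        services.Configure<ProtectedModuleOptions>(o => o.RootPath = $"~/{path}/");

        // Step 1: the edit URL must sit under the same root, otherwise the UI links to a
        // location that is not served. A relative URL keeps the UI on the site's own
        // binding; an absolute URL moves it to a dedicated host and port.
        services.Configure<UIOptions>(o =>
        {
            o.EditUrl = string.IsNullOrEmpty(host)
                ? new Uri($"~/{path}/CMS/", UriKind.Relative)
                : new Uri($"https://{host}:{port ?? 443}/{path}/CMS/", UriKind.Absolute);
        });

        return services;
    }
}
```

Call services.AddRenamedUi(_configuration) in ConfigureServices after AddCms(). Leave SecureUi:Host unset for multi-site installations, as recommended above, and always use https in the absolute form so that editor credentials never cross the network in clear text.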

Add support for SSL

Use TLS (HTTPS; still commonly referred to as SSL) to protect the website and/or the UI folder, so that editor credentials and session cookies are never sent in clear text; see the information in the following links:

    Last updated: Sep 28, 2021