Locking Down Integration/Pre-Production

Hi,

In general, what is the best practice for locking down integration and pre-production so that only internal organization users can access both CMS and frontend?

Thanks,
Brian

#312577
Nov 15, 2023 17:54
Hi Brian,

Some of the things you can do:

  1. Implement IP Whitelisting.
  2. I would also recommend making sure you update the robots.txt file so these sites are not crawled, just to be safe.

Hope this helps.

#312579
Edited, Nov 15, 2023 18:47
As a quick workaround, you can remove "Everyone" - "Read" permissions from the pages. Usually it's enough to remove it from the root page, if everything else inherits permissions from it. Doing this will require authentication to access any page.

Any static resources, though, can still be available to anonymous users via direct links, or custom API requests can be configured to be accessed without authorization, etc., so IP whitelisting would be a better solution in the long run.

You can implement a custom solution to require authentication if the site is being accessed via a domain that is not in a list of approved public domains - e.g. require authentication if anyone requests a non-"www." domain. That can be done via app.MapWhen(...) in startup.cs with filtering based on the request hostname.

#312635
Nov 16, 2023 9:26
I assume you meant DXP sites - in that case you can ask the service desk to only allow specific IP ranges to access the site.

#312642
Nov 16, 2023 10:52
We have a custom middleware that will prompt for a pincode in integration and prep (and prod before going live).

Once the correct pincode is entered we use cookies to allow subsequent user requests.

Certain URLs (integration endpoints) and user agents (e.g. DXC automation, Screaming Frog) are allowlisted so that they don't need to authenticate.

Working with IP restrictions can be a bit cumbersome because you probably want to be able to access the site from mobile etc.

For the backoffice we use IP restrictions though (also in middleware).

#312947
Nov 22, 2023 13:02
Thank you for the input! For IP whitelisting, is there a built-in Optimizely CMS12 solution for this, or do I need to "roll my own" using middleware or a third-party NuGet package?

Thanks again!

#313167
Nov 27, 2023 13:52
Not a built-in solution that I'm aware of, but the implementation is pretty straightforward: Client IP safelist for ASP.NET Core | Microsoft Learn

#313168
Nov 27, 2023 14:02
There is an article from Opti on this as well: Restricting environment access

#313169
Nov 27, 2023 14:13
We use a custom middleware within our DXP solutions that requires a user to either be a logged-in CMS user or to have an approved IP address on a CMS-editable IP allowlist. It's essentially an extension of the documentation linked by Siddharth: https://docs.developers.optimizely.com/digital-experience-platform/docs/restricting-environment-access

#313177
Nov 27, 2023 15:17
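An added example (not code from this thread, from Optimizely, or from the linked documentation) of the "logged-in CMS user or allowlisted IP" middleware described in this post, which also covers the allowlisted integration URLs and the "roll my own" middleware question from earlier in the thread. It assumes ASP.NET Core with implicit usings (System, System.Linq, System.Threading.Tasks), that `app` is the WebApplication already built in Program.cs, and that the class name, the paths `/health`, `/api/integration` and `/login`, and the IP addresses are constructed placeholders to be replaced with your own configuration:

```csharp
using System.Net;
using System.Net.Sockets;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
// Registration in Program.cs ("app" is the WebApplication already built there). Order matters:
// resolve X-Forwarded-For first, trusting only the real proxy (otherwise a client can spoof an
// allowlisted IP), then authentication, then the gate. Addresses and paths are constructed samples.
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor,
    KnownProxies = { IPAddress.Parse("203.0.113.10") }            // placeholder: your load balancer / CDN egress
});
app.UseAuthentication();
app.UseMiddleware<EnvironmentAccessMiddleware>(
    new[] { "198.51.100.0/24", "203.0.113.42" },                  // placeholder: office ranges
    new[] { "/health", "/api/integration", "/login" });           // keep the CMS login route open
// Hypothetical middleware: a request passes if its path is open, the user is authenticated
// (logged-in CMS user), or the client IP is inside an allowlisted IPv4 CIDR. Anything else gets 403.
public sealed class EnvironmentAccessMiddleware
{
    private readonly RequestDelegate _next;
    private readonly (uint Net, int Bits)[] _allowed;
    private readonly string[] _openPaths;
    public EnvironmentAccessMiddleware(RequestDelegate next, string[] allowedCidrs, string[] openPaths)
    { _next = next; _openPaths = openPaths; _allowed = allowedCidrs.Select(ParseCidr).ToArray(); }
    public async Task InvokeAsync(HttpContext ctx)
    {
        bool openPath = _openPaths.Any(p => ctx.Request.Path.StartsWithSegments(p, StringComparison.OrdinalIgnoreCase));
        bool cmsUser = ctx.User?.Identity?.IsAuthenticated == true;
        if (openPath || cmsUser || IsAllowedIp(ctx.Connection.RemoteIpAddress)) { await _next(ctx); return; }
        ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
        await ctx.Response.WriteAsync("This environment is restricted.");
    }
    private bool IsAllowedIp(IPAddress? ip)
    {
        if (ip is not null && ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();   // unwrap ::ffff:a.b.c.d
        if (ip is null || ip.AddressFamily != AddressFamily.InterNetwork) return false;
        uint addr = ToUInt32(ip);
        // /0 matches everything; guarded because shifting a uint by 32 wraps to a shift of 0 in C#.
        return _allowed.Any(a => a.Bits == 0 || (addr >> (32 - a.Bits)) == (a.Net >> (32 - a.Bits)));
    }
    private static (uint Net, int Bits) ParseCidr(string cidr)
    {
        var p = cidr.Split('/');
        return (ToUInt32(IPAddress.Parse(p[0])), p.Length == 2 ? int.Parse(p[1]) : 32);
    }
    private static uint ToUInt32(IPAddress ip)
    { var b = ip.GetAddressBytes(); return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3]; }
}
```

If the forwarded-headers step is skipped on DXP or behind any load balancer, RemoteIpAddress is the proxy's address, so the allowlist would either block everyone or, if the proxy IP is added to it, admit everyone.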