Loading...
Area: Episerver Customer-Centric DXP
Applies to versions: Not applicable

Restricting environment access

Recommendations [hide]

This topic describes how to restrict access to the different environments available when working with solutions in Episerver Customer-Centric Digital Experience Platform (DXP). 

Configuring restrictions

Customers often want to add security to their solution by restricting access to environments or views; for example, locking down environments such as Integration and Preproduction, or specific interfaces such as the edit or admin view. Access is limited based on a particular or range of IP addresses.

Also, it is common to have a different restrictions in the different environments, such as Production having different settings than Integration

You can create restrictions by blocking a hostname, and by whitelisting specific IPs for your Web App environment in the web.config. You can do this for multiple environments in the same web.config by assigning specific rules for each domain, or you can use configuration transforms to achieve different configurations in different environments.

Only the IPs of the CDN nodes are visible to this feature. Therefore, you cannot use IP restrictions to restrict access to environment or views because traffic to the Web Apps flows through the CDN. You can restrict access to environment or views by using rewrite rules instead, which provide more flexibility.

Settings

  • HTTP_HOST. The hostname of your Web App as entered by the user browsing it, such as mywebapp.dxcloud.episerver.net or www. mydxcsite.com. The HTTP_HOST supports matching by pattern.

    Note: An added pattern must match all enabled hostnames for the site, not just the Web App name, if you want to make sure the rule covers all the URLs.

  • HTTP_True_Client_IP. The originating IP address of a client connecting to your site through the CDN. Supports matching by pattern.

You can use any server variable or HTTP header when you create these rules. For information about matching the different parts of a URL with these rules, see Accessing URL Parts from a Rewrite Rule in Microsoft's URL Rewrite Module Configuration Reference.

Example 1

The following example restricts access to the two hosts listed (custom12a3binte.dxcloud.episerver.net and custom12a3bprep.dxcloud.episerver.net) to the specified IP (88.250.74.6) if added to the <system.webServer> section of web.config:

<rewrite>
  <rules>
    <rule name="Block unauthorized traffic" stopProcessing="true">
      <match url=".*" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="custom12a3binte\.dxcloud\.episerver\.net|custom12a3bprep\.dxcloud\.episerver\.net" />
        <add input="{HTTP_True_Client_IP}" pattern="^88\.250\.74\.6$" negate="true"/>
      </conditions>
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Site is not accessible" />
    </rule>
  </rules>
</rewrite>

Note: If you want to make sure that no one can access any of these sites, you need to make sure they have no other host names added to them.

A DXP Service site has one default hostname that is accessible from the Internet; for example:

custom12a3bprep.dxcloud.episerver.net
custom12a3bprep-slot.dxcloud.episerver.net (used during deployments)

You also need to add any other domains, like www.mydxcsite.com, if the rule should cover that also. Because patterns are supported, prep\.|-slot\. would be a valid pattern for the default hostnames custom12a3bprep.dxcloud.episerver.net and custom12a3bprep-slot.dxcloud.episerver.net.

Note: If the slot-address is blocked, it will prolong the deployment time and prevent manual validation of the slot before go live(s).

Example 2

This following example restricts access to all hostnames matching the patterns in the first rule (*inte.* and *prep.*) to the specified IP (88.250.74.6) and the URL /episerver for the hostnames www.mydxcsite.com and any hostname that matches the *prod.* pattern to the specified IP (88.250.74.6) if added to the <system.webServer> section of web.config:

<rewrite>
  <rules>
    <rule name="Block unauthorized traffic in integration and preproduction" stopProcessing="true">
      <match url=".*" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="inte\.|prep\." />
        <add input="{HTTP_True_Client_IP}" pattern="^88\.250\.74\.6$" negate="true"/>
      </conditions>
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Site is not accessible" />
    </rule>
    <rule name="Block logins and dashboard in production" stopProcessing="true">
      <match url="login.aspx|/episerver" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="www\.mydxcsite\.com|prod\." />
        <add input="{HTTP_True_Client_IP}" pattern="^88\.250\.74\.6$" negate="true"/>
      </conditions>
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Site is not accessible" />
    </rule>
  </rules>
</rewrite>

Related topics

Do you find this information helpful? Please log in to provide feedback.

Last updated: Apr 02, 2020

Recommendations [hide]