This free module blocks or restricts access on a per-site basis for Optimizely CMS 12+ solutions hosted on Optimizely DXP. It has the following features:
- Whitelist single IP address per site basis
- Whitelist a range of IP addresses via CIDR per site basis
- Whitelist known paths (e.g. /episerver/health)
Install the add-on NuGet package into your Optimizely CMS web project, then make a two-line code change in your Startup file (see details in the Configuration section). Finally, rebuild and re-run your site; it should work as normal without any noticeable change.
Once the package has been installed and configured, you have a few options to turn on the IP restriction.
Caution:
By default, all sites remain accessible after installing the module. You need to explicitly turn off access for each site via the configuration settings or the Admin UI.
Tips
The appsettings.json configuration always takes precedence over the other options.
Name | Default value | Description |
---|---|---|
AllowByPassLocalRequest | true | Gets or sets the flag that decides whether local requests are allowed access. true by default. |
WhitelistSiteDefinitions | | Gets or sets a list of WhitelistSiteDefinition entries that decide whether a specific site allows access. |
AdminSafeIpList | | Gets or sets a list of IPs (e.g. company VPN IP, static IP) that are allowed to bypass the IpWhitelist module check. |
IgnorePaths | /episerver/health | Gets or sets a list of paths that the IpWhitelist module does not check. ["/episerver/health"] by default. |
Example of configuration
```json
"WhitelistSiteOptions": {
  "AllowByPassLocalRequest": false,
  "WhitelistSiteDefinitions": [
    {
      "SiteId": "e68c3e92-c76c-44c0-9196-338d41611e1c",
      "AllowAccess": true
    }
  ],
  "AdminSafeIpList": ["10.1.1.1"],
  "IgnorePaths": ["/episerver/health"]
}
```
You can control access to a specific site from the General menu.
You can configure and override the values specified in appsettings programmatically by supplying WhitelistSiteOptions:
```csharp
services.AddIpWhitelist(options =>
{
    options.WhitelistSiteDefinitions = new List<WhitelistSiteDefinition>
    {
        new() { SiteId = "e68c3e92-c76c-44c0-9196-338d41611e1c", AllowAccess = false }
    };
    options.AllowByPassLocalRequest = true;
});
```
There are 5 default evaluators that implement the IRequestEvaluator interface. All requests are processed sequentially through each evaluator in priority order, from the highest to the lowest priority.
When a request comes in, the middleware passes it to the DefaultRequestEvaluator engine, which determines whether the request is authorized by running it through each evaluator. It lets the request through as soon as the first evaluator returns true.
Name | Priority | Description |
---|---|---|
LocalRequestEvaluator | 2000 | Checks whether the current request is a local request. It is primarily designed to simplify local development by skipping the restriction. It is the first evaluator executed by the engine. You can disable it by setting AllowByPassLocalRequest to false in appsettings.json. |
EnvironmentByPassEvaluator | 1000 | Checks whether the current request aligns with the value specified in appsettings.json (WhitelistSiteDefinitions) and the Admin UI (General), thereby determining its authorization to access a specific site. |
IgnorePathEvaluator | 900 | Checks whether the current request's resource aligns with the value specified in appsettings.json (IgnorePaths) and the Admin UI (Ignore Path(s)), thereby determining its authorization to access a specific site. |
IpAddressEvaluator | 200 | Checks whether the current request's IP address matches the value specified in appsettings.json (AdminSafeIpList) and the Admin UI (IP(s)), thereby determining its authorization to access a specific site. |
CidrAddressEvaluator | 100 | Checks whether the current request's IP address matches the value specified in the Admin UI (CIDR(s)), thereby determining its authorization to access a specific site. |
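To make the allow-on-first-match order above concrete, here is an added, stand-alone C# sketch; it is not the module's code. `Req`, `Rule` and `Chain` are hypothetical types, and the site names, the CIDR block, the request IPs and the exact-path comparison are assumptions. It runs four constructed requests through the five priorities and prints which evaluator, if any, lets each one through.

```csharp
// Added sketch, not the module's code: Req, Rule and Chain are hypothetical types;
// only the evaluator names and priorities are taken from the table above.
using System;
using System.Linq;
using System.Net;
var openSites = new[] { "site-open" };               // constructed: site with AllowAccess = true
var ignorePaths = new[] { "/episerver/health" };
var safeIps = new[] { IPAddress.Parse("10.1.1.1") };
var cidrs = new[] { "203.0.113.0/24" };              // constructed CIDR entry
var rules = new Rule[]
{
    new("LocalRequestEvaluator", 2000, r => r.IsLocal),
    new("EnvironmentByPassEvaluator", 1000, r => openSites.Contains(r.SiteId)),
    // Exact, case-insensitive path comparison is an assumption of this sketch.
    new("IgnorePathEvaluator", 900, r => ignorePaths.Contains(r.Path, StringComparer.OrdinalIgnoreCase)),
    new("IpAddressEvaluator", 200, r => safeIps.Contains(Chain.Normalize(r.Ip))),
    new("CidrAddressEvaluator", 100, r => cidrs.Any(c => Chain.InCidr(r.Ip, c))),
};
var samples = new Req[]                              // constructed requests
{
    new("site-locked", "/", IPAddress.Parse("198.51.100.7"), false),
    new("site-locked", "/episerver/health", IPAddress.Parse("198.51.100.7"), false),
    new("site-locked", "/", IPAddress.Parse("::ffff:203.0.113.9"), false),
    new("site-open", "/", IPAddress.Parse("198.51.100.7"), false),
};
foreach (var s in samples)
    Console.WriteLine($"{s.SiteId} {s.Path} {s.Ip} -> {Chain.Decide(rules, s)}");

record Req(string SiteId, string Path, IPAddress Ip, bool IsLocal);
record Rule(string Name, int Priority, Func<Req, bool> Allows);
static class Chain
{
    // ASP.NET Core can report IPv4 clients as IPv4-mapped IPv6; compare them as IPv4.
    public static IPAddress Normalize(IPAddress ip) => ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip;
    // True when ip lies inside the CIDR block; malformed or mixed-family input is a non-match.
    public static bool InCidr(IPAddress ip, string cidr)
    {
        var p = cidr.Split('/');
        if (p.Length != 2 || !IPAddress.TryParse(p[0], out var net) || !int.TryParse(p[1], out var bits)) return false;
        byte[] n = net.GetAddressBytes(), a = Normalize(ip).GetAddressBytes();
        if (n.Length != a.Length || bits < 0 || bits > n.Length * 8) return false;
        for (int i = 0; bits > 0; i++, bits -= 8)
            if (((n[i] ^ a[i]) & (bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF)) != 0) return false;
        return true;
    }
    // Highest priority first; the first rule that allows wins, otherwise the request is blocked.
    public static string Decide(Rule[] rules, Req r) =>
        rules.OrderByDescending(x => x.Priority).FirstOrDefault(x => x.Allows(r))?.Name ?? "BLOCKED";
}
```

Because a single evaluator returning true is enough, an ignore path or a site with AllowAccess set to true is reachable from every IP address, whatever the IP and CIDR lists contain.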
After installing the IPWhitelist package in your project, you need to ensure the following lines are added to the Startup class of your solution:
```csharp
public void ConfigureServices(IServiceCollection services)
{
    // .... other services
    services.AddIpWhitelist();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // Add IPWhitelist middleware before any other middleware
    app.UseIpWhitelist();
    // ... other middleware
}
```
The call to services.AddIpWhitelist() sets up the dependency injection required by IPWhitelist to ensure the solution works as intended. This follows the Services Extensions pattern defined by Microsoft.
By default, only users in the CmsAdmins, WebAdmins and Administrators roles can access the Admin UI.
If you would like to use your own custom policy, you can customize it with AuthorizationPolicyBuilder when registering IPWhitelist.
```csharp
services.AddIpWhitelist(builder =>
{
    builder.RequireRole("mycustomrole");
    //builder.AddRequirements()
});
```
The module has extensive logging. Turn on information logging for the IPWhitelist namespace in your logging configuration.
```json
"Logging": {
  "LogLevel": {
    "Default": "Warning",
    "IPWhitelist": "Information" // Add this line
  }
}
```
IPWhitelist is a free module. If you like this module and are keen to support me, you can get me a coffee :)
I plan to add the following features in the future:
- Import / Export IP / CIDR / Ignore Path
- Restrict path(s) by IP / CIDR (e.g. /Util/login)
- Auditing

This module is NOT designed to work with Optimizely CMS 11 or below.