IPWhitelist 1.0.0-beta.5
dotnet add package IPWhitelist --version 1.0.0-beta.5
NuGet\Install-Package IPWhitelist -Version 1.0.0-beta.5
<PackageReference Include="IPWhitelist" Version="1.0.0-beta.5" />
paket add IPWhitelist --version 1.0.0-beta.5
#r "nuget: IPWhitelist, 1.0.0-beta.5"
// Install IPWhitelist as a Cake Addin #addin nuget:?package=IPWhitelist&version=1.0.0-beta.5&prerelease // Install IPWhitelist as a Cake Tool #tool nuget:?package=IPWhitelist&version=1.0.0-beta.5&prerelease
IPWhitelist
This free module is designed for blocking/restricting access on a per site basis for Optimizely CMS 12+
solution hosted on Optimizely DXP with the following features
- Whitelist single IP address per site basis
- Whitelist a range of IP addresses via CIDR per site basis
- Whitelist known paths (e.g. /episerver/health)
How to start
Install the add-on nuget package into your Optimizely Cms Web project, then make two lines of code change in your Startup
file (see details in <a href="#configuration">Configuration
</a> section). Finally, rebuild and re-run your site should be working as normal without noticing any change.
How to configure
Once the package has been installed and configured, you have a few options to turn on the IP restriction.
Caution:
By default, all sites are accessible after installing the module, you will need to explicitly turn off access for each site via the configuration settings or Admin UI.
Option 1 - Block site access in appsettings.json
Name | Default value | Description |
---|---|---|
AllowByPassLocalRequest | true | Get or set the flag which decides whether local request should be allowed to access. true by default. |
WhitelistSiteDefinitions | Get or set a list of WhitelistSiteDefinition that are used to decide whether a specific site should allow to access. |
|
AdminSafeIpList | Get or set a list of Ips (e.g. Company's VPN IP, static IP) that allows to bypass the IpWhitelist module check. | |
IgnorePaths | /episerver/health | Get or set a list of paths that allows to ingore the check by IpWhitelist module. ["/episerver/health"] by default. |
Example of configuration
"WhitelistSiteOptions": {
"AllowByPassLocalRequest": false,
"WhitelistSiteDefinitions": [
{
"SiteId": "e68c3e92-c76c-44c0-9196-338d41611e1c",
"AllowAccess": true
}
],
"AdminSafeIpList": ["10.1.1.1"],
"IgnorePaths": ["/episerver/health"]
}
Option 2 - Block site access in Admin UI
You can control a specific site access from General menu (see screenshot below)
Option 3 - Block site access programmatically
You can configure and overrides the value specified in appsettings programmatically by supplying WhitelistSiteOptions
services.AddIpWhitelist(options =>
{
options.WhitelistSiteDefinitions = new List<WhitelistSiteDefinition>
{
new() { SiteId = "e68c3e92-c76c-44c0-9196-338d41611e1c", AllowAccess = false }
};
options.AllowByPassLocalRequest = true;
});
How it works
There are 5 default evaluators that implement IRequestEvaluator
interface. All requests will be processed sequentially through each evaluator based on their priority level, starting from the highest to lowest priority.
When a request is coming, the middleware will pass it onto the DefaultRequestEvaluator
engine which determines the request authorization through each of the evaluator. It will let the request come through as soon as the first evaluator returns true
Name | Priority | Description |
---|---|---|
LocalRequestEvaluator | 2000 | This evaluator is utilized to verify whether the current request coming from local request. It is primarily design to simplify the local development by skipping the restriction. It's the first evaluator gets executed by the engine. You can disable this by setting AllowByPassLocalRequest to false in appsettings.json |
EnvironmentByPassEvaluator | 1000 | This evaluator is utilized to verify whether the current request aligns with the value specified in the appsettings.json - WhitelistSiteDefinitions and the Admin UI - General , thereby determining its authorization to access a specific site. |
IgnorePathEvaluator | 900 | This evaluator is utilized to verify whether the current request's resource aligns with the value specified in the appsettings.json - IgnorePaths and the Admin UI - Ignore Path(s) , thereby determining its authorization to access a specific site. |
IpAddressEvaluator | 200 | This evaluator is utilized to verify whether the current request's IP address matches with the value specified in the appsettings.json - AdminSafeIpList and the Admin UI - IP(s) , thereby determining its authorization to access a specific site. |
CidrAddressEvaluator | 100 | This evaluator is utilized to verify whether the current request's IP address matches the value specified in the Admin UI - CIDR(s) , thereby determining its authorization to access a specific site. |
Configuration
Startup.cs
After installing the package IPWhitelist
in your project, you need to ensure the following lines are added to the startup class of your solution:
public void ConfigureServices(IServiceCollection services)
{
// .... other services
services.AddIpWhitelist();
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
// Add IPWhitelist middleware before any other middleware
app.UseIpWhitelist();
// ... other middleware
}
The call to services.AddIpWhitelist()
sets up the dependency injection required by the IPWhitelist
to ensure the solution works as intended. This works by following the Services Extensions pattern defined by Microsoft.
Module access control
By default, only users in CmsAdmins
, WebAdmins
and Administrators
role can access Admin UI.
If you would like to use you custom policy, you can customize it with AuthorizationPolicyBuilder
when registering the IPWhitelist
.
services.AddIpWhitelist(builder =>
{
builder.RequireRole("mycustomrole");
//builder.AddRequirements()
});
Troubleshooting
The module has extensive logging. Turn on information logging for the IPWhitelist
namespace in your logging configuration.
"Logging": {
"LogLevel": {
"Default": "Warning",
"IPWhitelist":"Information" // Add this line
}
}
Support
IPWhitelist is a free module. If you like this module and keen to support me, you can get me a coffee 😃
<a href="https://www.buymeacoffee.com/javafun"><img src="https://img.buymeacoffee.com/button-api/?text=Buy me a coffee&emoji=☕&slug=javafun&button_colour=FF5F5F&font_colour=ffffff&font_family=Comic&outline_colour=000000&coffee_colour=FFDD00" /></a>
Limitations
- This module is NOT designed to work with
Optimizely CMS 11
or below.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net6.0 is compatible. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
-
net6.0
- EPiServer.CMS.AspNetCore.Mvc (>= 12.4.0 && < 13.0.0)
- EPiServer.CMS.Core (>= 12.4.0 && < 13.0.0)
- EPiServer.CMS.UI.Core (>= 12.4.0 && < 13.0.0)
- Htmx (>= 1.7.0)
- Htmx.TagHelpers (>= 1.7.0)
- X.PagedList (>= 8.4.7)
- X.PagedList.Mvc.Core (>= 8.4.7)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
1.0.0-beta.5 | 2,075 | 3/20/2024 |
1.0.0-beta.4 | 74 | 3/18/2024 |
1.0.0-beta.3 | 67 | 3/12/2024 |
1.0.0-beta.2 | 63 | 3/7/2024 |
1.0.0-beta.1 | 69 | 3/6/2024 |