Decoupled setup
Describes how to secure the user interfaces to prevent unauthorized users to access, for a solution with physical separation of servers (decoupled setup).
General considerations
Consider the following for solutions with physically separated servers:
- Have separate servers for the user interfaces and the public site, and have the UI server on an internal protected network.
- Remove access to editing and administration interfaces.
- Remove access to any custom Edit and Admin plug-ins from the public-facing server (for example, by removing the files).
- If you cannot have separate servers, you should have separate bindings in IIS for the public site and the UI and use SSL on the UI binding.
Remove access to editing and administration interfaces
The following description shows how to make the edit or admin user interfaces unavailable on a publicly-facing server.
One alternative to block access to edit and admin on the public application is to define the policies CmsPolicyNames.CmsEdit
and CmsPolicyNames.CmsAdmin
(those policies are checked when edit or admin resources are accessed) so that does not allow any access, like:
var publicFront = _configuration.GetValue<bool ?> ("PublicFront");
if (publicFront.GetValueOrDefault(true)) {
services.Configure<AuthorizationOptions>(o => o.AddPolicy(CmsPolicyNames.CmsAdmin, b => b.RequireAssertion(c => false)));
services.Configure<AuthorizationOptions>(o => o.AddPolicy(CmsPolicyNames.CmsEdit, b => b.RequireAssertion(c => false)));
}
Secure the editing and administration interfaces
Optimizely Content Management System (CMS) allows relocation of the edit and admin folders to custom folder names and configurable HTTP ports, to make it harder for intruders to try to access sensitive resources.
Renaming the UI Path
-
Change the
UIOptions.EditUrl
to a custom path:services.Configure<UIOptions>(o => o.EditUrl = new Uri("~/newuipath/CMS/", UriKind.Relative));
If you want to secure the UI location on another port other than that the site is running on add an absolute URL, including a port other than 80 (or a port the application is running on), as shown.
services.Configure<UIOptions>(o => o.EditUrl = new Uri("https://securehost:8888/newuipath/CMS/", UriKind.Absolute));
SettingÂ
uiUrl
 to a custom host and port is not recommended for multi-site setups because each site has custom domains. Consider having a separate editing server instead and remove access to editing and administration interfaces on a publicly-facing server. -
Change the
RootPath
for protected modules from~/EPiServer/
 toÂ~/newuipath/
like:services.Configure<ProtectedModuleOptions>(o => o.RootPath = "~/newuipath/");
Add support for SSL
UseSecure Sockets Layer (SSL)Â to secure the website or UI folder; see How to Set Up SSL on IIS 7 or later.
Updated 7 months ago