Decoupled setup

Describes how to secure the user interfaces against unauthorized access in a solution with physically separated servers (decoupled setup).

General considerations

Consider the following for solutions with physically separated servers:

  • Have separate servers for the user interfaces and the public site, and have the UI server on an internal protected network.
  • Remove access to editing and administration interfaces.
  • Remove access to any custom Edit/Admin plug-ins from the public facing server (for example by removing the files).
  • If you cannot have separate servers, you should have separate bindings in IIS for the public site and the UI, and use SSL on the UI-binding.

Remove access to editing and administration interfaces

The following description shows how to make the edit/admin user interfaces unavailable on a publicly facing server.

One way to block access to edit and admin on the public application is to define the policies CmsPolicyNames.CmsEdit and CmsPolicyNames.CmsAdmin (those policies are checked when edit or admin resources are accessed) so that they do not allow any access, like:

var publicFront = _configuration.GetValue<bool?>("PublicFront");
if (publicFront.GetValueOrDefault(true))
{
    // Public front (also the default when PublicFront is not set): no user can satisfy either policy.
    services.Configure<AuthorizationOptions>(o => o.AddPolicy(CmsPolicyNames.CmsAdmin, b => b.RequireAssertion(c => false)));
    services.Configure<AuthorizationOptions>(o => o.AddPolicy(CmsPolicyNames.CmsEdit, b => b.RequireAssertion(c => false)));
}
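
A stand-alone check of the deny-all configuration above, as an added example (not Optimizely's code): it builds the ASP.NET Core authorization services with PublicFront unset, true and false, and evaluates the admin policy for an authenticated principal that holds the admin role. The policy names, the ExampleAdmins role and the role-based rule used for the internal server are placeholders standing in for CmsPolicyNames.CmsAdmin, CmsPolicyNames.CmsEdit and the site's real authorization rules.

```csharp
// Added example, not Optimizely code. The policy names and role below are
// placeholders standing in for CmsPolicyNames.CmsAdmin / CmsEdit and real roles.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class PublicFrontPolicyCheck
{
    const string AdminPolicy = "example:cmsadmin", EditPolicy = "example:cmsedit";

    public static IServiceProvider Build(Dictionary<string, string?> settings)
    {
        var configuration = new ConfigurationBuilder().AddInMemoryCollection(settings).Build();
        var services = new ServiceCollection();
        services.AddLogging();            // the authorization service needs a logger
        services.AddAuthorizationCore();
        // Fail closed: a missing PublicFront setting is treated as a public front.
        var publicFront = configuration.GetValue<bool?>("PublicFront");
        services.Configure<AuthorizationOptions>(o =>
        {
            foreach (var name in new[] { AdminPolicy, EditPolicy })
                if (publicFront.GetValueOrDefault(true))
                    o.AddPolicy(name, b => b.RequireAssertion(_ => false)); // nobody passes
                else
                    o.AddPolicy(name, b => b.RequireRole("ExampleAdmins")); // assumed internal rule
        });
        return services.BuildServiceProvider();
    }

    public static async Task Main()
    {
        // Constructed principal: authenticated and in the admin role.
        var admin = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Role, "ExampleAdmins") }, "constructed"));
        foreach (var value in new string?[] { null, "true", "false" })
        {
            var settings = new Dictionary<string, string?>();
            if (value != null) settings["PublicFront"] = value;
            var auth = Build(settings).GetRequiredService<IAuthorizationService>();
            var result = await auth.AuthorizeAsync(admin, AdminPolicy);
            Console.WriteLine($"PublicFront={value ?? "(unset)"}: admin allowed = {result.Succeeded}");
        }
    }
}
```

The admin principal is allowed only when PublicFront is explicitly set to false; with the setting missing or true, the policy rejects every caller regardless of role.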

Secure the editing and administration interfaces

Optimizely Content Management System (CMS) allows relocation of the edit and admin folders to custom folder names and configurable HTTP ports, to make it harder for intruders to try to access sensitive resources.

Renaming the UI Path

  1. Change the UIOptions.EditUrl to a custom path:

    services.Configure<UIOptions>(o => o.EditUrl = new Uri("~/newuipath/CMS/", UriKind.Relative));

    If you want to serve the UI on a port other than the one the site is running on, specify an absolute URL that includes that port (a port other than 80, or other than the port the application is running on) as shown.

    services.Configure<UIOptions>(o => o.EditUrl = new Uri("https://securehost:8888/newuipath/CMS/", UriKind.Absolute));

    Setting uiUrl to a custom host and port is not recommended for multi-site setups since each site has custom domains. Consider having a separate editing server instead, and remove access to the editing and administration interfaces on the publicly facing server.

  2. Change the RootPath for protected modules from ~/EPiServer/ to ~/newuipath/ like:

    services.Configure<ProtectedModuleOptions>(o => o.RootPath = "~/newuipath/");

Add support for SSL

Use SSL (Secure Sockets Layer) to secure the website and/or UI folder; see How to Set Up SSL on IIS 7 or later.