Dev GuideAPI ReferenceUser Guide
HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideGitHubNuGetDev CommunityDoc feedbackLog In
GitHubNuGetDev CommunityDoc feedback

Note

This article pertains to the Optimizely Content Management System (CMS) 11/Optimizely Customized Commerce 13 versions. For CMS 12/Customized Commerce 14, see [this article](🔗).

## Configure restrictions

Customers often want to add security to their solution by restricting access to environments or views; for example, locking down environments such as _Integration_ and _Preproduction_, or specific interfaces such as the edit or admin view. Access is limited based on a particular or range of IP addresses.

Also, it is common to have a different restrictions in the different environments, such as _Production_ having different settings than _Integration_. 

You can create restrictions by blocking a hostname, and by adding specific IPs to the allow list for your Web App environment in the _web.config_. You can do this for multiple environments in the same _web.config_ by assigning specific rules for each domain, or you can use [Environment configuration transforms](🔗) to achieve different configurations in different environments.

Only the IPs of the CDN nodes are visible to this feature. Therefore, you cannot use IP restrictions to restrict access to environment or views because traffic to the Web Apps flows through the CDN. You can restrict access to environment or views by using rewrite rules instead, which provide more flexibility.

### Settings

  • HTTP\_HOST – The hostname of your Web App as entered by the user browsing it, such as **mywebapp.dxcloud.episerver.net** or **www. mydxcsite.com**. The HTTP\_HOST supports matching by pattern.

    Note

    An added pattern must match all enabled hostnames for the site, not just the Web App name, if you want to make sure the rule covers all the URLs.

  • HTTP\_True\_Client\_IP – The originating IP address of a client connecting to your site through the CDN. Supports matching by pattern.

You can use any server variable or HTTP header when you create these rules. For information about matching the different parts of a URL with these rules, see [Access URL parts from a rewrite rule](🔗) in Microsoft's _URL Rewrite Module Configuration Reference_.

### Example 1: Restrict access to two hosts

The following example restricts access to the two hosts listed (_custom12a3binte.dxcloud.optimizely.net_ and _custom12a3bprep.dxcloud.optimizely.net_) to the specified IP (88.250.74.6) if added to the \<system.webServer> section of _web.config_:


Note
If you want to make sure that no one can access any of these sites, you need to make sure they have no other host names added to them.
A DXP Service site has one default hostname that is accessible from the Internet; for example:

You also need to add any other domains, like `www.mydxcsite.com`, if the rule should cover that also. Because patterns are supported, `prep\\.|-slot\\.` would be a valid pattern for the default hostnames `custom12a3bprep.dxcloud.optimizely.net` and `custom12a3bprep-slot.dxcloud.optimizely.net`.
Note
If the slot-address is blocked, it will prolong the deployment time and prevent manual validation of the slot before go live(s).
### Example 2: Restrict access to hostnames matching patterns
This following example restricts access to all hostnames matching the patterns in the first rule (`\*inte.\*` and \*prep.\*`) to the specified IP **(88.250.74.6)** and the URL `/episerver` for the hostnames `[www.mydxcsite.com\`](🔗) and any hostname that matches the `\*prod.\*` pattern to the specified IP **(88.250.74.6)** if added to the \<system.webServer> section of `web.config`: