CMS12: Disallow access to CMS UI and Util on front servers (prem)

CMS12: Disallow access to CMS UI and Util on front servers (prem) for real.

Jonas Boman

Vote:

Hi.

Having followed the instructions on https://docs.developers.optimizely.com/content-management-system/docs/decoupled-setup I still have some issues.

Util (login UI) is still accessable. And I am getting some routing errors at initialization when I set an absolute url to different host.
Logging in is possible;
If you somehow could figure out the RootPath (I used a guid for this), CMS UI is not reachable (due to the access restrictions set as per the article mentioned earlier) but addons and Find still accessable.
1. Could I just remove the _Protected folder under modules or do I have to cherry-pick removal of certain folders; such as Find, Visitorgroups and other Add-ons I might have added

Could I remove the login all together?

#331104

Oct 08, 2024 8:54

Binh Nguyen Thi

Vote:

Hi Jonas,

If you want to prevent to access login, edit mode, admin mode completely then I suggest you other simple solution as following:

var publicFront = configuration.GetValue<bool?>("PublicFront");
if (publicFront.GetValueOrDefault(true))
{
    app.Use(async (context, requestDelegate) =>
    {
        if (context.Request.Path.StartsWithSegments("/util", StringComparison.OrdinalIgnoreCase)
        || context.Request.Path.StartsWithSegments("/episerver", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
            await context.Response.WriteAsync("Forbidden: Access Denied");
            return;
        }
        await requestDelegate(context);
    });
}

#331173

Oct 09, 2024 10:59

Jonas Boman - Oct 09, 2024 11:08

Good suggestion, thanks.