IP and HTTP permissions

The IP and HTTP method configuration defines which IP addresses are allowed to access an author or public instance. If an IP address that is not configured attempts to access the instance, it is denied access.

The filtering also verifies the HTTP methods that the IP address can use when accessing the instance. If an allowed IP address attempts to access the instance using an HTTP method that is not configured, it is denied access.

IP and HTTP method configuration is done via magnolia.server.ipSecurityRules in the MicroProfile Config.

MicroProfile Config
magnolia.server.ipSecurityRules[0].ip=*
magnolia.server.ipSecurityRules[0].methods[0]=GET
magnolia.server.ipSecurityRules[0].methods[1]=POST
magnolia.server.ipSecurityRules[1].ip=127.0.0.1
magnolia.server.ipSecurityRules[1].methods[0]=GET
magnolia.server.ipSecurityRules[1].methods[1]=POST

In the example above, each magnolia.server.ipSecurityRules[<ARRAY_INDEX>] is a rule. You can add any number of rules under magnolia.server.ipSecurityRules. Each rule must have ip and methods properties.

The ip property’s value can be:

  • The * wildcard character, meaning any IP address is allowed.

  • A single IP address, for example 192.168.100.0.

  • A block of IP addresses described using the CIDR (slash) notation, for example 192.168.100.0/22, representing the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.

The methods property can list multiple HTTP methods: add one methods row per method. Any valid HTTP method can be included in the list.

To create a rule:

  1. Add a new ip configuration line magnolia.server.ipSecurityRules[<ARRAY_INDEX>].ip in the MicroProfile Config.

  2. Add magnolia.server.ipSecurityRules[<ARRAY_INDEX>].methods[<METHOD_INDEX>] property rows below the IP line.

  3. Set the value of the ip property.

  4. Set the methods property value(s) to HTTP methods.

To apply changes to a running instance’s configuration, restart the instance. Because the IpSecurityManager configuration is externalized to the MicroProfile Config and does not rely on JCR accessibility, there is no risk of lockout.

You can also allow HEAD methods. HEAD, PUT and DELETE are typically used by services such as the WebDAV or REST modules. This makes it possible to use other tools to edit content on the author instance or to integrate other applications on the public instance.
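
A check to run on a rule file before restarting the instance, as an added example that is not part of the Magnolia documentation or code: it parses the magnolia.server.ipSecurityRules properties described above and reports rules missing ip or methods, ip values that are not *, an address or a CIDR block, wildcard rules that permit state-changing methods, and the size of each CIDR block. The function names, the WRITE_METHODS set and the sample input are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample input: rules in the page's format, one of them incomplete.
SAMPLE = """\
magnolia.server.ipSecurityRules[0].ip=*
magnolia.server.ipSecurityRules[0].methods[0]=GET
magnolia.server.ipSecurityRules[0].methods[1]=POST
magnolia.server.ipSecurityRules[1].ip=192.168.100.0/22
magnolia.server.ipSecurityRules[1].methods[0]=GET
magnolia.server.ipSecurityRules[2].ip=10.0.0.300
"""

KEY = re.compile(r"^[ \t]*magnolia\.server\.ipSecurityRules\[(\d+)\]\.(ip|methods)(?:\[\d+\])?=(.*)$", re.M)
# Assumption: which methods count as state-changing is this script's policy choice.
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


def parse_rules(text):
    """Group property lines into {index: {"ip": str or None, "methods": [str]}}."""
    rules = {}
    for idx, prop, value in KEY.findall(text):
        rule = rules.setdefault(int(idx), {"ip": None, "methods": []})
        if prop == "ip":
            rule["ip"] = value.strip()
        else:
            rule["methods"].append(value.strip().upper())
    return rules


def audit(text):
    """Return (rule_index, finding) pairs for rules a reviewer should look at."""
    findings = []
    for idx, rule in sorted(parse_rules(text).items()):
        ip, methods = rule["ip"], rule["methods"]
        if ip is None or not methods:
            findings.append((idx, "rule must have both ip and methods"))
        if ip == "*":
            risky = sorted(WRITE_METHODS & set(methods))
            if risky:
                findings.append((idx, "any IP may use " + ",".join(risky)))
        elif ip is not None:
            try:
                net = ipaddress.ip_network(ip, strict=False)
                if net.num_addresses > 1:
                    findings.append((idx, f"{ip} covers {net.num_addresses} addresses"))
            except ValueError:
                findings.append((idx, f"{ip!r} is not *, an IP address or a CIDR block"))
    return findings
```

Calling audit(SAMPLE) returns one finding each for rules 0 and 1 and two for rule 2; an empty list means no rule needs review under these checks.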
