Blacklist or whitelist IP addresses

How to get very granular control over which IP addresses can access your application

Access Control

By default anyone can access your WEM application. However, this is not always desirable. Some examples:

  • you may want to do acceptance testing in the staging area, but limit access only to people within your organization;

  • you want to block specific IP addresses from accessing your application;

  • your application is only available to certain people or organizations;

  • etc.

All of this can be controlled.

To reach the access control functionality, open the project settings page. There you will find the Access control rules option in the toolbar. When Access control rules is selected, you are presented with a list of all defined access control rules that apply to your application. Here you can add, delete and edit access control rules. You can specify individual IP addresses or ranges of IP addresses that you want to whitelist or blacklist (allow access or deny access), and you can even specify whether a rule should apply to, for example, page requests or OData requests. In other words: you have fine-grained control over access to your application.

It is important to understand that a rule with a higher priority takes precedence over rules with a lower priority, so the order of the rules is crucial: the higher a rule is in the list, the higher its priority. By default, everyone has access to the application.

When you create a rule, you have the following options:

  • Name – The name you want to give the rule.

  • Start IP address – The start of an IP range (inclusive).

  • End IP address – The end of an IP range (inclusive).

  • Mode – This is either Allow access or Deny access. This applies to the specified IP range, so here you specify whether the IP addresses are allowed to access the application or not.

  • Portal (optional) – By default the rule applies to all portals. However, you can limit this rule to a specific portal.

  • Runtime mode – Possible values: All runtime modes, Preview, Staging and Live. When specified, this rule only applies to the specified runtime mode.

  • Endpoints – Possible values: All, Page requests, Webservices, Odata.

Since the default allows access to everyone, adding rules to restrict access for certain IP ranges is basically blacklisting these addresses.

A common scenario would be to grant access to a limited list of known IP-addresses. To accomplish this, you need to add rules that specify the IP ranges that should be allowed access. Finally, you need to add a rule that denies access to everyone (else). But remember: the order of the rules is important!

So, to set up a plan in which only some IP addresses or IP ranges are allowed access and all others are denied, make sure that:

  1. there is at least one rule that denies access, and it is the last rule in the list;

  2. all Allow rules are placed before the Deny all rule.

Without a deny rule, everyone has access. With a deny-all rule, every rule that comes after it has no effect.
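The ordering behaviour described above, as an added example (not WEM's own code): a small evaluator that walks the rule list top to bottom and lets the first matching rule decide, with the documented default of allowing access when nothing matches. The rule fields mirror the options listed above; the "first match wins" semantics, the field names and the rule set (built from documentation IP ranges) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    start_ip: str                            # start of the IP range (inclusive)
    end_ip: str                              # end of the IP range (inclusive)
    mode: str                                # "Allow access" or "Deny access"
    portal: str = ""                         # "" = applies to all portals
    runtime_mode: str = "All runtime modes"  # or Preview / Staging / Live
    endpoints: str = "All"                   # or Page requests / Webservices / Odata

    def matches(self, ip, portal, runtime_mode, endpoint):
        addr = ipaddress.ip_address(ip)
        lo, hi = ipaddress.ip_address(self.start_ip), ipaddress.ip_address(self.end_ip)
        if addr.version != lo.version or not (lo <= addr <= hi):
            return False
        if self.portal and self.portal != portal:
            return False
        if self.runtime_mode != "All runtime modes" and self.runtime_mode != runtime_mode:
            return False
        return self.endpoints == "All" or self.endpoints == endpoint

def is_allowed(rules, ip, portal="main", runtime_mode="Live", endpoint="Page requests"):
    """Rules are listed highest priority first; the first match decides. No match = allowed."""
    for rule in rules:
        if rule.matches(ip, portal, runtime_mode, endpoint):
            return rule.mode == "Allow access"
    return True

def unreachable_rules(rules):
    """Names of rules listed below a catch-all deny; they can never take effect."""
    for i, rule in enumerate(rules):
        catch_all = (rule.start_ip == "0.0.0.0" and rule.end_ip == "255.255.255.255"
                     and rule.portal == "" and rule.runtime_mode == "All runtime modes"
                     and rule.endpoints == "All")
        if rule.mode == "Deny access" and catch_all:
            return [r.name for r in rules[i + 1:]]
    return []

# Constructed rule set (documentation ranges): allow known addresses, then deny everyone else.
OFFICE_ONLY = [
    Rule("Office", "203.0.113.0", "203.0.113.255", "Allow access"),
    Rule("Staging testers", "198.51.100.10", "198.51.100.20", "Allow access", runtime_mode="Staging"),
    Rule("Partner OData", "198.51.100.50", "198.51.100.50", "Allow access", endpoints="Odata"),
    Rule("Deny all", "0.0.0.0", "255.255.255.255", "Deny access"),
]
# Same rules with the deny-all rule moved to the top: every allow rule below it is dead.
MISORDERED = [OFFICE_ONLY[-1]] + OFFICE_ONLY[:-1]
```

Running `unreachable_rules` over a rule list before saving it is a cheap way to catch the misordering the text warns about.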
