Restrict Access for Incoming Requests

Last modified: August 30, 2024

Introduction

Your app is accessible over the internet—but you may not want everyone to be able to access it. For fine-grained control over external access to your application, configure the access restrictions.

You can apply restrictions to the top level of the application URL (/). You can also apply restrictions to more specific paths (such as /ws/ or /odata/). This allows you to, for example, open up web services without giving general users access to the app itself. Presets are available to simplify common requirements, such as allowing or denying all access. In addition, custom profiles can be created using IP range filters and client certificate authorities (CAs).

Access Restriction Profiles

You can specify multiple different access restriction profiles for your application. You can give each of these a name that describes its purpose.

Click New to create a new access restriction profile. Select an existing profile and click Edit to modify it, Clone to copy it, or Delete to delete it.

The Access Restriction Profiles tab

When configuring an access restriction profile, keep the following considerations in mind:

  • Access restriction profiles are configured at the application level. They can be reused in all the environments (test, acceptance, production) of an app.
  • Access restriction profiles can contain any number of IPv4 address ranges, client CAs, or both.
  • If an access restriction profile contains both IP address ranges and client CAs, then any match on either the IP range or the client certificate will grant access.

Configuring Access Restriction Profiles

To view the page where you can configure an access restriction profile, click New to create a new profile or Edit to modify an existing profile.

The access restriction profile editing page

Add IP ranges and certificate profiles as described below, then click Save to save the access restriction profile.

Changing the Profile Name

To change the name of your access restriction profile, click Edit next to the name of the profile and enter the new name.

Specifying TLS Client Certificate Verification

Click Create to create a new TLS certificate profile, or select an existing profile and click Edit. If you are creating a new certificate profile, you will first be asked to enter the name of your profile. You can also delete an existing certificate profile by selecting a profile and clicking Delete.

To change the name of a certificate profile, click Edit next to the name and enter the new name.

Upload your CA from a file in PEM format by clicking Upload Certificate Authority. Alternatively, click Enter Manually to open an editor where you can paste your CA.

Once the CA is uploaded, you will see a tree containing the root certificate and any intermediate certificates included in the CA. When you upload a CA, the last certificate in the CA will be selected by default.

Certificate authority profile

Select the checkbox next to each intermediate or root certificate you want to use. Client certificates will be accepted if they are signed by any selected certificate. If you select more than one certificate in a branch, the client certificate will be accepted if it is signed by any of the selected certificates.

Click Save to save the current certificate profile.

Specifying IP Ranges

You can specify a number of different IP ranges. Click Create to add a new IP range, or use Edit or Delete to modify an existing IP range.

For each IP range, you can specify a Name for the range and a range of addresses. Mendix Cloud supports both IPv4 and IPv6 format addresses.

Edit IP Range dialog box

Applying a Restriction to an Application Environment

To apply a restriction to a specific application environment, follow these steps:

  1. From Apps, go to the app’s Environments page.
  2. Click Details ( ) on the desired environment.
  3. Go to the Network tab.
  4. The Path Based Access Restrictions section allows for applying access restrictions to a single environment.

Default Settings

These are the default settings:

  • When deploying a deployment package to an environment using the Deploy or Transport functionality, paths representing known functionality in the Mendix version that is used are automatically added to the list of paths
  • All paths ending in -doc have a preset Deny all access profile set by default
  • All the remaining paths have no restriction applied by default

Use Cases for Access Restrictions

Two scenarios in which you can use access restrictions are described below.

Example Scenario 1 – Restricting Access Based on an IP Range

Consider this example scenario in which a basic IP range restriction could be used: You have an app running in Mendix Cloud that is only to be accessed from a single office. The interactive web browser interface of the app should only be accessible to employees in the office of the company running the app. From the rest of the internet, the login screen of the application should not even be visible.

To restrict access to the app to an IP range, follow these steps:

  1. From Apps, go to the app’s Environments page.

  2. Switch to the Access Restriction Profiles tab.

    The Access Restriction Profiles tab
  3. Create an access restriction profile.

  4. Add one or more IP ranges to the access restriction profile.

    IP ranges added to the access restriction profile
  5. Save the access restriction profile.

  6. Go to the Deploy tab of the Environments page. Click Details ( ) on the desired environment.

  7. Switch to the Network tab.

  8. Select the top-level path (/) and click Edit.

    The Edit Path Range Access Restriction dialog box
  9. Select Custom Profile for Client Certificates and/or IP ranges as the New Restriction Type.

  10. Select your access restriction profile as the New Restriction Profile, and save it.

Example Scenario 2 – Back-End Administration with Third-Party Web Service Integrations

This second scenario is an extended version of the first scenario.

The app that was protected with the IP range restriction now starts to provide web service integrations that will be called by third parties. Because an IP range restriction is in place, the web service endpoints are not reachable by external parties.

By adding an additional access restriction profile and applying it to only the /ws/ path, you can specifically grant access to the web service endpoints.

Additionally, the company has decided to use TLS client certificates so they do not have to manage lists of IP ranges for each external third party.

To add this additional access restriction profile, follow these steps:

  1. Go to the Access Restriction Profiles tab of the Environments page.

    The Access Restriction Profiles tab
  2. Create a new access restriction profile.

  3. Upload the certificate of the internal CA that is used to sign the client certificates.

  4. Save the new access restriction profile.

  5. Go to the Deploy tab of the Environments page. Click Details ( ) on the desired environment.

  6. Switch to the Network tab.

  7. Edit the /ws/ path of the environment to apply the new access restriction profile. This overrides the default profile (for the top level /) for the selected path (/ws/).

    The Edit Path Range Access Restriction dialog box

Read More