Restrict Access for Incoming Requests

Last update: Edit

1 Introduction

Your app is accessible over the internet - but you may not want everyone to be able to access it. By configuring access restrictions, you have fine-grained control over external access to your application.

You can apply restrictions to the top level of the application URL (/), and also to more specific paths (for example, /ws/ or /odata/). This allows you to, for example, open up web services without giving general users access to the app itself. Presets are available to simplify common requirements, such as allowing or denying all access. In addition, custom profiles can be created using IP range filters and client certificate authorities (CAs).

2 Access Restriction Profiles

You can specify a number of different access restriction profiles for your application. You can give each of these a name so that you can describe its purpose.

Click New to create a new access restriction profile. Select an existing profile and click Edit to modify it, or Delete to delete it. You can also click Clone to make a copy of an existing profile.

See below for information on setting up access restriction profiles for Mendix Cloud v4 and v3.

When configuring an access restriction profile, you need to bear the following things in mind:

  • Access restriction profiles are configured at the application level and they can be reused in all the environments (test, acceptance, production) of an app
  • Access restriction profiles can contain any number of IPv4 address ranges, client CAs, or both
  • If an access restriction profile contains both IP address ranges and client CAs, then any match on either the IP range or the client certificate will grant access

2.1 Access Restriction Profiles for Mendix Cloud V4

When you create a new access restriction profile, you will first be asked to enter the name of your profile.

Once your profile has a name, or if you are editing an existing profile, you will see the access restriction profile editing page.

Add IP ranges and certificate profiles as described below, then click Save to save the access restriction profile.

2.1.1 Changing the Profile Name

To change the name of your access restriction profile, click the Edit icon next to the name of the profile and enter the new name.

2.1.2 Specifying TLS Client Certificate Verification

Click Create to create a new certificate profile, or select an existing profile and click Edit. If you are creating a new certificate profile, you will first be asked to enter the name of your profile. You can also delete an existing certificate profile by selecting a profile and clicking Delete.

To change the name of a certificate profile, click the Edit icon next to the name and enter the new name.

Upload your CA from a file in .pem format by clicking Upload Certificate Authority. Alternatively, click Enter Manually to open an editor where you can paste your CA.

Once the CA is uploaded, you will see a tree containing the root certificate and any intermediate certificates included in the CA. When you upload a CA, the last certificate in the CA will be selected by default.

Select the check box next to each intermediate or root certificate you want to use. Client certificates will be accepted if they are signed by any checked certificate. If more than one certificate in a branch is checked (for example the root certificate and an intermediate certificate) the client certificate will be accepted if it is signed by any of the checked certificates.

Click Save to save the current certificate profile.

2.1.3 Specifying IP Ranges

You can specify a number of different IP ranges. Click New to add a new one, or use the Edit or Delete button to modify an existing IP range.

For each IP range, you can specify a Name for the range, and a range of addresses. Mendix Cloud v4 supports only IPv4 addresses.

2.2 Access Restriction Profiles for Mendix Cloud V3

For Mendix Cloud v3, you have fewer options for setting up an access restriction profile.

2.2.1 Changing the Profile Name

You can change the profile name by typing a new name into the Description field.

2.2.2 Specifying IP Ranges

You can specify a number of different IP ranges. Click New to add a new one, or use the Edit or Delete button to modify an existing IP range.

For each IP range, you can specify a Name for the range, and a range of addresses. Mendix Cloud v3 supports both IPv4 or IPv6 format addresses.

2.2.3 Specifying TLS Client Certificate Verification

Click Upload to upload a new client CA , or click Edit or Delete to modify the existing one.

Copy and paste your CA into the editor. It is not possible to create the CA by uploading a file.

3 Applying a Restriction to an Application Environment

To apply a restriction to a specific application environment, follow these steps:

  1. Open the Environment page for your app in the Developer Portal.

  2. Click the Details of the desired environment.

  3. Go to the Network tab.

  4. The section Path Based Access Restrictions allows for applying access restrictions to a single environment.

3.1 Default Settings

These are the default settings:

  • When deploying a deployment package to an environment using the Deploy or Transport functionality, paths representing known functionality in the Mendix version that is used will automatically be added to the list of paths
  • All paths ending in -doc will have a preset Deny all access profile set by default
  • All the remaining paths will have no restriction applied by default

4 Use Cases for Access Restrictions

The two scenarios in which you can use access restrictions are described below.

4.1 Example Scenario 1 – Restricting Access Based on an IP Range

An example scenario in which a basic IP range restriction could be used is when an app running in the Mendix Cloud is only to be accessed from a single office. The interactive web browser interface of the app should only be accessible to employees in the office of the company running the app. From the rest of the internet, the login screen of the application should not even be visible.

To restrict access to the app to an IP range, follow these steps:

  1. Go to the Developer Portal and select your app.

  2. Go to the Access Restriction Profiles tab of the Environments page.

  3. Create an access restriction profile.

  4. Add one or more IP ranges to the access restriction profile.

  5. Save the access restriction profile.

  6. Go to the Deploy tab of the Environments page, and click the Details of the desired environment.

  7. Select the Network tab of an application environment.

  8. Edit the top level path /.

  9. Select Custom Profile for Client Certificates and/or IP ranges as the New Restriction Type.

  10. Select your access restriction profile as the New Restriction Profile, and Save it.

4.2 Example Scenario 2 – Backend Administration with Third-Party Web Service Integrations

This second scenario is an extended version of the first scenario.

The app that was protected with the IP range restriction now starts to provide web service integrations that will be called by third-parties. Since an IP range restriction is in place, the web service endpoints are not reachable by external parties.

By adding an additional access restriction profile and applying it to the /ws/ path only, you can specifically grant access to the web service endpoints.

Additionally, the company has decided to use TLS client certificates so they do not have to manage lists of IP ranges for each external third party.

To add this additional access restriction profile, follow these steps:

  1. Go to the Access Restriction Profiles tab of the Environments page.

  2. Create a New access restriction profile.

  3. Upload the certificate of the internal CA that is used to sign the client certificates.

  4. Save the new access restriction profile.

  5. Go to the Deploy tab of the Environments page, and click the Details of the desired environment.

  6. Select the Network tab of an application environment.

  7. Edit the /ws/ path of the environment to apply the new access restriction profile. For the selected path (/ws/), the default profile (for the top level /) will now be overridden.

5 Read More