1 Introduction
Your app is accessible over the internet - but you may not want everyone to be able to access it. By configuring access restrictions, you have fine-grained control over external access to your application.
You can apply restrictions to the top level of the application URL (/), and also to more specific paths (for example, /ws/ or /odata/). This allows you to, for example, open up web services without giving general users access to the app itself. Presets are available to simplify common requirements, such as allowing or denying all access. In addition, custom profiles can be created using IP range filters and client certificate authorities (CAs).
2 Access Restriction Profiles
You can specify a number of different access restriction profiles for your application. You can give each of these a name so that you can describe its purpose.
Click New to create a new access restriction profile. Select an existing profile and click Edit to modify it, or Delete to delete it. You can also click Clone to make a copy of an existing profile.
See below for information on setting up access restriction profiles for Mendix Cloud v4 and v3.
When configuring an access restriction profile, you need to bear the following things in mind:
- Access restriction profiles are configured at the application level and they can be reused in all the environments (test, acceptance, production) of an app
- Access restriction profiles can contain any number of IPv4 address ranges, client CAs, or both
- If an access restriction profile contains both IP address ranges and client CAs, then any match on either the IP range or the client certificate will grant access
2.1 Access Restriction Profiles for Mendix Cloud V4
When you create a new access restriction profile, you will first be asked to enter the name of your profile.
Once your profile has a name, or if you are editing an existing profile, you will see the access restriction profile editing page.
Add IP ranges and certificate profiles as described below, then click Save to save the access restriction profile.
2.1.1 Changing the Profile Name
To change the name of your access restriction profile, click the Edit icon next to the name of the profile and enter the new name.
2.1.2 Specifying TLS Client Certificate Verification
Click Create to create a new certificate profile, or select an existing profile and click Edit. If you are creating a new certificate profile, you will first be asked to enter the name of your profile. You can also delete an existing certificate profile by selecting a profile and clicking Delete.
To change the name of a certificate profile, click the Edit icon next to the name and enter the new name.
Upload your CA from a file in .pem format by clicking Upload Certificate Authority. Alternatively, click Enter Manually to open an editor where you can paste your CA.
Your CA must contain a single root certificate and can have multiple intermediate certificates. It should not contain client certificates.
Once the CA is uploaded, you will see a tree containing the root certificate and any intermediate certificates included in the CA. When you upload a CA, the last certificate in the CA will be selected by default.
Select the check box next to each intermediate or root certificate you want to use. Client certificates will be accepted if they are signed by any checked certificate. If more than one certificate in a branch is checked (for example the root certificate and an intermediate certificate) the client certificate will be accepted if it is signed by any of the checked certificates.
If you do not select any certificates then all the certificates will be valid.
Click Save to save the current certificate profile.
2.1.3 Specifying IP Ranges
You can specify a number of different IP ranges. Click New to add a new one, or use the Edit or Delete button to modify an existing IP range.
For each IP range, you can specify a Name for the range, and a range of addresses. Mendix Cloud v4 supports both IPv4 and IPv6 format addresses.
2.2 Access Restriction Profiles for Mendix Cloud V3
Our Mendix Cloud V3 is deprecated, currently in a grace period, and will be retired at the beginning of Q3 2021. To continue running your licensed Mendix application on the Mendix Cloud, you need to migrate your app to Mendix Cloud V4. To learn more about Mendix Cloud V4 and how to migrate from Mendix Cloud V3, please visit the following page: Migrate to Mendix Cloud V4.
For Mendix Cloud v3, you have fewer options for setting up an access restriction profile.
2.2.1 Changing the Profile Name
You can change the profile name by typing a new name into the Description field.
2.2.2 Specifying IP Ranges
You can specify a number of different IP ranges. Click New to add a new one, or use the Edit or Delete button to modify an existing IP range.
The IP range filter option is not available in Mendix Cloud v3 environments hosted outside the Netherlands
For each IP range, you can specify a Name for the range, and a range of addresses. Mendix Cloud v3 supports both IPv4 or IPv6 format addresses.
2.2.3 Specifying TLS Client Certificate Verification
For Mendix Cloud v3, you can only specify one CA for your access restriction profile.
The client certificate CA in all active profiles must be identical (in other words, it is only possible to use a single CA for the entire application environment).
Only Root CA verification is supported. Any client certificate with a valid path to the Root CA will be allowed access. Certificate mapping is not supported.
Click Upload to upload a new client CA , or click Edit or Delete to modify the existing one.
Copy and paste your CA into the editor. It is not possible to create the CA by uploading a file.
3 Applying a Restriction to an Application Environment
To apply a restriction to a specific application environment, follow these steps:
Open the Environment page for your app in the Developer Portal.
Click the Details of the desired environment.
Go to the Network tab.
The section Path Based Access Restrictions allows for applying access restrictions to a single environment.
- The top level path
/restricts access to the entire application - The settings for specific paths override the implicitly inherited profile for the top level
- Besides being able to apply a customized access restriction profile, there are also presets available for simply allowing or denying all access
3.1 Default Settings
These are the default settings:
- When deploying a deployment package to an environment using the Deploy or Transport functionality, paths representing known functionality in the Mendix version that is used will automatically be added to the list of paths
- All paths ending in
-docwill have a preset Deny all access profile set by default - All the remaining paths will have no restriction applied by default
4 Use Cases for Access Restrictions
The two scenarios in which you can use access restrictions are described below.
4.1 Example Scenario 1 – Restricting Access Based on an IP Range
An example scenario in which a basic IP range restriction could be used is when an app running in the Mendix Cloud is only to be accessed from a single office. The interactive web browser interface of the app should only be accessible to employees in the office of the company running the app. From the rest of the internet, the login screen of the application should not even be visible.
To restrict access to the app to an IP range, follow these steps:
Go to the Developer Portal and select your app.
Go to the Access Restriction Profiles tab of the Environments page.
Create an access restriction profile.
Add one or more IP ranges to the access restriction profile.
Save the access restriction profile.
Go to the Deploy tab of the Environments page, and click the Details of the desired environment.
Select the Network tab of an application environment.
Edit the top level path
/.Any path below this path which does not have an explicit restriction will inherit this access restriction profile.Select Custom Profile for Client Certificates and/or IP ranges as the New Restriction Type.
Select your access restriction profile as the New Restriction Profile, and Save it.
4.2 Example Scenario 2 – Back-End Administration with Third-Party Web Service Integrations
This second scenario is an extended version of the first scenario.
The app that was protected with the IP range restriction now starts to provide web service integrations that will be called by third-parties. Since an IP range restriction is in place, the web service endpoints are not reachable by external parties.
By adding an additional access restriction profile and applying it to the /ws/ path only, you can specifically grant access to the web service endpoints.
Additionally, the company has decided to use TLS client certificates so they do not have to manage lists of IP ranges for each external third party.
To add this additional access restriction profile, follow these steps:
Go to the Access Restriction Profiles tab of the Environments page.
Create a New access restriction profile.
Upload the certificate of the internal CA that is used to sign the client certificates.
Save the new access restriction profile.
Go to the Deploy tab of the Environments page, and click the Details of the desired environment.
Select the Network tab of an application environment.
Edit the
/ws/path of the environment to apply the new access restriction profile. For the selected path (/ws/), the default profile (for the top level/) will now be overridden.
If the /ws/ path should still be reachable from the office location without using a client certificate, then add the IP ranges of the office location to the profile used for /ws/.