1 Introduction
Your app is accessible over the internet - but you may not want everyone to be able to access it. By configuring access restrictions, you have fine-grained control over external access to your application.
You can apply restrictions to the top level of the application URL (/), and also to more specific paths (for example, /ws/ or /odata/). This allows you to, for example, open up web services without giving general users access to the app itself. Presets are available to simplify common requirements, such as allowing or denying all access. In addition, custom profiles can be created using IP range filters and a client certificate authority.
2 Access Restriction Profile Concepts
When configuring an access restriction profile, you need to bear the following things in mind:
Access restriction profiles are configured at the application level and they can be reused in all the environments (test, acceptance, production) of an app
Access restriction profiles can contain any number of IPv4 and IPv6 address ranges, a client certificate authority, or both
If an access restriction profile contains both IP address ranges and a client certificate authority, then any match on either the IP range or the client certificate will grant access
Known Limitations
The IP range filter option is not available in Mendix Cloud v3 environments hosted outside the Netherlands
When using client certificate restrictions, the client certificate Certificate Authority (CA) in all active profiles must be identical (in other words, it is only possible to use a single CA for the entire application environment)
3 Applying a Restriction to an Application Environment
To apply a restriction to a specific application environment, follow these steps:
Open the Environment page for your app in the Developer Portal.
Click the Details of the desired environment.
Go to the Network tab.
The section Path Based Access Restrictions allows for applying access restrictions to a single environment.
- The top level path
/restricts access to the entire application - The settings for specific paths override the implicitly inherited profile for the top level
- Besides being able to apply a customized access restriction profile, there are also presets available for simply allowing or denying all access
4.1 Default Settings
These are the default settings:
- When deploying a deployment package to an environment using the Deploy or Transport functionality, paths representing known functionality in the Mendix version that is used will automatically be added to the list of paths
- All paths ending in
-docwill have a preset Deny all access profile set by default - All the remaining paths will have no restriction applied by default
5 Use Cases for Access Restrictions
The two scenarios in which you can use access restrictions are described below.
5.1 Example Scenario 1 – Restricting Access Based on an IP Range
An example scenario in which a basic IP range restriction could be used is when an app running in the Mendix Cloud is only to be accessed from a single office. The interactive web browser interface of the app should only be accessible to employees in the office of the company running the app. From the rest of the internet, the login screen of the application should not even be visible.
To restrict access to the app to an IP range, follow these steps:
Go to the Developer Portal and select your app.
Go to the Access Restriction Profiles tab of the Environments page.
Create an access restriction profile.
Add one or more IP ranges to the access restriction profile.
Save the access restriction profile.
Go to the Deploy tab of the Environments page, and click the Details of the desired environment.
Select the Network tab of an application environment.
Edit the top level path
/.Any path below this path which does not have an explicit restriction will inherit this access restriction profile.Select Custom Profile for Client Certificates and/or IP ranges as the New Restriction Type.
Select your access restriction profile as the New Restriction Profile, and Save it.
5.2 Example Scenario 2 – Backend Administration with Third-Party Web Service Integrations
This second scenario is an extended version of the first scenario.
The app that was protected with the IP range restriction now starts to provide web service integrations that will be called by third-parties. Since an IP range restriction is in place, the web service endpoints are not reachable by external parties.
By adding an additional access restriction profile and applying it to the /ws/ path only, you can specifically grant access to the web service endpoints.
Additionally, the company has decided to use TLS client certificates so they do not have to manage lists of IP ranges for each external third party.
To add this additional access restriction profile, follow these steps:
Go to the Access Restriction Profiles tab of the Environments page.
Create a New access restriction profile.
Upload the certificate of the internal certificate authority that is used to sign the client certificates.
Save the new access restriction profile.
Go to the Deploy tab of the Environments page, and click the Details of the desired environment.
Select the Network tab of an application environment.
Edit the
/ws/path of the environment to apply the new access restriction profile. For the selected path (/ws/), the default profile (for the top level/) will now be overridden.
If the /ws/ path should still be reachable from the office location without using a client certificate, then add the IP ranges of the office location to the profile used for /ws/.