Implementing IP blocking for DXP environments using rewrite rules in web.config can have negative side effects on deployments made through the PaaS portal. The deployment script tries to warm up the site but constantly gets a 403 error code because of the rewrite rules. This does not block the rest of the deployment, but it is alarming for the person doing the deployment, and it lengthens the deployment verification time.
Resolution
The warm-up itself is not being blocked by the IP restriction. When initializationPage entries are added to web.config, the PaaS portal also creates a rewrite rule that allows applicationInitialization requests while ignoring the rewrite rules.
However, the generation of an applicationInitialization section is being blocked by the IP restrictions.
There are a few options to fix this issue.
1. Remove the IP restriction. This is not recommended because of the issues and risks that come with removing it, so it is not detailed here.
2. Add a custom applicationInitialization section using config transforms. This is a reasonable way to fix the issue. More information can be found in the articles below.
https://world.episerver.com/digital-experience-cloud-service/development-considerations/environment-configurations/#ConfigTransforms
https://world.episerver.com/documentation/developer-guides/digital-experience-platform/development-considerations/warm-up-of-sites/
3. Add an exception for the user-agent "Episerver DXC Automation Engine". However, this is a potential security risk: anyone who knows about the exception can set their browser to that user-agent and access the site.
For CMS 12, ASP.NET Core doesn't have a built-in redirect module, so you will have to add custom RewriteOptions as middleware in the Startup.Configure method, as described here: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/url-rewriting?view=aspnetcore-6.0.
For a User-Agent restriction, you can create a custom request pipeline that filters requests by the value of HttpContext.Request.Headers["User-Agent"].
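One way to express the IP restriction and the optional user-agent exception as a custom rewrite rule for CMS 12 (an added example, not Optimizely's own code). The class name `IpAllowlistRule`, the sample address and the exact-match comparison are assumptions, as is `RemoteIpAddress` already reflecting the real client address (forwarded headers handled earlier in the pipeline).

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Rewrite;

// Hypothetical rule: returns 403 unless the client IP is on the allowlist.
public class IpAllowlistRule : IRule
{
    // User-agent named in option 3 above.
    private const string AutomationUserAgent = "Episerver DXC Automation Engine";

    private readonly HashSet<IPAddress> _allowed = new HashSet<IPAddress>();
    private readonly bool _allowAutomationUserAgent;

    public IpAllowlistRule(IEnumerable<string> allowedIps, bool allowAutomationUserAgent = false)
    {
        foreach (var ip in allowedIps) _allowed.Add(IPAddress.Parse(ip));
        _allowAutomationUserAgent = allowAutomationUserAgent; // off unless explicitly enabled
    }

    public void ApplyRule(RewriteContext context)
    {
        var http = context.HttpContext;
        var remote = http.Connection.RemoteIpAddress;
        if (remote != null && remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();

        // Allowlisted address: leave context.Result at its default (continue).
        if (remote != null && _allowed.Contains(remote)) return;

        // The User-Agent header is client-controlled, so this exception
        // weakens the restriction for any client that sends the same string.
        var userAgent = http.Request.Headers["User-Agent"].ToString();
        if (_allowAutomationUserAgent &&
            string.Equals(userAgent, AutomationUserAgent, StringComparison.Ordinal)) return;

        http.Response.StatusCode = StatusCodes.Status403Forbidden;
        context.Result = RuleResult.EndResponse; // stop the pipeline here
    }
}

// Registration in Startup.Configure (203.0.113.10 is a constructed sample address):
//   app.UseRewriter(new RewriteOptions()
//       .Add(new IpAllowlistRule(new[] { "203.0.113.10" })));
```

Keeping `allowAutomationUserAgent` off and fixing the warm-up through option 2 avoids relying on a header the client controls.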