Whitelisting allows you to control which users can see your website content based on their originating IP addresses.
If the environment has whitelist enabled (and the IP is not on the list), the server will respond with a HTTP 403 “Forbidden”.
Examples when whitelist could be used:
- test site access needs to be restricted to a product team
- production site is behind a Web Application Firewall
Whitelists are enforced on the webserver (HTTP traffic on ports 80 and 443), so they cannot fully replace network-level security. Nevertheless they are useful as an additional layer of access control in front of your application.
Silverstripe protects dynamic requests to sites in “test mode” via Basic Authentication by default. We strongly recommend IP whitelists as an additional protection measure, since the built-in authentication does not cover all requests to those environments.
Adding your IP to the whitelist
By default all environments start with whitelist enabled (“deny all” mode), with the default of Silverstripe Operations to be permitted access.
The state of the whitelist will be visible on Silverstripe Cloud, on the “Whitelist” tab of your environment.
Add your IP to the list visible below, and press “Save”. You will receive a prompt asking you to deploy the changes, after which you will be able to access the website.
You can specify network CIDRs (e.g. 10.20.30.0/24) instead of IP addresses too.
Disabling the whitelist (“allow all” mode) means your website will be publicly accessible from the internet regardless of originating IP. If the whitelist is disabled, Cloud will show:
Normally your production servers should have the whitelist disabled.
Note: disabling the whitelist will remove the whitelist altogether, the whitelist can not be recovered after it is disabled by re-enabling.
Environments behind Web Application Firewalls
Environments behind Web Application Firewalls (WAF) should restrict access to the WAF itself. We maintain IP lists for major WAFs such as Incapsula or Cloudflare - contact Service Desk to get this configured.
When your environment has such a list configured, it will appear on the list as a non-editable entry: