Disable backend ui in web farm / load balanced environment
We have three front end web servers and a backend staging/editing server. I do not want the Sitefinity backend to be available on the front end web servers so I followed these instructions:
docs.sitefinity.com/.../disable-the-backend-ui
This works fine, except after I go and setup the web server list in the load balancing settings, the editing server can not reach the front end servers to update their caches after a page is published because the web service needed seems to be adhering to the "disableBackendUI" flag. How can you use this "disableBackendUI" flag in a load balanced environment?
Here is the error that is logged:
06/10/2016 15:16:01
Type : System.Exception, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Message : Error sending system message to URL: sitefinity1/.../HandleMessages; HTTP method: PUT; Host: null
Source :
Help link :
Data : System.Collections.ListDictionaryInternal
TargetSite :
HResult : -2146233088
Stack Trace : The stack trace is unavailable.
Additional Info:
MachineName : XXXXXXXXXX
TimeStamp : 6/10/2016 8:16:01 PM
FullName : Telerik.Sitefinity.Utilities, Version=9.1.6110.0, Culture=neutral, PublicKeyToken=b28c218413bdf563
AppDomainName : /LM/W3SVC/45/ROOT-2-131100628330444576
ThreadIdentity :
WindowsIdentity : IIS APPPOOL\XXXXXXXXXX
Inner Exception
---------------
Type : System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Message : The remote server returned an error: (404) Not Found.
Source : System
Help link :
Status : ProtocolError
Response : System.Net.HttpWebResponse
Data : System.Collections.ListDictionaryInternal
TargetSite : System.IAsyncResult BeginGetResponse(System.AsyncCallback, System.Object)
HResult : -2146233079
Stack Trace : at System.Net.HttpWebRequest.BeginGetResponse(AsyncCallback callback, Object state)
at Telerik.Sitefinity.LoadBalancing.WebServiceSystemMessageSender.WithExceptionHandling(String url, String httpMethod, String hostHeader, Action action)
Hi Jon Jones.
I preffer way described in this thread: www.sitefinity.com/.../securing-sf-admin-area
You can create rewrite rule to protect sitefintiy backend from unnecessary IPs. And open it only for IPs inside your load balancer network
<system.webServer> <rewrite> <rules> <!-- Rule to deny access to Sitefinity authentication page --> <!-- Checks value of REMOTE_ADDR in map "Authorised Admin IPs" --> <rule name="Block Unauthorised Login" enabled="true" stopProcessing="true"> <match url="^sitefinity/authenticate/swt.*$" /> <conditions logicalGrouping="MatchAll" trackAllCaptures="false"> <add input="Authorised Admin IPs:REMOTE_ADDR" pattern="1" negate="true" /> </conditions> <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" /> </rule> </rules> <rewriteMaps> <!-- This is your list of white-listed IP's--> <rewriteMap name="Authorised Admin IPs"> <add key="ipaddress-1" value="1" /> <add key="ipaddress-2" value="1" /> <add key="ipaddress-3" value="1" /> <add key="ipaddress-99" value="1" /> </rewriteMap> </rewriteMaps> </rewrite> </system.webServer>
Thanks Victor. Your solution will not work for me but I came up with a different rewrite rule that will.
As for the original article I referenced about the disableBackendUI="True" flag. What is the purpose of this flag if it does not work in a load balanced setup? The article explicitly states that it is made to be used with load balancing but it doesn't work unless you are going to assume you have to restart your front end servers after every content change. Seems to me like this is a bug or badly written documentation. I think there would be value in this disableBackendUI="True" flag if it did not disable the load balancing web service end points so that your editing server could still communicate with the production front ends.