Environment architecture: isolated content authoring and content delivery servers

Dean Lynn asked on August 17, 2015 00:23

Is it possible to configure an environment to include:

  • 2 x load balanced content delivery servers, hosted within a DMZ and publicly accessible via live URL (e.g. www.mywebsite.com) with content authoring pages blocked (via IIS settings) to prevent authoring across the public internet.

And to support authoring tasks:

  • 1 x content authoring server, hosted in isolation to the content delivery servers for internal network access only, accessible via unique URL (e.g. cms.mywebsite.com) and used for authoring tasks.

All three servers would point to the same database.

Background to this query:

Each website in Kentico has a single primary URL assigned to its definition via the sites application; we can also add additional domain aliases to support the resolution of other URLs to the same website. Using this feature I can configure my isolated CMS server to resolve cms.mywebsite.com and my load balanced content delivery servers to resolve www.mywebsite.com. This allows me to apply protection (restrictions) to the load balanced content delivery servers, preventing access to the CMS components across the public internet and dedicating those servers to content delivery responsibilities.

The problem we have discovered with this configuration is regarding the use of AbsoluteURL functions in code. When requesting an absolute URL, the value returned appears to always include the primary site URL rather than the domain alias currently in use, i.e. if I request a webpage using a domain alias (cms.mywebsite.com), any links generated on the page for this request will use www.mywebsite.com instead (which is assigned as the primary website URL), which renders the content authoring server useless for previewing content (when the user clicks a link they are directed to the live URL and therefore away from the CMS server).

This raises a number of questions:

  • Is this behaviour expected, or should absolute URLs be returned with the current request's domain alias?
  • Is the above configuration a recommended approach i.e. isolated CMS server?
  • Or, should I switch my configuration so that all three servers are load balanced and provide both content authoring and content delivery roles?
  • If yes to the above question: how would I prevent unwanted access to the CMS interface when all servers are accessible via the public internet i.e. how would I prevent unwanted users from attempting to login to the CMS?

Thanks in advance,

Dean
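
The IIS-level block on the content delivery servers that the question describes could look like the following. This is an added example, not part of the original post and not Kentico's own configuration; `cms-admin-path` is a placeholder for the installation's authoring path, and the address range is constructed.

```xml
<!-- web.config on each public content delivery server (added example).
     "cms-admin-path" is a placeholder, not a real Kentico path: replace it
     with the authoring/administration path of your own installation and
     repeat the <location> block for each path that must be blocked. -->
<configuration>
  <location path="cms-admin-path">
    <system.webServer>
      <security>
        <!-- Requires the "IP and Domain Restrictions" role service.
             The ipSecurity section is locked by default, so either unlock
             it for this site or place this block in applicationHost.config. -->

        <!-- allowUnlisted="false": every client is denied unless listed.
             denyAction="NotFound": denied requests get a 404, so the
             authoring path is not advertised with a 403. -->
        <ipSecurity allowUnlisted="false" denyAction="NotFound">
          <!-- Delivery-only servers in the DMZ: leave this list empty so
               that nobody can reach the authoring path on them.

               If all three servers must also serve authoring, allow only
               the internal network instead (constructed sample range):

               <add ipAddress="10.20.0.0" subnetMask="255.255.0.0"
                    allowed="true" />

               Behind a load balancer IIS sees the balancer's address, not
               the client's. enableProxyMode="true" on <ipSecurity> makes
               IIS evaluate X-Forwarded-For, which is only safe when the
               balancer overwrites that header on every request. -->
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Check that live pages do not depend on resources under a blocked path before applying the rule, and verify the result from outside the DMZ as well as from the internal network.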

Recent Answers


Suneel Jhangiani answered on August 17, 2015 13:58

You should look at Staging https://docs.kentico.com/display/K82/Content+staging

The basic premise is that you would have your Authoring done on a server in your LAN with its own instance of the database. This then pushes the content to the Live servers in the DMZ which run on a separate instance of the database. As this setup uses two database instances you would not run into the issue you are experiencing with the URLs.


Dean Lynn answered on August 17, 2015 19:35

Thanks for the reply Suneel. I will investigate the content staging module as a method of protecting access to the CMS. Do you know if it has any major limitations?


Suneel Jhangiani answered on August 17, 2015 21:43

Read the docs on the link I provided and in particular pay attention to the section on what can be synchronized. From what I have found it is a logical structure since you don't need to sync certain objects to your staging environment (i.e. no need to have blog comments sent back to the staging environment). However, you need to pay attention to the fact that Custom Modules aren't included and hence you may need to find an alternative way to sync objects related to that.
