Restrict Admin users to the Internal network

#1

We want to allow admin users only from the internal network.

Since I could not find any possibility for this (maybe I have overlooked it), I would like to ask if it's possible to restrict certain users to a specific source IP range like 192.168.* or 10.*

In the meantime we disable the admin user and enable it when we need something. But that is tiresome, and our security advisor feels that this would be important.

Thanks in advance.

#2

Hi Ascendancer, did you find a solution for your problem? We'd like to do the same.

#3

Adding one more person here, who also needs this feature. Separate admin login page, maybe like https://www.example.com/admin.php or /index.php/admin (?)

#4

I also need this feature :thinking:

Maybe the app Restrict login to IP addresses could be updated so it can be applied only to a group or user. At the moment it has not been updated for NC 15 …

Has anyone made Apache rules, or modSecurity rules?

#5

I also would love to have this feature. I would like to restrict the access of certain accounts to the local network only.

#6

Hi, I have found a pretty good solution at the web server level!! :partying_face:

    # mod_rewrite must be enabled for these directives to take effect
    RewriteEngine On
    # Nextcloud sets the nc_username cookie after login; match the admin account
    RewriteCond %{HTTP_COOKIE} nc_username=admin
    # ...and the client address is NOT in 192.168.0.0/16
    RewriteCond %{REMOTE_ADDR} !^192\.168\.
    # both conditions true: answer 403 Forbidden and stop processing
    RewriteRule .* - [F,L]

Explanation

By putting this rule into my Nextcloud virtual host, I was able to limit admin actions to an IP range.

Line by line:

  1. turn on the rewrite engine (you need mod_rewrite enabled)
  2. check if the cookie nc_username equals admin
  3. check if the source IP is not part of 192.168.0.0/16
  4. if both conditions are met, send 403 Forbidden

Down side :thinking:

:warning: this does not forbid admin login! :warning:

It only forbids any admin HTTP request. So all admin cookies are set and can be stolen.

Up side :star_struck:

It is way better to perform this check at the web server level and not at the PHP level.

Enjoy! :grinning:

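To make the rule's logic (and its gap) concrete, here is an added Python model of the check, not code from the post above or from Nextcloud. It reproduces the cookie-based decision for the 192.168.* and 10.* ranges asked for in #1, and additionally (an assumption of this example, not part of the Apache rule) identifies the account from an HTTP Basic Authorization header, which is how WebDAV and API clients authenticate without carrying the nc_username cookie; the policy table and all request headers are constructed samples.

```python
import base64
import ipaddress

# Constructed policy: accounts pinned to the source networks they may use.
RESTRICTED_USERS = {
    "admin": [ipaddress.ip_network("192.168.0.0/16"),
              ipaddress.ip_network("10.0.0.0/8")],
}


def cookie_user(headers):
    """Username from the nc_username cookie. Unlike the RewriteCond regex
    (a substring match, so nc_username=admin also matches admin2), the
    cookie is split on ';' and compared as a whole value."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "nc_username":
            return value or None
    return None


def basic_auth_user(headers):
    """Username from an HTTP Basic Authorization header (WebDAV / OCS
    clients). This is the extension the cookie-only rule lacks."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, _, _ = decoded.partition(":")
    return user or None


def should_block(headers, remote_addr, policy=RESTRICTED_USERS):
    """True when the request (identified by cookie, else Basic auth) belongs
    to a restricted account and comes from outside its allowed networks."""
    user = cookie_user(headers) or basic_auth_user(headers)
    if user not in policy:
        return False
    addr = ipaddress.ip_address(remote_addr)
    return not any(addr in net for net in policy[user])


def cookie_rule_only(headers, remote_addr, policy=RESTRICTED_USERS):
    """The original cookie-only rule: a cookieless WebDAV request passes."""
    user = cookie_user(headers)
    if user not in policy:
        return False
    return not any(ipaddress.ip_address(remote_addr) in n for n in policy[user])
```

Comparing `cookie_rule_only` with `should_block` on a Basic-auth request from an external address shows why #8's caution about WebDAV applies to the cookie-only rule.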
#7

What about forcing the use of a Yubikey hardware token for the administrator account? If you order one which is physically plugged into a local USB port, you could restrict the usage to that device.

Device Pinning Feature
#8

A Yubikey is another solution.

As for the solution above, I am not sure it works with WebDAV or admin APIs. Be careful before using it.