We want to allow admin users only from the internal network.
Since I could not find any possibility for this (maybe I have overlooked it), I would like to ask if it's possible to restrict certain users to a specific source IP range like 192.168.* or 10.*
In the meantime we disable the admin user and enable it when we need something. But that is tiresome, and our security advisor feels that this would be important.
Adding one more person here, who also needs this feature. Separate admin login page, maybe like https://www.example.com/admin.php or /index.php/admin (?)
What about forcing the use of a Yubikey hardware token for the administrator account. If you order one which is physically plugged into a local USB port you could restrict the usage to that device.
I am trying the same with Varnish, but the cookies can easily be manipulated. You can delete this cookie (this can be checked otherwise) or edit your nc_username cookie. Does anyone else have a method for this without looking in the POST body with the form data?
You can add a rule to the web server to evaluate POST requests to …/index.php/login and drop them if user: admin is in the body. Looks like you can do this with mod_security, but IDK how…
This will restrict admin from logging in.
This will not protect you if admin logged in while in the whitelisted range and then manipulates his nc_username cookie and accesses from the non-permitted IPs.
I got this working via mod_security3 on FreeBSD.
Internet -> Pound Reverse Proxy Server -> Apache mod_security3 Server -> Apache Nextcloud Server
I created my own rule to drop the admin login:
SecRule REQUEST_BODY "user=admin" "id:991,phase:2,log,drop,status:403,msg:'Admin Login via %{REMOTE_ADDR} Detected!',severity:3"
It's important to use mod_security on a server in front of Nextcloud, otherwise the sequence of the modules is a problem; in my tests the login response cookies were set, so after reloading you could log in. This doesn't happen if it's a separate server, so the request doesn't reach the Nextcloud server.
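A source-IP restriction on the admin login, as an added example that is not code from this thread: it only blocks POSTs to the login URL where the user field is exactly "admin" and the client address is outside 192.168.0.0/16 or 10.0.0.0/8. It assumes the login form posts to /index.php/login with a field named user (as described above) and that rule id 990001 is unused in your rule set.

```apacheconf
# Added example, not from the thread. Request body parsing must be enabled
# so that ARGS_POST is populated in phase 2.
SecRequestBodyAccess On

# Chained rule: the disruptive action (deny) sits on the first rule and fires
# only when every link in the chain matches. Rule id 990001 is an arbitrary
# id chosen for this example; pick one that is free in your own rule set.
SecRule REQUEST_METHOD "@streq POST" \
    "id:990001,phase:2,t:none,log,deny,status:403,\
    msg:'Admin login from non-internal address %{REMOTE_ADDR} blocked',\
    chain"
    # Only the Nextcloud login endpoint.
    SecRule REQUEST_URI "@endsWith /index.php/login" "t:none,chain"
        # Exact match on the posted user name, so "administrator" or
        # "adminuser" is not caught by accident.
        SecRule ARGS_POST:user "@streq admin" "t:none,chain"
            # Deny unless the client address is in one of the internal ranges.
            SecRule REMOTE_ADDR "!@ipMatch 192.168.0.0/16,10.0.0.0/8" "t:none"
```

When ModSecurity sits behind a reverse proxy such as the Pound setup above, REMOTE_ADDR is the proxy's address unless the original client address is restored first (for Apache, mod_remoteip with the proxy's header); without that, every login appears to come from one internal host and the rule never blocks. As the earlier reply notes, this only guards the login POST, not a session cookie that was obtained inside the allowed range and reused elsewhere.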