Restrict Admin users to the Internal network


We want to allow admin users only from the internal network.

Since I could not find any possibility for this (maybe I have overlooked it), I would like to ask if it's possible to restrict certain users to a specific source IP range like 192.168.* or 10.*

In the meantime we disable the admin user and enable it, when we need something. But that is tiresome, and our security advisor feels that would be important.

Thanks in advance.


Hi Ascendancer, did you find a solution for your problem? We’d like to do the same.


Adding one more person here, who also needs this feature. Separate admin login page, maybe like or /index.php/admin (?)

1 Like

I also need this feature :thinking:

Maybe the app Restrict login to IP addresses could be updated to be applied only to a group and user. At the moment it has not been updated for NC 15 …

Has anyone made Apache rules, or ModSecurity rules?

1 Like

I also would love to have this feature. I would like to restrict the access of certain accounts to the local network only.


Hi, I have found a pretty good solution at web server level!! :partying_face:

```apache
RewriteEngine On
RewriteCond %{HTTP_COOKIE} nc_username=admin
RewriteCond %{REMOTE_ADDR} !^192\.168\.
RewriteRule .* - [F,L]
```


By putting this rule into my Nextcloud virtual host, I was able to limit admin actions to an IP range.

Line by line:

  1. turn on the rewrite engine (you need mod_rewrite enabled)
  2. check if cookie nc_username equals admin
  3. check if source IP is not part of
  4. if both conditions are met, send 403 forbidden

Down side :thinking:

:warning: this does not forbid admin login! :warning:

It only forbids any admin HTTP request. So all admin cookies are set and can be stolen.

Up side :star_struck:

It is way better to perform this check at webserver level and not at PHP level.

Enjoy! :grinning:

1 Like
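
A small model of the rule above, added here as an example (not code from the post or from Nextcloud): it evaluates the two conditions as posted next to a tightened variant that matches the cookie value exactly and checks CIDR membership for both ranges named in the original question. The function names, the constructed sample requests and the choice of 192.168.0.0/16 plus 10.0.0.0/8 are assumptions.

```python
import ipaddress
import re
from http.cookies import SimpleCookie

# Assumption: internal ranges are the two named in the original question.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]
RESTRICTED_USER = "admin"


def posted_rule_blocks(cookie_header: str, remote_addr: str) -> bool:
    """Model of the two RewriteCond lines as posted (unanchored cookie regex)."""
    has_cookie = re.search(r"nc_username=admin", cookie_header) is not None
    outside = re.search(r"^192\.168\.", remote_addr) is None
    return has_cookie and outside


def tightened_rule_blocks(cookie_header: str, remote_addr: str) -> bool:
    """Same idea with an exact cookie-value match and CIDR membership."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("nc_username")
    is_admin = morsel is not None and morsel.value == RESTRICTED_USER
    addr = ipaddress.ip_address(remote_addr)
    outside = not any(addr in net for net in INTERNAL_NETS)
    return is_admin and outside


# Constructed sample requests: (description, Cookie header, client address)
SAMPLES = [
    ("admin cookie, external", "nc_username=admin; nc_token=x", "203.0.113.7"),
    ("admin cookie, 192.168.x", "nc_username=admin; nc_token=x", "192.168.1.20"),
    ("admin cookie, 10.x", "nc_username=admin", "10.1.2.3"),
    ("user 'administrator', external", "nc_username=administrator", "203.0.113.7"),
    ("no nc_username cookie, external", "", "203.0.113.7"),
]


def evaluate():
    """Return (description, posted_blocks, tightened_blocks) per sample."""
    return [(d, posted_rule_blocks(c, a), tightened_rule_blocks(c, a))
            for d, c, a in SAMPLES]


if __name__ == "__main__":
    for desc, posted, tight in evaluate():
        print(f"{desc:34} posted={'403' if posted else 'pass'} "
              f"tightened={'403' if tight else 'pass'}")
```

The posted form also answers 403 to 10.x clients and to any user whose name starts with `admin`; both forms pass a request that carries no `nc_username` cookie, so the rule only covers requests that present that cookie.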

What about forcing the use of a YubiKey hardware token for the administrator account? If you order one which is physically plugged into a local USB port, you could restrict the usage to that device.

Device Pinning Feature

A YubiKey is another solution.

As for the solution above, I am not sure it works with WebDAV or admin APIs. Be careful before using it.