Restrict login to IP range

We have a need to restrict the login page to an IP range. We’ve been trying to use the Files access control app to restrict access, but so far it’s not working. Can the Files Access Control app be used in this way, or can it only be used to restrict access to files and folders?

Thank you,
Mark

What’s your O.S.?
What’s your server?
Have you different virtual sites on the same server?

You don’t say anything about your config


If you run on unix/linux O.S., it’s very easy to do with the iptables firewall. I myself filter many countries with a single line rule.

Sorry, running Ubuntu 16.04, Apache 2.4.18, PHP 7.0.8.
Yes, we have several VMs on a host that’s running Proxmox to facilitate the VMs.

I’m not sure exactly what you’re asking for as far as our config? It’s a VM, running on an intranet, that connects to the outside, via a SNAP appliance with a virtual IP. Basically, we only want to be able to reach the login page internally. If someone tries to visit the login page from the outside, they should be denied. This was something we were able to do with the Owncloud firewall rules, but we’re having difficulty with NC.

Also, not sure if this helps, but here’s a sanitized version of our config.php file:

$CONFIG = array (
  'instanceid' => 'blabla',
  'passwordsalt' => 'blabla',
  'secret' => 'blabla',
  'trusted_domains' =>
  array (
    0 => 'sub.ourdomain.com',
    1 => '123.29.3.211',
  ),
  'datadirectory' => '/var/nextcloud_data',
  'overwrite.cli.url' => 'http://sub.ourdomain.com/nextcloud',
  'dbtype' => 'mysql',
  'version' => '9.1.0.16',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_tech',
  'dbpassword' => 'blabla',
  'logtimezone' => 'UTC',
  'installed' => true,
  'mail_from_address' => 'myaddress',
  'mail_smtpmode' => 'php',
  'mail_domain' => 'ourdomain.com',
  'ldapIgnoreNamingRules' => false,
  'updater.release.channel' => 'stable',
  'loglevel' => 0,
  'maintenance' => false,
  'ldapProviderFactory' => '\OCA\User_LDAP\LDAPProviderFactory',
  'appstore.experimental.enabled' => true,
);

O.K. I see


You may be able to achieve this with the Request remote address: (An IP range (either v4 or v6) for the accessing user) of the Files Access Control. Put here the IP range of your intranet. Note that all rules can also be inverted (from is to is not) using the operator option.

I didn’t try it but should work. Let me know.

Yeah, that’s what we’re doing now, on our test network and it’s not working. I was just curious if anyone on the forum had similar issues. Our production environment is actually a little different, so we’re going to install an instance of NC on that and see if it works there. Thank you for your help.

Hi Everyone, I am unable to use this app correctly.
If I just whitelist my IP address, it blocks my own computer as well from accessing it.
Anyone, please help me.

Hard to say without knowing your exact setup and your network configuration. But if I had to guess, I’d say it’s probably because of NAT reflection, in which case all requests from all your devices are coming from the IP of your router.

Another reason could be a reverse proxy that doesn’t forward the IP of the devices that made the requests, in which case all requests are coming from the IP of the reverse proxy.
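
The two causes suggested in the last reply, as an added example that is not part of the thread or of Nextcloud's own code: a Python model of which address an IP-range rule actually evaluates under NAT reflection and behind a reverse proxy. The function names (`effective_client_ip`, `login_allowed`, `run_cases`) and every address are constructed for illustration.

```python
import ipaddress

def effective_client_ip(peer_ip, xff, trusted_proxies):
    """Address an IP-range rule should be evaluated against.
    peer_ip is the TCP source the web server sees; xff is the X-Forwarded-For
    value or None; trusted_proxies are networks whose header is believed."""
    peer = ipaddress.ip_address(peer_ip)
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not xff or not any(peer in n for n in trusted):
        return peer  # header is client-controlled unless a trusted proxy set it
    # Walk the chain right to left; the first non-proxy hop is the client.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the connection address
        if not any(addr in n for n in trusted):
            return addr
    return peer

def login_allowed(peer_ip, xff, allowed_range, trusted_proxies=()):
    client = effective_client_ip(peer_ip, xff, trusted_proxies)
    return client in ipaddress.ip_network(allowed_range)

# Constructed addresses: workstation 10.0.0.42, reverse proxy 10.0.0.5,
# router 10.0.0.1, outside host 203.0.113.7 (documentation range).
def run_cases():
    own, proxy = "10.0.0.42/32", ["10.0.0.5/32"]
    return {
        # Workstation connects directly: rule matches.
        "direct": login_allowed("10.0.0.42", None, own),
        # NAT reflection: the router rewrites the source, so the rule sees 10.0.0.1.
        "nat_reflection": login_allowed("10.0.0.1", None, own),
        # Proxy does not forward the client IP: the rule sees 10.0.0.5.
        "proxy_no_header": login_allowed("10.0.0.5", None, own),
        # Proxy forwards the IP and is declared trusted: workstation matches again.
        "proxy_forwarded": login_allowed("10.0.0.5", "10.0.0.42", own, proxy),
        # Outside host via the trusted proxy is still denied.
        "outside_via_proxy": login_allowed("10.0.0.5", "203.0.113.7", own, proxy),
        # Outside host sending its own header directly: header ignored, denied.
        "spoofed_header": login_allowed("203.0.113.7", "10.0.0.42", own, proxy),
        # Whole intranet allowed but proxy untrusted: every proxied visitor passes.
        "range_includes_proxy": login_allowed("10.0.0.5", "203.0.113.7", "10.0.0.0/24"),
    }

if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name:22} {'allow' if ok else 'deny'}")
```

The last case is the one to check for on the server side: when the allowed range contains the proxy's own address and the proxy is not declared trusted, the rule no longer distinguishes internal from external visitors.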