fusio
IP based access restriction
We should check whether we should build an IP access panel where an admin can disallow access to the API for specific IPs or IP ranges. This could be useful in case an admin detects malicious apps or requests. On the other hand, such behaviour can also be easily solved through OS tools, i.e. iptables or the Apache/nginx config. If Fusio runs inside a Docker container, it is not always possible to configure/use such OS tools.
A user-based IP whitelist would be nice.
Wouldn't this simply be IP blocking, which cPanel already has?
@LaserStony yes this is true, so maybe we don't need such a feature in Fusio. The advantage of building this inside Fusio would be that we could use this feature also for other cases, i.e. ban an IP after x times of wrong logins etc.
Hmmmm... That would be understandable, as it could help us prevent possible attacks in the future.
Another use for IP filtering is per user IP whitelist, i.e., the IP(s) are linked to a specific user and only for that user.
Yes, it would be nice. Mostly, this API traffic will be carried out/implemented by the developer class, not the end-user class, so OAuth2 and consumer credentials won't be enough, and server firewall & webserver mods are overkill, because fellow developers must already know all the client and user credentials (because they develop it in order to consume it). The added feature of IP restriction per user/per app will increase the security of a corporation's critical data via API traffic from the eye of a hostile ex-developer :-).
I know the developer can build a VPN interface and use that tunnel to access from whitelisted IPs, but that's another story... we will treat it with another form of deterrence.
Hopefully we'll see this evaluated issue become an implemented feature... keep up the good & golden work!!
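
The two application-level checks raised in this thread, a per-user IP allowlist with ranges and a ban after x wrong logins, sketched as an added example that is not part of the original discussion and is not Fusio code. The class name, method names, thresholds and sample addresses are all assumptions made for illustration.

```python
import ipaddress
import time
from collections import defaultdict, deque

def normalize(ip):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on bad input
    if addr.version == 6 and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr

class IpPolicy:  # hypothetical name, not a Fusio class
    def __init__(self, max_failures=5, window=300, ban_seconds=900, clock=time.monotonic):
        self.max_failures, self.window, self.ban_seconds = max_failures, window, ban_seconds
        self.clock = clock
        self.allowlists = {}                 # user -> list of networks
        self.failures = defaultdict(deque)   # ip -> times of recent failed logins
        self.banned_until = {}               # ip -> time at which the ban ends

    def set_allowlist(self, user, cidrs):
        # strict=True rejects typos such as 10.0.0.5/8 (host bits set)
        self.allowlists[user] = [ipaddress.ip_network(c, strict=True) for c in cidrs]

    def record_failed_login(self, ip):
        addr, now = normalize(ip), self.clock()
        recent = self.failures[addr]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.banned_until[addr] = now + self.ban_seconds
            recent.clear()

    def check(self, user, ip):
        """Return (allowed, reason); ip is the peer address the server saw."""
        try:
            addr = normalize(ip)
        except ValueError:
            return False, "invalid address"  # fail closed
        if self.banned_until.get(addr, 0) > self.clock():
            return False, "ip banned"
        nets = self.allowlists.get(user)
        if nets is None:
            return True, "no allowlist"      # user has no restriction configured
        if any(addr in net for net in nets): # v4/v6 mismatch is simply False
            return True, "allowlisted"
        return False, "ip not in user allowlist"
```

Behind a reverse proxy, the address passed to `check` has to come from the proxy's trusted configuration, since a client-supplied `X-Forwarded-For` header would let the caller choose its own allowlisted IP.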