houston
Restrict access to /admin based on IP address?
As above, any suggestions on how to do this or any packages that will allow iron-router to do this?
I'm not involved with this project (just a user), but to me this feels like the kind of feature that would be better implemented at the reverse-proxy or load balancer level, to minimize complexity in the application layer.
One opinion on the matter :smile:
Thanks @logankoester, I'm starting to think actually that a plugin for iron-router might do the trick. I'm not sure that having it implemented at the load balancer/reverse-proxy level would cover all the requests on a predominantly client-side app.
@malpaso That's a really interesting point. A bit embarrassing... I was thinking in the context of a traditional web service when I made that suggestion, and in retrospect it seems obvious that a Meteor app might allow access to the /admin views without ever actually hitting the /admin/* HTTP endpoints from the client.
Definitely something I need to remember when working with Meteor myself. :fearful:
With that in mind, your iron-router plugin plan sounds solid. Another approach might be to implement routing-aware IP whitelisting on Sikka, an application-level firewall for Meteor.
See issues https://github.com/meteorhacks/sikka/issues/8 and https://github.com/meteorhacks/sikka/issues/7 on that project for work already in progress.
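Since the thread concludes that client-side routes never reach the /admin/* HTTP endpoints, the following added example (not part of the thread, and not Houston's, iron-router's or Sikka's code) sketches an allowlist enforced on the server-side data layer instead, keyed on the `clientAddress` that Meteor exposes on `this.connection` in publish and method handlers. The names `ADMIN_ALLOWLIST`, `isAllowed`, `guard` and the publication name are hypothetical, the addresses are constructed samples, and it assumes you control the handlers being wrapped.

```javascript
// Added example. ADMIN_ALLOWLIST, isAllowed and guard are hypothetical names;
// the addresses are constructed samples from private/documentation ranges.
const ADMIN_ALLOWLIST = ['10.0.0.0/8', '203.0.113.7/32'];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip));
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => ((acc << 8) | o) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [base, bitsStr = '32'] = cidr.split('/');
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  // JS shifts are modulo 32, so a /0 mask must be special-cased.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// `connection` mirrors the shape of Meteor's this.connection ({ clientAddress }).
// Fails closed: a missing connection or unparseable address is denied.
function isAllowed(connection, allowlist = ADMIN_ALLOWLIST) {
  if (!connection || !connection.clientAddress) return false;
  // Normalise IPv4-mapped IPv6 ("::ffff:10.1.2.3") to plain IPv4.
  const addr = String(connection.clientAddress).replace(/^::ffff:/i, '');
  return allowlist.some((cidr) => inCidr(addr, cidr));
}

// Wrap a publish or method handler so the check runs on every DDP call,
// regardless of which client-side route triggered it.
function guard(handler, allowlist = ADMIN_ALLOWLIST) {
  return function guarded(...args) {
    if (!isAllowed(this.connection, allowlist)) {
      throw new Error('forbidden'); // in Meteor: new Meteor.Error(403, ...)
    }
    return handler.apply(this, args);
  };
}

// Wiring in a Meteor server file (publication name is hypothetical):
//   Meteor.publish('adminCollections', guard(function () { ... }));
// Behind a proxy, clientAddress is only meaningful if HTTP_FORWARDED_COUNT
// matches the number of trusted proxies in front of the app.
```

Hiding the /admin route on the client is cosmetic; the data stays protected only because the publications and methods behind it refuse connections from outside the allowlist.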