nginx-ip-whitelister
Allow list of ips/cidrs that are always allowed
For some use cases it's nice/needed to be able to have some ips or cidrs whitelisted by default without timeout.
I know this is possible to configure in nginx itself, but that would make these ips/ranges invisible inside nipw admin portal.
Can you please describe the approve/deny logic that would fit your use case?
I think that adding a config header that disables the timeouts (or using very long timeouts) in combination with a "-netmask-allow" would accomplish what you mean, but let's make sure.
The use case is that there can be ip addresses or ranges that should be allowed always. For example some kind of office / company / family network that you don't want to burden with generating/distributing/rotating access keys and TOTP secrets.
But for addresses outside those ranges you want the existing behaviour of being able to whitelist ips using the token in the url.
I believe the `x-nipw-netmask-allow` header won't work because it will reject anything that doesn't match the provided netmasks? It could work with a `x-nipx-netmask-allow-always` or something instead.
I understand. I will look into it.
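The approve/deny order requested in this thread, as an added sketch that is not nginx-ip-whitelister's own code: always-allowed ranges are checked first, and every other address falls through to the existing token-created whitelist with its timeout. The function names, the comma-separated header value format, the `Map` of expiry times and the IPv4-only scope are all assumptions made for the illustration.

```javascript
// Added illustration; every name here is hypothetical, not the project's API.

// Convert a dotted-quad IPv4 address to an integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip lies inside cidr ("a.b.c.d/len"; a bare address means /32).
// Malformed entries never match, so a typo such as "10.0.0.0/" cannot
// silently turn into /0 and allow every client.
function inCidr(ip, cidr) {
  const [base, lenStr = '32'] = cidr.trim().split('/');
  if (!/^\d{1,2}$/.test(lenStr) || Number(lenStr) > 32) return false;
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const size = 2 ** (32 - Number(lenStr)); // addresses per block
  return Math.floor(a / size) === Math.floor(b / size);
}

// alwaysAllowHeader: assumed comma-separated value of the proposed
// "allow always" header. whitelist: Map of ip -> expiry timestamp (ms),
// standing in for entries created with the token in the URL.
function decide(ip, alwaysAllowHeader, whitelist, now) {
  const ranges = (alwaysAllowHeader || '').split(',').filter((s) => s.trim());
  if (ranges.some((c) => inCidr(ip, c))) {
    return { allow: true, reason: 'always-allow' }; // no key, no timeout
  }
  const expiresAt = whitelist.get(ip);
  if (expiresAt !== undefined && expiresAt > now) {
    return { allow: true, reason: 'whitelisted' }; // existing behaviour
  }
  return { allow: false, reason: 'not-whitelisted' };
}
```

Returning a reason with each decision lets an admin view show why an address was admitted, which is the visibility the request asks for.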