
Security: Restricting admin login to certain IP addresses or IP ranges

To increase the security of your system, you can restrict admin logins to certain IP addresses. Follow these steps to enable this feature:

  1. Install FDSE (Fluid Dynamics Search Engine) version 2.0.0.0056 or newer.

  2. Confirm that FDSE is aware of your IP address. Log in to the Admin Page, then go to "General Settings" => "View all system information". This will list all environment variables.

    • If the REMOTE_ADDR variable is present and contains your correct IP address, then great. Your system is configured in the standard way.

    • Your IP address may be present but not listed under REMOTE_ADDR (for example, it may be under HTTP_X_FORWARDED_FOR). If so, a slight code customization will be needed. When you customize the %private hash in the next step, you'll need to specify which environment variable will be the source of the 'visitor_ip_addr' string. Only rely on such a variable when it is set by a proxy you control, because a header like X-Forwarded-For can otherwise be supplied by the client.

    • If your IP address is not listed in the environment variables, then you cannot use IP-based security.

  3. Edit the base "search" file (search.pl or search.cgi). Towards the top of the file will be the declaration of the %private hash:

    %private = (
    	'pdf utility folder' => "",
    	'global_lockfile_count' => 1,
    	'script_start_time' => time(),
    
    	# customize this if your IP is special:
    	'visitor_ip_addr' => &query_env('REMOTE_ADDR'),
    
    	# customize this with your set of allowed addresses:
    	'allow_admin_access_from' => '',
    
    	'file_mask' => 0666,
    	'needs_header' => 1,
    	);

    Add your IP addresses to the 'allow_admin_access_from' string:

    %private = (
    	'pdf utility folder' => "",
    	'global_lockfile_count' => 1,
    	'script_start_time' => time(),
    
    	# customize this if your IP is special:
    	'visitor_ip_addr' => &query_env('REMOTE_ADDR'),
    
    	# customize this with your set of allowed addresses:
    	'allow_admin_access_from' => '140.140.1.1 220.220.220.1 82.83.*',
    
    	'file_mask' => 0666,
    	'needs_header' => 1,
    	);

    Multiple IP addresses or IP ranges can be entered, separated by whitespace. Each string can contain numbers, the dot ".", and the asterisk "*". All matching is done from the left.

    In the example above, a user would need the exact IP address "140.140.1.1" or the exact IP "220.220.220.1" or any IP address in the range 82.83.0.0 through 82.83.255.255.

    This setting does not support DNS names.

  4. If a person tries to log in from outside this IP range, he will receive the error message: "access denied to admin functions. Your IP address x.y.z.w is not among the list of allowed addresses". Note that this error message will echo the client's IP address, but it will not specify which IP addresses are in the allowed set. The IP check occurs before verification of the password.

    If you restrict the set of IP addresses, and then later need to log in from outside that range, you will need to connect to the server, download the "search" file, edit the allowed range, and then upload your changes.

  5. The IP checks will only be performed when the REMOTE_ADDR (or equivalent) environment variable is populated. For command-line access to the script, this environment variable will not be present and no checks will be performed.
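
To check an allow-list string against your own address before uploading the edited "search" file (and so avoid the lock-out described in step 4), the following added example models the matching rules from step 3. It is not FDSE's own code: the function names are hypothetical, and the handling of "*" and of an empty list are assumptions based on the help text above.

```perl
#!/usr/bin/perl
# Added example, not FDSE source code. It models the matching rules as the
# help text describes them; the real implementation may differ in detail.
use strict;
use warnings;

# Convert one allow-list entry into a regex anchored at both ends.
# Returns nothing if the entry holds anything but digits, "." and "*".
sub entry_to_regex {
    my ($entry) = @_;
    return unless $entry =~ /\A[0-9.*]+\z/;
    # Assumption: "*" stands for any remaining run of digits and dots.
    my $re = join '', map { $_ eq '*' ? '[0-9.]*' : quotemeta($_) } split //, $entry;
    return qr/\A$re\z/;
}

# Returns 'allowed', 'denied' or 'unchecked' for one visitor address.
sub admin_access {
    my ($allow_list, $visitor_ip) = @_;
    # Step 5: with no address in the environment (command line), no check runs.
    return 'unchecked' unless defined $visitor_ip && length $visitor_ip;
    my @entries = split ' ', $allow_list;
    # Assumption: an empty list (the shipped default) means no restriction.
    return 'allowed' unless @entries;
    for my $entry (@entries) {
        my $re = entry_to_regex($entry);
        unless ($re) {
            warn "ignoring invalid entry '$entry' (DNS names are not supported)\n";
            next;
        }
        return 'allowed' if $visitor_ip =~ $re;
    }
    return 'denied';
}

# The allow list from step 3, checked against constructed sample addresses.
my $allow = '140.140.1.1 220.220.220.1 82.83.*';
my @samples = (
    '140.140.1.1',    # exact entry
    '140.140.1.10',   # shares a prefix with an exact entry, but is not exact
    '82.83.200.7',    # inside the 82.83.* range
    '82.84.0.1',      # outside the range
    '182.83.1.1',     # contains "82.83." but not at the left
    '',               # command-line run: no address available
);
for my $ip (@samples) {
    printf "%-15s %s\n", ($ip eq '' ? '(no address)' : $ip), admin_access($allow, $ip);
}
```

Replace `$allow` with the string you intend to upload and add your current address to `@samples`; it should report "allowed" before you save the change.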


    "Security: Restricting admin login to certain IP addresses or IP ranges"
    http://www.xav.com/scripts/search/help/1163.html