4.2.2 user-ip-restrictions.json

If the backend finds this file at startup, it restricts access to the backend according to the rules defined in this file. The rules in the file describe which user may log in to the backend from which client machine. This applies to WebUI logins, not to operating-system-level (ssh) logins.

IP-based login restrictions can be defined in two ways:

  1. From a given client IP address (or subnet) only a defined set of users may log in.
  2. A given user may log in only from a defined set of IP addresses or subnets.

While these two kinds of restriction sound quite similar at first glance, their consequences may be completely different. A type 1 rule excludes all users who are not listed in the rule; a type 2 rule excludes all non-listed locations for a particular user.

The user-ip-restrictions.json file uses JSON to describe the rules to be applied. Example:

{
    "comment": "Example rules file",
    "ip_sources": [
        {
            "source_address": "10.10.21.0/24",
            "allowed_users": ["peter","paul","mary"]
        },
        {
            "source_address": "192.168.0.144",
            "allowed_users": ["guest"]
        }
    ],
    "users": [
        {
            "username": "john",
            "allowed_addresses": [ "10.10.1.0/24", "192.168.2.0/24" ]
        }
    ],
    "default_behavior": "grant"
}

The array "ip_source" contains the list of type 1 rules. Each rule defines an IP address or subnet and the list of users who are permitted to log in from this network location. In the example above, from the subnet "10.10.21.0/24" only the users "peter", "paul" and "mary" are permitted to log in. All other users are rejected when trying to log in from this subnet, even if they entered valid credentials. The second rule in this list limits the login from the IP "192.168.0.144" to the user "guest".

The array "users" contains the list of type 2 rules. In this example there is only one rule defined, which limits the login for user "john" to the subnets "10.10.1.0/24" and "192.168.2.0/24". Login attempts for "john" will be rejected unless the IP address of his computer is in one of these subnets, even if he entered valid credentials.

Finally, the definition "default_behavior" specifies how to handle login attempts by users who are not covered by any of the rules above. Valid options are "grant" or "deny".

The file may contain both type 1 and type 2 rules, or only one of the arrays "ip_source" or "users". For example, a single client machine may be limited to a certain user:

{
    "comment": "Example rules file",
    "ip_source": [
        {
            "source_address": "192.168.0.144",
            "allowed_users": ["guest"]
        }
    ],
    "default_behavior": "grant"
}

This file only restricts the browser at "192.168.0.144": only user "guest" may log in from there. Other users are rejected when logging in from that address, but they may log in from any other source.

If the user-ip-restrictions.json file does not exist, no IP-based login restrictions are applied. user-ip-restrictions.json uses strict JSON syntax; any comments in the file must be written as definitions which the parser ignores (e.g. "comment": "...").
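The following evaluator is an added example, not the backend's own code, to show how the type 1 and type 2 rules above combine for a given (user, client IP) pair and when "default_behavior" comes into play. It assumes that every matching rule must permit the login and that the default decides only when no rule matches at all (the page does not spell out that precedence), and it accepts both spellings of the type 1 array name ("ip_sources" and "ip_source") that appear on this page.

```python
import ipaddress
import json

# Constructed sample rules, mirroring the first example file on this page.
SAMPLE_RULES = json.loads("""
{
    "comment": "Example rules file",
    "ip_sources": [
        {"source_address": "10.10.21.0/24", "allowed_users": ["peter", "paul", "mary"]},
        {"source_address": "192.168.0.144", "allowed_users": ["guest"]}
    ],
    "users": [
        {"username": "john", "allowed_addresses": ["10.10.1.0/24", "192.168.2.0/24"]}
    ],
    "default_behavior": "grant"
}
""")


def _in_net(ip, spec):
    """True if ip lies within spec; a bare address counts as a single-host network."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def login_allowed(rules, username, client_ip):
    """Decide whether username may log in to the WebUI from client_ip.

    Assumed precedence: every matching type 1 and type 2 rule must permit the
    login; default_behavior is consulted only when no rule matches.
    """
    default = rules.get("default_behavior", "grant")
    if default not in ("grant", "deny"):
        raise ValueError("default_behavior must be 'grant' or 'deny'")
    matched = False
    # Type 1: a source address/subnet restricts who may log in from there.
    for rule in rules.get("ip_sources", rules.get("ip_source", [])):
        if _in_net(client_ip, rule["source_address"]):
            matched = True
            if username not in rule["allowed_users"]:
                return False
    # Type 2: a user rule restricts that user to the listed networks.
    for rule in rules.get("users", []):
        if rule["username"] == username:
            matched = True
            if not any(_in_net(client_ip, n) for n in rule["allowed_addresses"]):
                return False
    return True if matched else default == "grant"
```

Note that "john" logging in from inside "10.10.21.0/24" is rejected by the type 1 rule even though he has his own type 2 rule, which is exactly the interaction the text warns about.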