Under review

Limit access to files via IP

russ 3 weeks ago • updated by Vlad R 3 weeks ago 26

I want to be able to share files with IP restriction.

So if the visitor comes from specific IP, then they are given access to the files without any login or password.

For any other IP address, they will be required to login or use a password.

Did you notice this setting in control panel->login and registration:

Alternatively, you could possibly use a URL shortener like YOURLS (which integrates nicely with Filerun) and a plugin to restrict access by IP.

No, I don't see that option; maybe this is an enterprise setting. I am only using the free version.

But it seems like it would still require a login, which is what I want to avoid. The allowed IP range should have direct access to the files.


The only workaround I can think of is that I run another install of FILERUN and restrict the entire app by IP.

All I do with the free version is add a location block to nginx w/ allow/deny to the dir you want to be IP restricted. If you use Apache I am sure the same can be done.

    location /pvt {
        # allow/deny rules for this location
        include conf.d/access.conf;
        alias /var/db/filerun/vectr0n/pvt;
        autoindex on;
        try_files $uri $uri/ =404;
    }

I did think of applying the IP restrictions to the actual folders on the server, but since nobody actually accesses those files/folders directly, rather the file is served indirectly via PHP, I did not think this would work.

OK, I just tested it, and putting an IP restriction on the folder where the files are stored had no effect.

Works perfectly fine here, I have over 20 folders shared this way and nginx does the access checking.

I am using Windows in this case, and I set the IP restrictions in IIS.
Access is denied by default.

I haven't touched Windows in over 10 years now, so I am no help with IIS, but the same logic should apply.

Just to be clear, the "home directory" where the files are stored is NOT inside the filerun folder, it is elsewhere. Does this matter?

Shouldn't matter; my FileRun lives in /usr/local/www/filerun and my user data is in /var/db/filerun/vectr0n. I just use /var/db/filerun/vectr0n/whateverfolder in nginx with allow/deny to allow IP restricted access to that folder.

The link to the files will always be in the format
https://domain.com/filemanager/wl/?id=DZJJwehGQCrcy1PkHj71okhzHu5vV71s

So the user will never actually touch the folder where the files are stored. It is only PHP which accesses the folder and then serves the files via the browser. So the only IP address accessing the files/folders directly is the server IP.

Perhaps this works differently in NGINX and it forwards the IP of the client?

The internal link sharing has nothing to do with this setup; it is totally outside of the filerun config. The way I am explaining it would be: https://files.example.com = filerun, and https://files.example.com/pvt (example above) is how they access the dir that is IP restricted in nginx.

I can easily move the app to a Linux server if that will solve the issue.
My host runs on LiteSpeed though.

OK, so are you saying NOT to use the link sharing?

The host OS should not really matter; you just have to figure out how you share a folder in IIS and then IP restrict that folder.

The workaround I am explaining has nothing to do with FileRun or its configuration. Forget about it for a second: all you want to do is share a folder IN the FileRun user's dir via IIS and then IP restrict in IIS.

OK, I see what you mean now. Just provide the customer a link directly to the folder, and point to it using a Vdir on the web server.

Ya pretty much, it's a workaround for free users like myself. It was a decent compromise for me and has worked well. I am the only user of my FileRun, but you can still share a user's stuff this way and still edit, download, upload, etc in FileRun itself. This then gives the option to IP restrict different stuff in the web server itself.

Since you can restrict access to specific files and folders by IP using htaccess, is there any way this same method can be used to restrict access to the sharing URLs? I have googled this, but could not find any examples of this.

I don't think that is an option for the built in link sharing, at least not to free users if it does exist.

This is where you might want to look into using YOURLS for the link shortener and a custom .htaccess file that blocks specific IP, IP ranges or country.

That's a good idea. Polr URL Shortener is also known to work as well; it's a bit more polished.

Actually, couldn't you just modify your Filerun .htaccess to allow IP from CIDR, like this:

Allow from 123.123.123.0/2

And here's another idea to allow all connections from local network, but require login for external.

Edit: Oops I forgot you're on Windows so you'll have to find an IIS equivalent...
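
The prefix length in an allow rule decides how many addresses get in without a login, so it helps to expand each rule to the network it really covers before deploying it. The Python below is an added example, not code from the thread or from FileRun: it parses Apache- and nginx-style allow rules and reports the effective network, assuming the server masks host bits the way Python's `ipaddress` does with `strict=False`. `MIN_PREFIX` and the /24 comparison rule are constructed here.

```python
import ipaddress
import re

# Address part of Apache 2.2 "Allow from", Apache 2.4 "Require ip" and nginx
# "allow" rules (one address or CIDR per rule).
RULE_RE = re.compile(
    r"^\s*(?:allow\s+from|require\s+ip|allow)\s+([0-9a-fA-F:./]+)\s*;?\s*$",
    re.IGNORECASE)
# Assumption for this example: prefixes shorter than these get flagged.
MIN_PREFIX = {4: 16, 6: 32}

def parse_rule(line):
    """Return the network an allow rule admits, or None for any other line."""
    m = RULE_RE.match(line)
    # strict=False masks host bits, e.g. 123.123.123.0/2 -> 64.0.0.0/2.
    return ipaddress.ip_network(m.group(1), strict=False) if m else None

def audit(lines):
    """Per allow rule: effective network, address count, too-broad flag."""
    report = []
    for line in lines:
        net = parse_rule(line)
        if net is not None:
            report.append({
                "rule": line.strip(),
                "network": str(net),
                "addresses": net.num_addresses,
                "too_broad": net.prefixlen < MIN_PREFIX[net.version],
            })
    return report

def bypasses_login(client_ip, lines):
    """True if client_ip matches an allow rule and so would skip the login."""
    addr = ipaddress.ip_address(client_ip)
    nets = [n for n in map(parse_rule, lines) if n is not None]
    return any(addr.version == n.version and addr in n for n in nets)

# THREAD_RULE is the rule quoted in the thread; NARROW_RULE is constructed
# here for comparison.
THREAD_RULE = ["Allow from 123.123.123.0/2"]
NARROW_RULE = ["Allow from 123.123.123.0/24"]

if __name__ == "__main__":
    for entry in audit(THREAD_RULE + NARROW_RULE):
        print(entry)
    print(bypasses_login("100.1.2.3", THREAD_RULE))   # outside 123.123.123.x
    print(bypasses_login("100.1.2.3", NARROW_RULE))
```
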

I don't need to stick with Windows BTW, happy to move it to Linux, thus why I am asking about htaccess.

I wouldn't know how to integrate YOURLS into FILERUN, but wouldn't that still have the exact same requirement, that I would have to apply the htaccess rules to the URL regardless?
The question is more whether you can do this in htaccess, as I do not know and could not find examples of restricting URLs rather than paths to files and folders.

I can provide a solution, but it requires good PHP coding knowledge. Let me know if you are interested. Again, note that it would require you to write PHP code.