feat(admin): harden server with admin IP restrict

Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2026-01-02 17:59:36 +07:00 · 2024-07-24 11:17:17 +02:00
parent 2cbab42957
commit b5f414b989
1 changed files with 17 additions and 0 deletions
--- a/admin_manual/installation/harden_server.rst
+++ b/admin_manual/installation/harden_server.rst
@@ -177,6 +177,23 @@ information about the TLS settings.

 Also ensure that HTTP compression is disabled to mitigate the BREACH attack.

+Restrict admin actions to a specific range of IP addresses
+----------------------------------------------------------
+
+Configure ``allowed_admin_ranges`` in ``config.php`` to restrict the admin actions to trusted IP ranges.
+
+This can be achieved with this kind of setting, usually using private IP ranges::
+
+  'allowed_admin_ranges' => [
+    '127.0.0.1/8',
+    '192.168.0.0/16',
+    'fd00::/8',
+  ]
+
+All requests originating from IP addresses outside of these ranges will not be able to execute admin actions.
+
+Administrators connected from untrusted IP addresses will be able to use Nextcloud, but all admin specific actions will be hidden.
+
 Use a dedicated domain for Nextcloud
 ------------------------------------