Restrict access to /admin based on IP address? #292

Open
malpaso opened this issue Apr 14, 2015 · 3 comments

@malpaso

malpaso commented Apr 14, 2015

As above, any suggestions on how to do this or any packages that will allow iron-router to do this?

@logankoester

I'm not involved with this project (just a user), but to me this feels like the kind of feature that would be better implemented at the reverse-proxy or load balancer level, to minimize complexity in the application layer.

One opinion on the matter 😄

@malpaso

malpaso commented Apr 14, 2015

Thanks @logankoester. I'm starting to think actually that a plugin for iron-router might do the trick. I'm not sure that having it implemented at the load balancer/reverse-proxy level would cover all the requests on a predominantly client-side app.

@logankoester

@malpaso That's a really interesting point. A bit embarrassing... I was thinking in the context of a traditional web service when I made that suggestion, and in retrospect it seems obvious that a Meteor app might allow access to the /admin views without ever actually hitting the /admin/* HTTP endpoints from the client.

Definitely something I need to remember when working with Meteor myself. 😨

With that in mind, your iron-router plugin plan sounds solid. Another approach might be to implement routing-aware IP whitelisting on Sikka, an application-level firewall for Meteor.

See issues meteorhacks/sikka#8 and meteorhacks/sikka#7 on that project for work already in progress.
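
Added example, not part of the thread and not code from iron-router or Sikka: because a Meteor client can render the /admin views without requesting /admin/* over HTTP, this sketch enforces the IP allowlist on the server, around the handlers that return admin data. `restrictToAdminNetwork`, `ADMIN_ALLOWLIST`, the sample addresses and the `listUsers` handler are hypothetical, and the connection object is a stand-in for the one Meteor passes to methods and publications.

```javascript
// Constructed allowlist using documentation address ranges (not from the thread).
const ADMIN_ALLOWLIST = ['192.0.2.0/24', '198.51.100.7/32'];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null when malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip lies inside the IPv4 CIDR block. Anything unparsable
// (IPv6, missing address, bad prefix) fails closed.
function inCidr(ip, cidr) {
  const [base, bitsStr = '32'] = cidr.split('/');
  if (!/^\d{1,2}$/.test(bitsStr) || Number(bitsStr) > 32) return false;
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  const size = 2 ** (32 - Number(bitsStr));
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

function isAdminAddress(ip, allowlist = ADMIN_ALLOWLIST) {
  return allowlist.some((cidr) => inCidr(ip, cidr));
}

// Wrap a method or publication handler so the server rejects callers outside
// the allowlist, whichever client-side route triggered the call.
// Assumption: `this.connection.clientAddress` is set as Meteor sets it for
// methods and publish functions; a plain object stands in for it below.
function restrictToAdminNetwork(handler) {
  return function guarded(...args) {
    const addr = this && this.connection && this.connection.clientAddress;
    if (!isAdminAddress(addr)) throw new Error('admin access denied');
    return handler.apply(this, args);
  };
}

// Hypothetical admin handler, called the way the server would invoke it.
const listUsers = restrictToAdminNetwork(function () { return ['alice', 'bob']; });
console.log(listUsers.call({ connection: { clientAddress: '192.0.2.55' } }));
```

Behind a reverse proxy, Meteor derives `clientAddress` from forwarded headers according to the `HTTP_FORWARDED_COUNT` environment variable, so that setting must match the real number of proxies or the check compares the wrong address.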
