diff options
| author | Thomas Steur <tsteur@users.noreply.github.com> | 2017-12-01 01:38:06 +0300 |
|---|---|---|
| committer | Matthieu Aubry <mattab@users.noreply.github.com> | 2017-12-01 01:38:06 +0300 |
| commit | 9020dac1940fa9c52b9f29748131aa859ab16c29 (patch) | |
| tree | 731e56ca9c9151cb319affa80480a26919624209 /config | |
| parent | af3a79c055bfe2c5778b5827ba3d165674315f4b (diff) | |
Add possibility to restrict piwik access by ip (#12242)
* add possibility to restrict piwik login by ip
* better whitelist implementation
* move classes to corehome
* better error message
* better config
* make sure ips can be overwritten via DI
* fix ui tests
Diffstat (limited to 'config')
| -rw-r--r-- | config/global.ini.php | 17 | ||||
| -rw-r--r-- | config/global.php | 12 |
2 files changed, 29 insertions, 0 deletions
diff --git a/config/global.ini.php b/config/global.ini.php index 418d49731b..6aa9f65175 100644 --- a/config/global.ini.php +++ b/config/global.ini.php @@ -368,6 +368,23 @@ login_password_recovery_replyto_email_address = "no-reply@{DOMAIN}" ; name that appears as a Reply-to in the password recovery email login_password_recovery_replyto_email_name = "No-reply" +; When configured, only users from a configured IP can log into your Piwik. You can define one or multiple +; IPv4, IPv6, and IP ranges. This whitelist also affects API requests unless you disabled it via the setting +; "login_whitelist_apply_to_reporting_api_requests" below. Note that neither this setting, nor the +; "login_whitelist_apply_to_reporting_api_requests" restricts authenticated tracking requests (tracking requests +; with a "token_auth" URL parameter). +; +; Examples: +; login_whitelist_ip[] = 204.93.240.* +; login_whitelist_ip[] = 204.93.177.0/24 +; login_whitelist_ip[] = 199.27.128.0/21 +; login_whitelist_ip[] = 2001:db8::/48 + +; By default, if a whitelisted IP address is specified via "login_whitelist_ip[]", the reporting user interface as +; well as HTTP Reporting API requests will only work for these whitelisted IPs. +; Set this setting to "0" to allow HTTP Reporting API requests from any IP address. +login_whitelist_apply_to_reporting_api_requests = 1 + ; By default when user logs out they are redirected to Piwik "homepage" usually the Login form. ; Uncomment the next line to set a URL to redirect the user to after they log out of Piwik. ; login_logout_url = http://... diff --git a/config/global.php b/config/global.php index 9687047a82..00c2d116aa 100644 --- a/config/global.php +++ b/config/global.php @@ -117,6 +117,18 @@ return array( 'Piwik\EventDispatcher' => DI\object()->constructorParameter('observers', DI\get('observers.global')), + 'login.whitelist.ips' => function (ContainerInterface $c) { + /** @var Piwik\Config\ $config */ + $config = $c->get('Piwik\Config'); + $general = $config->General; + + $ips = array(); + if (!empty($general['login_whitelist_ip']) && is_array($general['login_whitelist_ip'])) { + $ips = $general['login_whitelist_ip']; + } + return $ips; + }, + 'Zend_Validate_EmailAddress' => function () { return new \Zend_Validate_EmailAddress(array( 'hostname' => new \Zend_Validate_Hostname(array( |