Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ability to restrict user login to specific IP addresses #4577

Closed
mattab opened this issue Jan 26, 2014 · 9 comments
Closed

Ability to restrict user login to specific IP addresses #4577

mattab opened this issue Jan 26, 2014 · 9 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Milestone

Comments

@mattab
Copy link
Member

mattab commented Jan 26, 2014

For added security, it would be useful to be able to only allow particular users to login from white listed IP addresses.

  • "Restrict login to Piwik only from these IP addresses" would be a global setting that would restrict all logins to a particular IP address.
  • "Restrict a particular username to login from these IP addresses" would be a setting, per user, optional, that would restrict login by this username.
    • UI: maybe we could extend the 'User Settings' mechanism , to also let Super User edit settings for other users.

Notes:

  • When a user goes to the login form, or tries to login, and the IP is not whitelisted, display a message "Access to this Piwik server is restricted. Please contact the admin to ask them to white list your IP address. more"
    • Learn more link goes to a FAQ on Piwik.org, explaining the WhiteList feature, and also explaining "How do I disable IP whitelisting?"
    • This would help a Super User deactivate the IP white listing feature, if he is locked out.
  • UI: Ips will accept ranges, similarly to the "Ips to exclude" in the Websites settings.
@hpvd
Copy link

hpvd commented Jan 27, 2014

great idea!

Maybe we should think of a mechanism to prevent that e.g. non advanced users could lock their-selves or more worse all users for ever from their piwik installation....

this could happen

  • if they do not have a static IP (are not aware of this and put this in the restriction rule) and the next day dialling in they got a new IP-address from their provider
  • they put in the IP from somewhere where they now could not get access any-more (ex-girl, ex-employer...)

@mattab mattab added this to the 2.x - The Great Piwik 2.x Backlog milestone Jul 8, 2014
@mattab mattab removed the P: normal label Aug 3, 2014
@mattab mattab modified the milestones: Long term, Mid term Dec 5, 2016
@mattab mattab modified the milestones: Backlog (Help wanted), 3.2.1 Nov 23, 2017
@mattab
Copy link
Member Author

mattab commented Nov 30, 2017

@mattab mattab closed this as completed Nov 30, 2017
@seyfro
Copy link

seyfro commented Dec 6, 2017

Thanks for adding this useful feature. As I maintain a site where anonynmous access to dashboard is allowed, login is restricted for specific users only, it would be great if this feature could be enhanced to restrict the display of the login form only - currently this has to be done via vhost-config, which isnt the most usable way:

<LocationMatch /piwik/.*Login.*>
Order deny, allow
Allow from .....
</LocationMatch>

@seyfro
Copy link

seyfro commented Dec 11, 2017

@mattab just discovered that if login_whitelist_ip is set, WordPress backend cannot be accessed if Piwik plugin is active & features from "show statistics" tab are enabled. If you disable e.g. "Dashboard graph:", you can access the backend, the Piwik plugin settings page is still unaccessible if you have not whitelisted the IP too.

So in my opinion securing the login form only would be a better solution as this would not break the Piwik WordPress plugin for other users not whitelisted.

@mattab
Copy link
Member Author

mattab commented Dec 12, 2017

@robertharm Thanks for the feedback. Could you please create a new issue to note your various suggestions? as we'd like to follow up but this issue is closed. thanks

@RajveerSinghBrar
Copy link

please help if i want to setup my account to login from a particular IP address how its done?

@zhconsultancyservices
Copy link

ANy update on this

@sgiehl
Copy link
Member

sgiehl commented Jan 10, 2020

As mentioned above see this FAQ: https://matomo.org/faq/how-to/faq_25543/

@mddvul22
Copy link

Sorry for commenting in an old issue, but the original post mentioned the possibility of restricting a particular username to login from certain IP addresses. The FAQ doesn't mention this capability. I assume that feature was not added and that the only option for IP-based restrictions is for system-wide IP restrictions?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Projects
None yet
Development

No branches or pull requests

7 participants