
Add support for allowed_ip_range for users #1846

Merged: Eugeny merged 6 commits into warp-tech:main from LarsSven:ls/allowed-ips on Apr 13, 2026

@LarsSven (Contributor) commented Apr 8, 2026

This PR adds a new property to users: allowed_ip_range. If someone tries to log into that user from outside the IP range, the login will be rejected. There are quite a few use cases for this:

  1. Companies who want to harden their security by restricting login from their on-site locations.
  2. Only allow SSH/kubectl access from the CI (so if someone manages to extract the warpgate access token from the CI, they still can't use it)
  3. A very niche use case that we need it for: Running student exams through warpgate, where students should only be logging in from the exam hall.

The main reason to have this over for example firewall-level tightening is that it can be configured per user. So for us for example we don't want students to log in outside the exam hall, but we still want to be able to get in ourselves outside the exam PCs.

I've paid special attention to making sure this works nicely with SSO too. I also tried to get the SSH session to print out a message explaining why the auth was rejected, but I didn't manage to do that, so it just says "password rejected" when the SSH session is rejected due to the IP restriction.


Closes #1545

@LarsSven (Contributor, Author) commented

One thing I've realised is that before we merge this, it should be a set of address ranges, and not a single one. That should be changed before merging so we don't have to break the API.

@LarsSven (Contributor, Author) commented

I've updated the PR to allow for a list of IP ranges, rather than a single IP range. This allows for accepting a set of IPs that cannot be covered by a single range.
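
The per-user check discussed in this thread (a list of ranges, login rejected from outside them), sketched as an added example; it is not code from this PR or from Warpgate. The names `Cidr` and `login_allowed`, the rule that an empty list means no restriction, the fail-closed handling of unparseable entries, and the sample addresses are assumptions of the example.

```rust
use std::net::IpAddr;

/// One parsed range such as "192.0.2.0/24"; addresses are held as u128 bits.
pub struct Cidr { base: u128, prefix: u8, v4: bool }

/// IPv4-mapped IPv6 (::ffff:a.b.c.d), which dual-stack listeners report for
/// IPv4 clients, is folded to IPv4 so an IPv4 range still matches it.
fn bits(ip: IpAddr) -> (u128, bool) {
    match ip {
        IpAddr::V4(a) => (u32::from(a) as u128, true),
        IpAddr::V6(a) => match a.to_ipv4_mapped() {
            Some(m) => (u32::from(m) as u128, true),
            None => (u128::from(a), false),
        },
    }
}

impl Cidr {
    pub fn parse(s: &str) -> Option<Cidr> {
        let mut parts = s.trim().splitn(2, '/');
        let (base, v4) = bits(parts.next()?.parse::<IpAddr>().ok()?);
        let width: u8 = if v4 { 32 } else { 128 };
        // A bare address is a single host; an oversized prefix is rejected.
        let prefix = match parts.next() { Some(l) => l.parse::<u8>().ok()?, None => width };
        (prefix <= width).then_some(Cidr { base, prefix, v4 })
    }
    pub fn contains(&self, ip: IpAddr) -> bool {
        let (addr, v4) = bits(ip);
        let width: u32 = if self.v4 { 32 } else { 128 };
        let mask = u128::MAX.checked_shl(width - self.prefix as u32).unwrap_or(0);
        v4 == self.v4 && (addr & mask) == (self.base & mask)
    }
}

/// Assumptions of this example: an empty list means "no restriction", and an
/// unparseable client address or range entry rejects the login (fail closed).
pub fn login_allowed(client: &str, allowed: &[&str]) -> bool {
    let Ok(ip) = client.parse::<IpAddr>() else { return false };
    let parsed: Option<Vec<Cidr>> = allowed.iter().map(|r| Cidr::parse(r)).collect();
    let Some(ranges) = parsed else { return false };
    ranges.is_empty() || ranges.iter().any(|c| c.contains(ip))
}

fn main() {
    // Constructed sample: documentation-range addresses, not taken from the PR.
    let ranges = ["192.0.2.0/24", "2001:db8:5::/48", "198.51.100.7"];
    for ip in ["192.0.2.44", "::ffff:192.0.2.44", "203.0.113.9"] {
        println!("{ip} allowed={}", login_allowed(ip, &ranges));
    }
}
```

Without the IPv4-mapped folding, an IPv4 client seen through a dual-stack socket would never match an IPv4 range and the user would be locked out.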

@Eugeny Eugeny merged commit 94b1712 into warp-tech:main Apr 13, 2026
18 of 19 checks passed
@Eugeny (Member) commented Apr 13, 2026

Thanks!

captain686 pushed a commit to captain686/warpgate that referenced this pull request May 29, 2026
Co-authored-by: Eugene <inbox@null.page>

Development

Successfully merging this pull request may close these issues.

Allowed IP range for users
