Restrict access to group by IP address
As an organization, I'd like to make sure only certain people can access my content.
If I use a VPN or internal network, as an extra layer of security, I would like to be able to restrict content by IP address.
This has been inspired by the exact same feature at BitBucket: https://blog.bitbucket.org/2017/02/28/big-strides-cloud-security-ip-whitelisting-required-2-step-verification-bitbucket/
Add a 'Restrict access by IP address' section to Group General Settings.
Inside this section, there will be a text field where users can specify an IP address range. The copy will be:
- Title: 'Restrict access by IP address'
- Placeholder: 'Enter IP address range'
- Help text: 'This group, including all subgroups, projects and git repositories, will only be reachable from the specified IP address range. Example: 192.168.0.0/24. Read more'
'Read more' link TBD.
This new setting will be available for all visibility levels (Public, Internal, Private)
If a group sets the restriction, all its subgroups will inherit it. The restriction will be displayed in the subgroup's settings:
The text field will show the IP range set by the parent and will be disabled. A new help text line will be added with the copy:
This restriction has been set by a parent group.
Accessing a restricted page
When users try to access a restricted page from the wrong IP address, they will get a 404 Not Found error as this is our default way of handling restricted content.
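A sketch of the check described above, added here as an illustration and not taken from GitLab's code base. The `Group` struct and the helper names are hypothetical, and it assumes that every range set on the group or any ancestor must match and that `raw_ip` is the client address as established by the server.

```ruby
require 'ipaddr'

# Hypothetical model (not GitLab's classes): a group with an optional
# parent and an optional CIDR restriction entered in its settings.
Group = Struct.new(:name, :parent, :ip_range) do
  # Ranges set on this group and every ancestor. Subgroups inherit the
  # parent's restriction, so all of them must match (assumption).
  def inherited_ip_ranges
    ranges = []
    group = self
    while group
      ranges << IPAddr.new(group.ip_range) if group.ip_range
      group = group.parent
    end
    ranges
  end
end

# Parse the client address; nil for anything unparseable.
def parse_client_ip(raw)
  return nil unless raw.is_a?(String) && !raw.empty?
  # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is compared as IPv4.
  IPAddr.new(raw).native
rescue IPAddr::Error
  nil
end

def ip_allowed?(group, raw_ip)
  ranges = group.inherited_ip_ranges
  return true if ranges.empty?          # no restriction configured
  ip = parse_client_ip(raw_ip)
  return false if ip.nil?               # fail closed on bad input
  ranges.all? { |range| range.include?(ip) }
end

# 404 rather than 403, as the proposal specifies for restricted content.
def status_for(group, raw_ip)
  ip_allowed?(group, raw_ip) ? 200 : 404
end

# Constructed sample hierarchy.
ACME   = Group.new('acme', nil, '192.168.0.0/24')
TEAM   = Group.new('acme/team', ACME, nil)
PUBLIC = Group.new('open', nil, nil)
```

Without the `native` normalisation, a dual-stack listener that reports IPv4 clients as `::ffff:a.b.c.d` would lock out users who are inside the allowed IPv4 range.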
Allow restriction of IP address on the group level in the UI and for git activity. This is to ensure this feature will work on GitLab.com as well as on self-hosted instances.
Links / references
To make sure only people from within your organisation can access particular content or code, you have the option to restrict access to groups and their underlying projects, issues, etc., by IP address. This can help ensure that particular code doesn't leave the premises, while not blocking off access to the entire instance.
Add whitelisted IP addresses to the group settings and anyone coming from a different IP address won't be able to access the restricted content.