Restrict access to group by IP address
Description
Documentation on the implementation
As an organization, I'd like to make sure only certain people can access my content.
If I use a VPN or internal network, as an extra layer of security, I would like to be able to restrict content by IP address.
This has been inspired by the exact same feature at BitBucket: https://blog.bitbucket.org/2017/02/28/big-strides-cloud-security-ip-whitelisting-required-2-step-verification-bitbucket/
Solution
Add a 'Restrict access by IP address' section to Group General Settings.
Inside this section, there will be a text field where users can specify an IP address range. The copy will be:
- Title: 'Restrict access by IP address'
- Placeholder: 'Enter IP address range'
- Help text: 'This group, including all subgroups, projects and git repositories, will only be reachable from the specified IP address range. Example: 192.168.0.0/24. Read more'
'Read more' link TBD.
This new setting will be available for all visibility levels (Public, Internal, Private).
Subgroups
If a group sets the restriction, all its subgroups will inherit it. The restriction will be displayed in the subgroup's settings:
The text field will show the IP range set by the parent and will be disabled. A new help text line will be added with the copy:
This restriction has been set by a parent group.
Accessing a restricted page
When users try to access a restricted page from the wrong IP address, they will get a 404 Not Found error as this is our default way of handling restricted content.
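The rules above (a range set on a group, inherited by its subgroups, 404 on a mismatch) sketched in Ruby as an added example; this is not GitLab's implementation. The `Group` struct, the method names, the sample addresses and the fail-closed handling of unparsable values are assumptions.

```ruby
require 'ipaddr'

# Hypothetical stand-in for a group record (not GitLab's model).
# ip_range is the raw text of the settings field, nil when unset.
Group = Struct.new(:name, :parent, :ip_range)

# Returns an IPAddr, or nil when the text is not a valid address or CIDR range.
def parse_ip_range(text)
  text = text.to_s.strip
  text.empty? ? nil : IPAddr.new(text)
rescue IPAddr::Error
  nil
end

# The group and its ancestors that have a restriction set.
def restricting_groups(group)
  chain = []
  while group
    chain << group unless group.ip_range.to_s.strip.empty?
    group = group.parent
  end
  chain
end

# True when a parent set the restriction, so the subgroup's field is disabled.
def restriction_inherited?(group)
  restricting_groups(group).any? { |g| !g.equal?(group) }
end

# HTTP status for a request to any page under the group.
# Assumption: every range on the chain must match, and an unparsable stored
# range or client address fails closed.
def status_for(group, client_ip)
  client = parse_ip_range(client_ip)
  allowed = restricting_groups(group).all? do |g|
    range = parse_ip_range(g.ip_range)
    client && range && range.include?(client)
  end
  allowed ? 200 : 404
end

# Constructed sample data: a parent group with the page's example range.
acme = Group.new('acme', nil, '192.168.0.0/24')
team = Group.new('team', acme, nil)
puts status_for(team, '192.168.0.42')  # inside the inherited range
puts status_for(team, '203.0.113.9')   # outside the range
```

The same check would have to run on git traffic as well as web requests, since the help text covers git repositories too.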
Original proposal
Allow restriction of IP address on the group level in the UI and for git activity. This is to ensure this feature will work on GitLab.com as well as on self-hosted instances.
Links / references
Documentation blurb
To make sure only people from within your organisation can access particular content or code, you have the option to restrict access to groups and their underlying projects, issues, etc., by IP address. This can help ensure that particular code doesn't leave the premises, while not blocking off access to the entire instance.
Add whitelisted IP addresses to the group settings and anyone coming from a different IP address won't be able to access the restricted content.