Hi Andy,

We had looked into this feature for some content we wanted to host and provide access to on campus, but sadly I found the same issue to be the case: users have to authenticate to view the Restricted Page and it isn't truly able to filter by IP address. Our Koha instance is hosted by ByWater and they identified their proxy server as the root of the problem. Here's a rather long message from Larry Baerveldt about it:

"I spent some time last night after hours, looking in this. The main issue is the Restricted Page functionality in Koha depends on seeing the user's IP address, so it can make a decision whether to load the page immediately, or present them with the login prompt. However, for sites that are behind a proxy, the Koha server does not see the user's IP, it sees the IP of the proxy server. When a server is behind a proxy, the original user's IP is preserved in the HTTP headers, as X-Forwarded-For. Unfortunately there is not yet support in Koha to look at the X-Forwarded-For header (although there is now a Koha bug open on this). Until Koha supports the use of X-Forwarded-For, then we have limited solutions.

Solution 1) Implement the IP restriction in the proxy server. This works, but has the side effect that if the user is NOT in one of the allowed ranges, then they are presented with a proxy server error: "There are no servers to handle this request."

Solution 2) Implement an Apache solution that restricts that page to view only from a set of X-Forwarded-For addresses. This should also work, but will have the side effect that if the user is NOT in one of the allowed ranges, they will get an Apache error that says that page is forbidden (Error 403).

In either case, there does not appear to be a way to maintain BOTH the functionality of immediate access for users in a specific IP range AND allowing users to login to view the page if they are not in that IP range.

There is still the option of Solution 3) which is to implement the page but leave out the pass through for IPs, and just require everyone to login to view it. I'm sorry I don't have a better solution to offer, but until Koha supports X-Forwarded-For, these seem to be our only choices."

If I understand correctly, if your instance is *not* behind a proxy then you shouldn't be encountering this problem, though, so I can't explain what the issue is in that case. We ultimately went with option #3 forcing everyone, even on-campus users, to authenticate to see our restricted content since none of the alternatives presented were viable.

Best,

ERIC PHETTEPLACE
Systems Librarian (he/him)
ephetteplace@cca.edu | o 510.594.3660
5212 Broadway | Oakland, CA | 94618
:(){ :|: & };:

On Fri, May 3, 2019 at 4:12 PM Andy Boze <boze.1@nd.edu> wrote:

According to the 18.11 manual page at <https://koha-community.org/manual/18.11/en/html/systempreferences.html#restr...>, a page can be configured so that it is accessible only to users accessing it from specific IP addresses/ranges. The information isn't entirely clear, but I take it to mean that the user need not be authenticated to view the page as long as their machine is at a designated IP address. It's also unclear whether authenticated users should be able to access the restricted page unless they are at a designated IP address. I'm taking it to mean that the restricted page should be accessible to any authenticated user or to unauthenticated users at a designated IP address.
In testing this feature, I can access the restricted page when I am authenticated. But I cannot access the restricted page if I am at a designated IP address -- I am prompted to log in, and only then can I access the page.
I'm wondering whether I'm not entering the IP address correctly. The manual page isn't entirely clear on that from the examples it gives. I'm assuming that I can enter a complete IP address (four octets) or several IP addresses separated by commas. If I want to enter a range, it looks like I just need to enter the beginning two or three octets, and maybe end with a dot (.) followed by a caret (^) (or is the caret a typo and meant to be a quotation mark?). Anyway, I've tried entering a complete IP address and a range, but so far nothing has worked.
Have I missed something, or have I run into a bug?
The original feature request for this is at < https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13485 > in case that's useful.
Thanks for any assistance.
--
Andy Boze, Associate Librarian
University of Notre Dame
271H Hesburgh Library
(574) 631-8708
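
The decision described in the forwarded message (show the page to allowed addresses, show the login prompt to everyone else) with X-Forwarded-For taken into account, as an added Python example that is not Koha code and not part of the original thread. The proxy address, the allowed range and all function names are constructed for illustration, and ranges are written as CIDR, which is an assumption and not necessarily the format Koha's preference uses.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
TRUSTED_PROXIES = ["10.0.0.5/32"]   # the reverse proxy in front of the OPAC
ALLOWED_RANGES = ["192.0.2.0/24"]   # "on campus" addresses


def _in_any(addr, cidrs):
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def client_ip(peer_ip, xff_header, trusted_proxies):
    """Address to base the decision on, or None if the header is unusable.

    X-Forwarded-For is honoured only when the TCP peer is a known proxy;
    otherwise any client could send the header and claim an allowed address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not xff_header or not _in_any(peer, trusted_proxies):
        return peer
    # Walk right to left: the rightmost hops were appended by our own
    # proxies, anything further left was supplied by the client.
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None  # malformed header: fail closed
        if not _in_any(addr, trusted_proxies):
            return addr
    return peer


def restricted_page_action(peer_ip, xff_header,
                           trusted_proxies=TRUSTED_PROXIES,
                           allowed_ranges=ALLOWED_RANGES):
    """Return 'show' for an allowed address, 'login' for everyone else."""
    addr = client_ip(peer_ip, xff_header, trusted_proxies)
    if addr is not None and _in_any(addr, allowed_ranges):
        return "show"
    return "login"


if __name__ == "__main__":
    print(restricted_page_action("10.0.0.5", None))          # header ignored or absent
    print(restricted_page_action("10.0.0.5", "192.0.2.44"))  # on-campus user via proxy
```

With no header handling the application only ever sees the proxy at 10.0.0.5, which is the behaviour reported in this thread; unlike the proxy-level and Apache-level restrictions, the fall-through here is a login prompt instead of an error page.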