[Koha] Restricted Page -- need advice/help

Eric Phetteplace ephetteplace at cca.edu
Sat May 4 12:08:25 NZST 2019


Hi Andy,

We had looked into this feature for some content we wanted to host and
provide access to on campus, but sadly I found the same issue to be the
case: users have to authenticate to view the Restricted Page and it isn't
truly able to filter by IP address. Our Koha instance is hosted by ByWater
and they identified their proxy server as the root of the problem. Here's a
rather long message from Larry Baerveldt about it:

"I spent some time last night after hours, looking into this. The main issue
is the Restricted Page functionality in Koha depends on seeing the user's IP
address, so it can make a decision whether to load the page immediately, or
present them with the login prompt. However, for sites that are behind a
proxy, the Koha server does not see the user's IP, it sees the IP of the
proxy server.

When a server is behind a proxy, the original user's IP is preserved in the
HTTP headers, as X-Forwarded-For. Unfortunately there is not yet support in
Koha to look at the X-Forwarded-For header (although there is now a Koha bug
open on this).

Until Koha supports the use of X-Forwarded-For, then we have limited
solutions.

Solution 1) Implement the IP restriction in the proxy server. This works, but
has the side effect that if the user is NOT in one of the allowed ranges,
then they are presented with a proxy server error: "There are no servers to
handle this request."

Solution 2) Implement an Apache solution that restricts that page to view
only from a set of X-Forwarded-For addresses. This should also work, but will
have the side effect that if the user is NOT in one of the allowed ranges,
they will get an Apache error that says that page is forbidden (Error 403).

In either case, there does not appear to be a way to maintain BOTH the
functionality of immediate access for users in a specific IP range AND
allowing users to login to view the page if they are not in that IP range.

There is still the option of Solution 3) which is to implement the page but
leave out the pass through for IPs, and just require everyone to login to
view it.

I'm sorry I don't have a better solution to offer, but until Koha supports
X-Forwarded-For, these seem to be our only choices."

If I understand correctly, if your instance is *not* behind a proxy then
you shouldn't be encountering this problem, though, so I can't explain what
the issue is in that case. We ultimately went with option #3 forcing
everyone, even on-campus users, to authenticate to see our restricted
content since none of the alternatives presented were viable.

Best,

ERIC PHETTEPLACE Systems Librarian (he/him)

ephetteplace at cca.edu | o 510.594.3660

5212 Broadway | Oakland, CA | 94618

:(){ :|: & };:


On Fri, May 3, 2019 at 4:12 PM Andy Boze <boze.1 at nd.edu> wrote:

> According to the 18.11 manual page at
> <https://koha-community.org/manual/18.11/en/html/systempreferences.html#restricted-page>,
> a page can be configured so that it is accessible only to users
> accessing it from specific IP addresses/ranges. The information isn't
> entirely clear, but I take it to mean that the user need not be
> authenticated to view the page as long as their machine is at a
> designated IP address. It's also unclear whether authenticated users
> should be able to access the restricted page unless they are at a
> designated IP address. I'm taking it to mean that the restricted page
> should be accessible to any authenticated user or to unauthenticated
> users at a designated IP address.
>
> In testing this feature, I can access the restricted page when I am
> authenticated. But I cannot access the restricted page if I am at a
> designated IP address -- I am prompted to log in, and only then can I
> access the page.
>
> I'm wondering whether I'm not entering the IP address correctly. The
> manual page isn't entirely clear on that from the examples it gives. I'm
> assuming that I can enter a complete IP address (four octets) or several
> IP addresses separated by commas. If I want to enter a range, it looks
> like I just need to enter the beginning two or three octets, and maybe
> end with a dot (.) followed by a caret (^) (or is the caret a typo and
> meant to be a quotation mark?). Anyway, I've tried entering a complete
> IP address and a range, but so far nothing has worked.
>
> Have I missed something, or have I run into a bug?
>
> The original feature request for this is at
> <https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13485> in
> case that's useful.
>
> Thanks for any assistance.
>
> --
> Andy Boze, Associate Librarian
> University of Notre Dame
> 271H Hesburgh Library
> (574) 631-8708
>
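
An added example, not part of the original messages and not Koha's or ByWater's code: one way an application behind a proxy can take the client address from X-Forwarded-For and still offer both behaviours the message above describes (immediate access from listed ranges, login prompt otherwise). The function names, the CIDR notation for ranges, and every address below are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation/private ranges), not from the thread.
TRUSTED_PROXIES = ["10.0.0.5/32"]   # the reverse proxy in front of the application
LOCAL_RANGES = ["192.0.2.0/24"]     # "on campus" addresses allowed without login


def _in_any(ip, networks):
    """True if ip falls inside any of the given CIDR networks."""
    return any(ip in ipaddress.ip_network(n) for n in networks)


def client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the address to base the access decision on, or None.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy.
    The chain is walked right to left, skipping trusted hops, so an entry
    the client placed in the header itself is never believed.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not xff_header or not _in_any(peer, trusted_proxies):
        return peer  # no proxy involved, or header not trustworthy
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed chain: fail closed
        if not _in_any(addr, trusted_proxies):
            return addr  # first hop not under our control
    return peer  # every hop was one of our proxies


def restricted_page_action(peer_ip, xff_header,
                           trusted_proxies=TRUSTED_PROXIES,
                           local_ranges=LOCAL_RANGES):
    """'show_page' for listed ranges, otherwise 'login_prompt' (never a 403)."""
    ip = client_ip(peer_ip, xff_header, trusted_proxies)
    if ip is not None and _in_any(ip, local_ranges):
        return "show_page"
    return "login_prompt"


if __name__ == "__main__":
    print(restricted_page_action("10.0.0.5", "192.0.2.44"))
    print(restricted_page_action("10.0.0.5", None))
```

With no header (the second call) the application sees only the proxy address, which is the situation described in the thread, and the result is the login prompt.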

