[Koha] Restricted Page -- need advice/help

Andy Boze boze.1 at nd.edu
Sat May 4 15:52:36 NZST 2019

Hi, Eric.

Thanks, I appreciate your reply. I'll have to investigate this. We're 
hosting Koha ourselves on AWS, so I wonder whether AWS could somehow be 
obscuring the user's IP address. Well, that'll be something for next week.


On 5/3/2019 8:08 PM, Eric Phetteplace wrote:
> Hi Andy,
> We had looked into this feature for some content we wanted to host and
> provide access to on campus, but sadly I found the same issue to be the
> case: users have to authenticate to view the Restricted Page and it isn't
> truly able to filter by IP address. Our Koha instance is hosted by ByWater
> and they identified their proxy server as the root of the problem. Here's a
> rather long message from Larry Baerveldt about it:
> "I spent some time last night after hours, looking in this. The main issue
> is
> the Restricted Page functionality in Koha depends on the seeing the user's
> IP
> address, so it can make a decision whether to load the page immediately, or
> present them with the login prompt. However, for sites that are behind a
> proxy,
> the Koha server does not see the user's IP, it sees the IP of the proxy
> server.
> When a server is behind proxy, the original user's IP is preserved in the
> headers, as X-Forwarded-For. Unfortunately there is not yet support in Koha
> to
> look at the X-Forwarded-For header (although there now a Koha bug open on
> this).
> Until Koha supports the use of X-Forwarded-For, then we have limited
> solutions.
> Solution 1) Implement the IP restriction in proxy server. This works, but
> has
> the side effect that if the user is NOT in one of the allowed ranges, then
> they
> are presented with a proxy server error: "There are no servers to handle
> this
> request."
> Solution 2) Implement an Apache solution that restricts that page to view
> only
> from a set of X-Forwarded-For addresses. This should also work, but will
> have
> the side effect that if the user is NOT in one of the allowed ranges, they
> will
> get an Apache error that says that page is forbidden (Error 403).
> In either case, there does not appear to be way to maintain BOTH the
> functionality of immediate access for users in a specific IP range AND
> allowing
> users to login to view the page if they are not in that IP range.
> There is still the option of Solution 3) which is to implement the page but
> leave out the pass through for IPs, and just require everyone to login to
> view
> it.
> I'm sorry I don't have a better solution to offer, but until Koha supports
> X-Forwarded-For, these seem to be our only choices."
> If I understand correctly, if your instance is *not* behind a proxy then
> you shouldn't be encountering this problem, though, so I can't explain what
> the issue is in that case. We ultimately went with option #3 forcing
> everyone, even on-campus users, to authenticate to see our restricted
> content since none of the alternatives presented were viable.
> Best,
> ERIC PHETTEPLACE Systems Librarian (he/him)
> ephetteplace at cca.edu | o 510.594.3660
> 5212 Broadway | Oakland, CA | 94618
> :(){ :|: & };:
> On Fri, May 3, 2019 at 4:12 PM Andy Boze <boze.1 at nd.edu> wrote:
>> According to the 18.11 manual page at <
>> https://koha-community.org/manual/18.11/en/html/systempreferences.html#restricted-page
>>   >, a page can be configured so that it is accessible only to users
>> accessing it from specific IP addresses/ranges. The information isn't
>> entirely clear, but I take it to mean that the user need not be
>> authenticated to view the page as long as their machine is at a
>> designated IP address. It's also unclear whether authenticated users
>> should be able to access the restricted page unless they are at a
>> designated IP address. I'm taking it to mean that the restricted page
>> should be accessible to any authenticated user or to unauthenticated
>> users at a designated IP address
>> In testing this feature, I can access the restricted page when I am
>> authenticated. But I cannot access the restricted page if I am at a
>> designated IP address -- I am prompted to log in, and only then can I
>> access the page.
>> I'm wondering whether I'm not entering the IP address correctly. The
>> manual page isn't entirely clear on that from the examples it gives. I'm
>> assuming that I can enter a complete IP address (four octets) or several
>> IP addresses separated by commas. If I want to enter a range, it looks
>> like I just need to enter the beginning two or three octets, and maybe
>> end with a dot (.) followed by a caret (^) (or is the caret a typo and
>> meant to be a quotation mark?). Anyway, I've tried entering a complete
>> IP address and a range, but so far nothing has worked.
>> Have I missed something, or have I run into a bug?
>> The original feature request for this is at <
>> https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13485 > in
>> case that's useful.
>> Thanks for any assistance.
>> --
>> Andy Boze, Associate Librarian
>> University of Notre Dame
>> 271H Hesburgh Library
>> (574) 631-8708
>> _______________________________________________
>> Koha mailing list  http://koha-community.org
>> Koha at lists.katipo.co.nz
>> https://lists.katipo.co.nz/mailman/listinfo/koha

Andy Boze, Associate Librarian
University of Notre Dame
208A Hesburgh Library
(574) 631-8708

More information about the Koha mailing list