|
| 1 | +--- |
| 2 | +title: IP Access Control (dr_path.def) |
| 3 | +sidebar_label: IP Access Control by Database |
| 4 | +sidebar_position: 4 |
| 5 | +--- |
| 6 | + |
| 7 | +# Database IP Access Control |
| 8 | + |
| 9 | +The ABCD allows you to restrict access to specific databases based on the client's IP address. This is particularly useful for databases that contain sensitive information or resources licensed exclusively for local network use. |
| 10 | + |
| 11 | +**Script:** `inc_ip_check.php` |
| 12 | +**Configuration File:** `bases/[db]/dr_path.def` |
| 13 | + |
| 14 | +## How It Works |
| 15 | + |
| 16 | +When a user attempts to access a database (for example, through `inicio.php`), the system checks the database's directory path definition file (`dr_path.def`) for a specific security parameter called `VALID_IP`. |
| 17 | + |
| 18 | +* **Public Access:** If the `VALID_IP` parameter is not present in the file, the database is public and can be accessed from any IP address. |
| 19 | +* **Restricted Access:** If the parameter is present, the system will block access unless the user's IP matches one of the allowed addresses. |
| 20 | +* **Local Network Exemption:** By design, clients connecting from local network addresses (IPv4 `169.254.x.x` or IPv6 `fe80::`) are always allowed to access the database, bypassing the external IP check. |
| 21 | + |
| 22 | +## Configuration (`VALID_IP`) |
| 23 | + |
| 24 | +To enable this restriction, you must edit the `dr_path.def` file located in the specific database folder. |
| 25 | + |
| 26 | +**File Location:** `bases/[db]/dr_path.def` |
| 27 | + |
| 28 | +You can configure the allowed IPs using a comma-separated list or block all external access completely. |
| 29 | + |
| 30 | +### Examples of Usage |
| 31 | + |
| 32 | +**A. Allow Specific IP Addresses:** |
| 33 | +Add the IPs separated by commas. Only these external IPs (plus the local network) will be granted access. |
| 34 | +```ini |
| 35 | +VALID_IP=192.168.1.100,203.0.113.45,203.0.113.46 |
| 36 | + |
| 37 | +``` |
| 38 | + |
| 39 | +**B. Block All External Access:** |
| 40 | +If you want the database to be strictly internal and inaccessible to any external IP, use the `none` keyword. |
| 41 | + |
| 42 | +```ini |
| 43 | +VALID_IP=none |
| 44 | + |
| 45 | +``` |
| 46 | + |
| 47 | +## Technical & Security Notes |
| 48 | + |
| 49 | +* **Proxy Detection:** The script includes logic to detect the real IP address of the client even if the server is behind a proxy or load balancer. It checks headers such as `HTTP_X_FORWARDED_FOR` and `HTTP_X_REAL_IP` before falling back to `REMOTE_ADDR`. |
| 50 | +* **Enforcement:** The `inc_ip_check.php` script provides the verification logic (returning `true` or `false`). The actual blocking action (showing a warning or denying access) is enforced by the scripts that call this function, such as the search initialization scripts. |
| 51 | + |
| 52 | +--- |
| 53 | + |
| 54 | +## How to Configure via UI |
| 55 | + |
| 56 | +You do not need to edit the configuration files manually. The ABCD Central module provides a direct graphical interface to manage these permissions. |
| 57 | + |
| 58 | +**Step-by-Step:** |
| 59 | +1. Log in to the **Central Module** of ABCD. |
| 60 | +2. Select the target database from the main top-left dropdown menu. |
| 61 | +3. On the main menu, click on **Update database definitions**. |
| 62 | +4. Then, select **Advanced database settings (dr_path.def)**. |
| 63 | +5. In the form that opens, ensure you are on the **Database** tab. |
| 64 | +6. Scroll down to the bottom and locate the **Valid IP adresses** field. |
| 65 | + |
| 66 | + |
| 67 | + |
| 68 | + |
| 69 | +*(Note: Replace the image path above with the correct path where you save your screenshot).* |
| 70 | + |
| 71 | +## Configuration Options |
| 72 | + |
| 73 | +In the **Valid IP adresses** field, you can define the access rules using the following formats: |
| 74 | + |
| 75 | +* **Public Access (Default):** Leave the field **empty**. An empty value allows all client addresses to access the database. |
| 76 | +* **Specific External IPs:** Enter valid internet client IPs separated by commas (e.g., `192.168.1.100,203.0.113.45`). Only these specified external addresses will be granted access. |
| 77 | +* **Strictly Local Access:** Enter the word `None`. This blocks all external internet addresses, limiting access solely to local network addresses. |
| 78 | + |
| 79 | +:::info Local Network Exemption |
| 80 | +By design, clients connecting from Link-Local network addresses (IPv4 `169.254.x.x` or IPv6 `fe80::`) are **always allowed**, regardless of the restrictions applied in this field. |
| 81 | +::: |
| 82 | + |
| 83 | +## Technical Notes (Proxy & VPN) |
| 84 | + |
| 85 | +* **Proxy Detection:** The underlying system script (`inc_ip_check.php`) is capable of detecting the real client IP even if your ABCD server is situated behind a proxy, load balancer, or CDN. It automatically checks HTTP headers such as `HTTP_X_FORWARDED_FOR` and `HTTP_X_REAL_IP` to validate the correct origin address. |
| 86 | +* **Rejection Behavior:** If a user accesses the system from an unauthorized IP, the script flags the access as invalid, allowing the calling application (like the OPAC or Central portal) to display a warning and block the visualization of the restricted database. |
0 commit comments