zuavra / nginx-ip-whitelister

Backend for ngx_http_auth_request_module that whitelists remote IP address if a key is presented in URL.
MIT License

Allow list of ips/cidrs that are always allowed #24

Open valentijnscholten opened 8 months ago

valentijnscholten commented 8 months ago

For some use cases it's nice/needed to be able to have some IPs or CIDRs whitelisted by default without timeout.

I know this is possible to configure in nginx itself, but that would make these IPs/ranges invisible inside the nipw admin portal.

zuavra commented 8 months ago

Can you please describe the approve/deny logic that would fit your use case?

I think that adding a config header that disables the timeouts (or using very long timeouts) in combination with a "-netmask-allow" would accomplish what you mean, but let's make sure.

valentijnscholten commented 8 months ago

The use case is that there can be ip addresses or ranges that should be allowed always. For example some kind of office / company / family network that you don't want to burden with generating/distributing/rotating access keys and TOTP secrets.

But for addresses outside those ranges you want the existing behaviour of being able to whitelist ips using the token in the url.

I believe the x-nipw-netmask-allow header won't work because it will reject anything that doesn't match the provided netmasks? It could work with an x-nipw-netmask-allow-always header or something instead.

zuavra commented 8 months ago

I understand. I will look into it.
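For reference, this is the nginx-only way of doing what the issue asks for, which the reporter mentions and rejects because it keeps the fixed networks out of the nipw admin portal. It is an added example, not configuration shipped with nginx-ip-whitelister: the upstream ports, the `/_nipw` location name, the server name and the CIDRs are placeholders, and the headers forwarded to the backend are an assumption about what it expects. The relevant nginx behaviour is `satisfy any`, which lets a request through if either the `allow`/`deny` rules or the `auth_request` subrequest approves it.

```nginx
# Added example, not part of nginx-ip-whitelister.
# Assumes the nipw backend answers auth_request subrequests on 127.0.0.1:8080
# and the protected application listens on 127.0.0.1:3000 (both placeholders).
server {
    listen 443 ssl;
    server_name app.example.com;   # placeholder

    location / {
        # "any": pass if EITHER the access rules below OR the auth_request
        # subrequest allow the client. With the default "all", both would
        # have to pass and the fixed networks would gain nothing.
        satisfy any;

        # Always-allowed networks (documentation ranges used as placeholders).
        # These match on $remote_addr and never reach the backend, so they
        # do not expire and do not appear in the nipw admin portal.
        allow 192.0.2.0/24;
        allow 203.0.113.0/24;
        allow 2001:db8::/32;
        deny  all;

        # Every other client must have been whitelisted by the backend.
        auth_request /_nipw;

        proxy_pass http://127.0.0.1:3000;
    }

    location = /_nipw {
        internal;                           # not reachable from outside
        proxy_pass http://127.0.0.1:8080/;
        proxy_pass_request_body off;        # auth decision only, no body
        proxy_set_header Content-Length "";
        # Assumed: the backend reads the client address and original URI
        # from these headers.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Original-URI  $request_uri;
    }
}
```

Two caveats a practitioner should check before relying on this. `allow`/`deny` evaluate `$remote_addr`, so if nginx sits behind another proxy or a CDN, the allow list matches that proxy rather than the real client unless `set_real_ip_from`/`real_ip_header` are configured for the trusted hop. And because the matching happens entirely in nginx, nothing about these clients is logged or displayed by the whitelister, which is exactly the visibility gap the issue is asking to close.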