Restrict access to Anvil app to specific IP-range

Anvil Q&A
#1

Would it be possible to limit access to a specific Anvil app to clients from a specific IP-range/network?
The goal of course would be as an additional security measure.

TIA

#2

In the server module the following code:

def convert_ipv4(ip):
  return tuple(int(n) for n in ip.split('.'))

def check_ipv4_in(ip_addr, ip_start, ip_end):
  return convert_ipv4(ip_start) < convert_ipv4(ip_addr) < convert_ipv4(ip_end)

  
def reject_users_outside_valid_ipv4_range():
  
  valid_ipv4_range = ('1.1.0.0', '255.255.255.255') #this is your valid range of IP addresses
  
  if not check_ipv4_in( anvil.server.context.client.ip, *valid_ipv4_range ):
    anvil.users.logout()
    return False
  return True

then simply guard all sensitive server calls by adding the function

reject_users_outside_valid_ipv4_range()

to any or all functions inside your module code.

if you are using uplink, wrap your uplink function inside a server module function and pass through the data from your external uplink. (User data does not get passed though implicitly to the uplink unless you pass it yourself and do the same validation.)

Edit:
FYI
Further ways to secure the uplink would include a secret key passed only from your anvil server modules to your uplink, this check would render direct access from an anvil browser app form code to your uplink via a server call impossible if you wanted to restrict it by adding this secret-key check since server module code is opaque to the end user.

Even more FYI:
the country location is also available if it is something you want / want to restrict, it is available through:
anvil.server.context.client.location.country
you could do a:

if not anvil.server.context.client.location.country in ('United States', 'Latvia', 'Unknownistan', 'Elbonia', 'etc'):
  anvil.users.logout()
  return False
4 Likes
Getting user's IP address in an app
Is all Anvil client-side code de facto open source?
Access logs for media downloads
Ensuring a single login per user
#3

also… with CIDR notation and python 3:

import ipaddress

def reject_users_outside_valid_ip_cidr():
  
  valid_network = ipaddress.ip_network('192.168.0.0/23') #this is your valid range of IP addresses in CIDR notation
  
  if not ipaddress.ip_address(anvil.server.context.client.ip) in valid_network  :
    anvil.users.logout()
    return False
  return True
3 Likes
#4

I completely missed your extensive answers! Thanks!

2 Likes