How to Restrict FusionAuth Admin Panel Access by IP Address
Is it possible to restrict which source IPs can access our FusionAuth admin panel (https://company-sso.fusionauth.io/admin/)? I noticed the Settings > IP Access Control section in the admin panel and was wondering if we can use it to whitelist our office IPs. We recently noticed a suspicious user account created from an IP address in another country, which raised concerns about who can log in and from where.
Here’s how you can approach securing access to your FusionAuth instance:

- IP Access Control Lists (ACL):
  You can define IP Access Control Lists in FusionAuth by navigating to Settings > IP Access Control in the Admin UI.
  - Click the + icon to create a new ACL list.
  - Add entries for each IP address or range you want to allow or block.
  - Assign these ACLs to specific tenants or API keys as needed.
  - Important Note:
    IP ACLs restrict access to endpoints like /oauth2/, /account/, /email/, /password/, /registration/, and other user-accessible pages. However, they do not restrict access to the FusionAuth Admin UI unless the Admin UI is accessed via SSO.
    Documentation: IP ACL API Overview

- Secure the Admin UI:
  Since IP ACLs do not directly secure the Admin UI, consider the following options:
  - Use a Trusted Proxy:
    Place a trusted proxy at the edge of your network to filter incoming traffic before it reaches FusionAuth. The proxy can enforce IP-based restrictions or other security rules. In FusionAuth, configure your proxy under System > Networking, where you can specify the proxy’s IP address. If a request doesn’t go through the trusted proxy, FusionAuth will deny access.
    Documentation: FusionAuth Networking
  - Login Lambda for Additional Validation:
    Implement a Login Lambda to validate login attempts further. This Lambda allows you to execute custom code during login, such as checking the origin IP or other request details to block unauthorized attempts.
    Documentation: Login Lambdas

- Recommended Next Steps:
  - Configure IP ACLs for your tenants and API keys to secure application-level access.
  - Implement a trusted proxy to filter admin panel access based on source IP.
  - Use a Login Lambda for additional request-level security, if needed.

By combining these approaches, you can enhance the security of your FusionAuth deployment and mitigate unauthorized access.
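As an added illustration of the trusted-proxy option above (example configuration, not from the original answer or the FusionAuth project): an nginx reverse proxy that allows only listed source ranges to reach the /admin/ path while leaving the user-facing endpoints open, and forwards the real client address so FusionAuth's own IP ACLs can act on it. It assumes a self-hosted or proxy-fronted FusionAuth listening on localhost:9011 (the default port) and uses placeholder office ranges that you would replace with your own.

```nginx
# Assumed: FusionAuth runs behind this proxy on its default port 9011.
upstream fusionauth {
    server 127.0.0.1:9011;
}

server {
    listen 443 ssl;
    server_name company-sso.example.com;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted; set per your environment.

    # Admin UI: only the listed source ranges are allowed; all others get 403
    # at the edge and never reach FusionAuth.
    location /admin/ {
        allow 203.0.113.0/24;   # placeholder: office range
        allow 198.51.100.10;    # placeholder: VPN egress address
        deny  all;

        proxy_pass http://fusionauth;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
    }

    # Everything else (OAuth, account, registration pages) stays reachable.
    # Because the client address is forwarded in X-Forwarded-For, FusionAuth's
    # IP ACLs evaluate the real source IP once this proxy's address is
    # registered as a trusted proxy under System > Networking.
    location / {
        proxy_pass http://fusionauth;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
    }
}
```

Verify the rule from an address outside the allowed ranges: a request to /admin/ should return 403 from nginx, while /oauth2/ paths still answer normally.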