<h1 class="title">IP level access restriction</h1> <p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-tools/tree/10.0/auth_ip_access"><img alt="OCA/server-tools" src="https://img.shields.io/badge/github-OCA%2Fserver--tools-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-tools-10-0/server-tools-10-0-auth_ip_access"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/149/10.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p> <p>This module allows you to restrict who is allowed to login to Odoo based on the remote IP address. The restriction is applied upon login, and on RPC calls. Note: valid web sessions are not impacted, and access to the public website can not be restricted using this module.</p> <p>When a login is rejected because of a missing IP access rule, a warning is logged in the application log but no specific information is provided to the user that is trying to log on. Instead, a generic access denied error is generated (which is rendered in the web client as 'Wrong login/password'.</p> <p><strong>Table of contents</strong></p> <div class="contents local topic" id="contents"> <ul class="simple"> <li><a class="reference internal" href="#installation" id="id1">Installation</a></li> <li><a class="reference internal" href="#configuration" id="id2">Configuration</a></li> <li><a class="reference internal" href="#bug-tracker" id="id3">Bug Tracker</a></li> <li><a class="reference internal" href="#credits" id="id4">Credits</a><ul> <li><a class="reference internal" href="#authors" id="id5">Authors</a></li> <li><a class="reference internal" href="#contributors" id="id6">Contributors</a></li> <li><a class="reference internal" href="#other-credits" id="id7">Other credits</a></li> <li><a class="reference internal" href="#maintainers" id="id8">Maintainers</a></li> </ul> </li> </ul> </div> <a name="installation"></a> <h2><a class="toc-backref" href="#id1">Installation</a></h2> <p>Please make the python library py2-ipaddress available in the environment in which you run Odoo before installing this module.</p> <a name="configuration"></a> <h2><a class="toc-backref" href="#id2">Configuration</a></h2> <p>Go to menu <em>Settings -&gt; Technical -&gt; Security -&gt; IP Access Rules</em> to create access rules for the group whose access you want to limit. If no rules exist for the groups of a user, it is not restricted to login from anywhere.</p> <p>Each rule allows you to allow access for a specific group, or user, from IP address or an IP network (using a netmask, e.g. 192.168.0.1/24).</p> <p>Rules can be configured for a group, or for a user but not for both at the same time. If neither group or user is configured, the rule is applied globally.</p> <p>A special case is where you allow logins from <em>any</em> private network (e.g. networks in the 192.168.x.x or the 10.x.x.x ranges). You can create such a rule by ticking the <em>private</em> checkbox on the rule.</p> <p>If you accidentally lock yourself out you can regain access by accessing your Odoo database through SQL and execute the following command.</p> <pre> <code lang="SQL">UPDATE ip_access_rule SET active = FALSE;</code> </pre> <p>You will need to restart Odoo to clear the IP access cache. This will lift all IP access restrictions.</p> <p>Note: if you run Odoo behind a proxy (and you should, because where do you get your SSL encryption from?), you need to set <em>proxy_mode = True</em> in the Odoo configuration file to ensure that the remote address is properly propaged to Odoo and is not set to the IP address of the proxy server. A setup like this is dependent on the proxy server setting the correct remote address in the <em>X-Forwarded-For</em> header.</p> <a name="bug-tracker"></a> <h2><a class="toc-backref" href="#id3">Bug Tracker</a></h2> <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-tools/issues">GitHub Issues</a>. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us smashing it by providing a detailed and welcomed <a class="reference external" href="https://github.com/OCA/server-tools/issues/new?body=module:%20auth_ip_access%0Aversion:%2010.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p> <p>Do not contact contributors directly about support or help with technical issues.</p> <a name="credits"></a> <h2><a class="toc-backref" href="#id4">Credits</a></h2> <a name="authors"></a> <h3><a class="toc-backref" href="#id5">Authors</a></h3> <ul class="simple"> <li>Opener B.V.</li> </ul> <a name="contributors"></a> <h3><a class="toc-backref" href="#id6">Contributors</a></h3> <ul class="simple"> <li>Stefan Rijnhart &lt;<a class="reference external" href="mailto:stefan&#64;opener.amsterdam">stefan&#64;opener.amsterdam</a>&gt;</li> </ul> <a name="other-credits"></a> <h3><a class="toc-backref" href="#id7">Other credits</a></h3> <ul class="simple"> <li>Some technical guidance was aquired from the module 'auth_brute_force' in this repository. A big thanks to the author of that module, Sylvan Le Gal and its subsequent contributors, especially Jairo Llopis for his work on making the remote address available at all times.</li> <li>The heavy lifting of this module is done by <a class="reference external" href="https://pypi.org/project/py2-ipaddress/">https://pypi.org/project/py2-ipaddress/</a>.</li> </ul> <a name="maintainers"></a> <h3><a class="toc-backref" href="#id8">Maintainers</a></h3> <p>This module is maintained by the OCA.</p> <a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a> <p>OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.</p> <p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-tools/tree/10.0/auth_ip_access">OCA/server-tools</a> project on GitHub.</p> <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>