<h1 class="title">IP level access restriction</h1>
<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-tools/tree/10.0/auth_ip_access"><img alt="OCA/server-tools" src="https://img.shields.io/badge/github-OCA%2Fserver--tools-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-tools-10-0/server-tools-10-0-auth_ip_access"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/149/10.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
<p>This module allows you to restrict who is allowed to log in to Odoo based on
the remote IP address. The restriction is applied upon login, and on RPC
calls. Note: valid web sessions are not impacted, and access to the public
website cannot be restricted using this module.</p>
<p>When a login is rejected because of a missing IP access rule, a warning is
logged in the application log but no specific information is provided to the
user who is trying to log on. Instead, a generic access denied error is
generated (which is rendered in the web client as 'Wrong login/password').</p>
<p><strong>Table of contents</strong></p>
<div class="contents local topic" id="contents">
<ul class="simple">
<li><a class="reference internal" href="#installation" id="id1">Installation</a></li>
<li><a class="reference internal" href="#configuration" id="id2">Configuration</a></li>
<li><a class="reference internal" href="#bug-tracker" id="id3">Bug Tracker</a></li>
<li><a class="reference internal" href="#credits" id="id4">Credits</a><ul>
<li><a class="reference internal" href="#authors" id="id5">Authors</a></li>
<li><a class="reference internal" href="#contributors" id="id6">Contributors</a></li>
<li><a class="reference internal" href="#other-credits" id="id7">Other credits</a></li>
<li><a class="reference internal" href="#maintainers" id="id8">Maintainers</a></li>
</ul>
</li>
</ul>
</div>
<a name="installation"></a>
<h2><a class="toc-backref" href="#id1">Installation</a></h2>
<p>Please make the python library py2-ipaddress available in the environment in which you run Odoo before installing this module.</p>
<a name="configuration"></a>
<h2><a class="toc-backref" href="#id2">Configuration</a></h2>
<p>Go to menu <em>Settings -> Technical -> Security -> IP Access Rules</em> to create
access rules for the group whose access you want to limit. If no rules exist
for the groups of a user, that user is not restricted and can log in from anywhere.</p>
<p>Each rule grants access for a specific group, or user, from an IP
address or an IP network (using a netmask, e.g. 192.168.0.1/24).</p>
<p>Rules can be configured for a group, or for a user, but not for both at the
same time. If neither group nor user is configured, the rule is applied
globally.</p>
<p>A special case is where you allow logins from <em>any</em> private network (e.g.
networks in the 192.168.x.x or the 10.x.x.x ranges). You can create such a
rule by ticking the <em>private</em> checkbox on the rule.</p>
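<p>The rule semantics described above, modelled as an added example (this is not the module's own code). The <code>Rule</code> tuple, the function names and the sample rules are assumptions made for illustration; it uses the Python 3 standard-library <code>ipaddress</code> module, which py2-ipaddress backports.</p>

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Hypothetical rule shape for this sketch; not the module's actual model.
Rule = namedtuple("Rule", "network private user group")

# Constructed sample rules.
RULES = [
    # Group rule using the netmask notation from the text above.
    Rule(network="192.168.0.1/24", private=False, user=None, group="accounting"),
    # User rule with the "private" checkbox ticked.
    Rule(network=None, private=True, user="admin", group=None),
]


def rule_matches(rule, addr):
    """Return True when addr is covered by the rule."""
    # Assumption: "private" is modelled with is_private, which also covers
    # loopback and link-local ranges, not only 192.168.x.x and 10.x.x.x.
    if rule.private and addr.is_private:
        return True
    if rule.network:
        # strict=False accepts a network written with host bits set,
        # so 192.168.0.1/24 is read as 192.168.0.0/24 instead of raising.
        return addr in ip_network(rule.network, strict=False)
    return False


def login_allowed(rules, user, groups, remote_addr):
    """Decide a login for `user` (member of `groups`) from `remote_addr`."""
    addr = ip_address(remote_addr)
    applicable = [
        r for r in rules
        if (r.user is None and r.group is None)  # global rule
        or r.user == user                         # rule for this user
        or r.group in groups                      # rule for one of the groups
    ]
    if not applicable:
        # No rule applies to this user: not restricted.
        return True
    return any(rule_matches(r, addr) for r in applicable)
```

<p>In this model a user with no applicable rule is unrestricted, so a single global rule changes the outcome for every user at once.</p>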
<p>If you accidentally lock yourself out, you can regain access by connecting to
your Odoo database through SQL and executing the following command.</p>
<pre>
<code lang="SQL">UPDATE ip_access_rule SET active = FALSE;</code>
</pre>
<p>You will need to restart Odoo to clear the IP access cache. This will lift all IP access restrictions.</p>
<p>Note: if you run Odoo behind a proxy (and you should, because where do you get your
SSL encryption from?), you need to set <em>proxy_mode = True</em> in the Odoo
configuration file to ensure that the remote address is properly propagated to
Odoo and is not set to the IP address of the proxy server. A setup like this
depends on the proxy server setting the correct remote address in the
<em>X-Forwarded-For</em> header.</p>
<a name="bug-tracker"></a>
<h2><a class="toc-backref" href="#id3">Bug Tracker</a></h2>
<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-tools/issues">GitHub Issues</a>.
In case of trouble, please check there if your issue has already been reported.
If you spotted it first, help us smash it by providing detailed and welcome
<a class="reference external" href="https://github.com/OCA/server-tools/issues/new?body=module:%20auth_ip_access%0Aversion:%2010.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
<p>Do not contact contributors directly about support or help with technical issues.</p>
<a name="credits"></a>
<h2><a class="toc-backref" href="#id4">Credits</a></h2>
<a name="authors"></a>
<h3><a class="toc-backref" href="#id5">Authors</a></h3>
<ul class="simple">
<li>Opener B.V.</li>
</ul>
<a name="contributors"></a>
<h3><a class="toc-backref" href="#id6">Contributors</a></h3>
<ul class="simple">
<li>Stefan Rijnhart &lt;<a class="reference external" href="mailto:stefan@opener.amsterdam">stefan@opener.amsterdam</a>&gt;</li>
</ul>
<a name="other-credits"></a>
<h3><a class="toc-backref" href="#id7">Other credits</a></h3>
<ul class="simple">
<li>Some technical guidance was acquired from the module 'auth_brute_force' in
this repository. A big thanks to the author of that module, Sylvain Le Gal,
and its subsequent contributors, especially Jairo Llopis for his work on
making the remote address available at all times.</li>
<li>The heavy lifting of this module is done by <a class="reference external" href="https://pypi.org/project/py2-ipaddress/">https://pypi.org/project/py2-ipaddress/</a>.</li>
</ul>
<a name="maintainers"></a>
<h3><a class="toc-backref" href="#id8">Maintainers</a></h3>
<p>This module is maintained by the OCA.</p>
<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
<p>OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.</p>
<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-tools/tree/10.0/auth_ip_access">OCA/server-tools</a> project on GitHub.</p>
<p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>