Restrict Access to ERPNext website based on device

Hi Everyone,
The company I work with wishes to deploy ERPNext, but as part of the requirements we would require that the site be accessible only from selected devices; that is, we would prefer the site to be accessible only to devices resident in any of our stores/offices and some selected mobile devices.
I have considered the following ideas:

  1. The use of IP addresses: This involves setting Nginx to restrict access to certain IPs, but given that their internet service provider does not operate using a static IP address, the IP address can be changed at any point, which will entail frequent modification of Nginx settings.

  2. Using MAC addresses: This way only MAC addresses from trusted devices are allowed to access the site, but since ERPNext is mainly browser-based, we would have to force each device to transmit its MAC address and block all unrecognized MAC addresses. I am not entirely sure if Nginx supports MAC address filtering, but nonetheless this is a less reliable technique given that MAC addresses can be spoofed.

Has anyone implemented this sort of structure previously?
Any ideas or suggestions would be greatly appreciated.

I’m not sure a MAC address is accessible from the browser though.

You can “allow” IP addresses in nginx and perhaps restrict or redirect others…

At the server level, you can use iptables or a firewall to filter MAC addresses:

https://www.cyberciti.biz/tips/iptables-mac-address-filtering.html

For future reference (drop all except allowed MAC):
sudo iptables -A INPUT -p tcp --dport 443 -m mac ! --mac-source YOUR-MAC-ADDRESS-HERE -j DROP

This is to control access within a LAN/WAN but MAC addresses cannot be transmitted by browsers.

Yes, the browser does not transmit the MAC, but communication at the interface level sees it. So if restricting to a LAN, an IP range can be specified for “allow” within nginx. And/or MAC filtering can be deployed on the ERPNext server’s iptables.

Hmm… I am not so sure this would be easy to implement across several brick and mortar locations. If there were say 5 stores and 2 regional offices, this kind of filtering could be quite difficult to setup and maintain.

Just my thoughts…

BKM

My thoughts as well. VPN use would allow intranet IP addresses for all locations? Of course MAC filtering at the server level would complicate things if running a multi-tenant setup, as the permitted MAC address would have access to all sites on the server… ?

For the stores/offices, I feel the easiest solution is modifying your ERPNext web server’s firewall. Only allow inbound HTTP traffic from certain IP subnets. As mentioned above, modifying iptables directly will give you fantastic control. But there’s a learning curve, if you’ve never worked with it.

Certain Linux distributions (Ubuntu?) ship with ufw (Uncomplicated Firewall), which is a wrapper for iptables. Some people find ufw easier to use and modify.

I’ve never tried MAC address filtering with iptables and ERPNext. Adding that to my “To Try” list.

VPN would work too. Although I wonder if it would cause headaches with non-ERPNext websites and IP addresses, because of routing/DNS/etc.

Thanks Brian,

But what about scenarios where several machines - only one of which you would want to allow - possess the same IP?

Re MAC address filtering: if browser/http(s) don’t transmit MAC addresses, how can we filter based on them?

As an example, let’s assume our ERPNext server is in the cloud. It’s in a “production configuration”, so Nginx is configured and enabled.

First, you configure the server’s firewall so the Default action is to drop all inbound HTTP connections. This ensures that no device, anywhere, can communicate with the server using TCP 80 or 443.

Each of those physical locations (office, brick & mortar stores) should have only a few public, static IP addresses. The devices behind them on the LAN will have unknown IPs, on private network subnets. However, the gateway router will use NAT and modify the packets. The outside world will just see the public, static IP.

You modify your ERPNext server’s firewall, and allow inbound TCP 80/443 from only those few IPs. This solves Part 1 of the OP’s question, where he wants to restrict connections to certain stores/locations. Any device on the office LAN could access the ERPNext web server, regardless of machine IP, browser make or model.

In theory, you could use the same solution for mobile devices. Instead of safelisting IPs, you safelist MAC Addresses. It’s not perfect. MAC addresses can be spoofed. But it should work. I say “should” only because I haven’t personally tested this with ERPNext.

Nothing above requires modifying ERPNext, Nginx, browsers, etc. It’s all done in Linux firewalls.

That solves the OP’s question:

But if you don’t care about a device’s location? An interesting alternative is modifying ERPNext’s authentication routines so that instead of Username + Password, it authenticates differently, perhaps with public+private keys. In that scenario, the device can communicate over any network, provided it possesses the correct key files.

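A concrete form of the firewall allowlist described in this answer, as an added example that is not from the thread or from ERPNext: a POSIX shell script that prints (dry run) the iptables commands for default-drop on TCP 80/443 with ACCEPT only for the listed store/office public IPs. The sample addresses are constructed placeholders and the chain name ERPNEXT_WEB is my choice.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the iptables commands that
# implement "drop all inbound HTTP/HTTPS except from the store/office IPs".
# Review the output, then run it as root to apply.
ALLOWED_SOURCES="203.0.113.10 198.51.100.0/29"   # constructed placeholder public IPs

# Emit the rules for a space-separated list of source IPs/subnets.
# Order matters: ACCEPT rules must come before the final DROP.
erp_allowlist_rules() {
    srcs="$1"
    # dedicated chain so the rules can be flushed/reloaded without touching INPUT
    echo "iptables -N ERPNEXT_WEB 2>/dev/null || iptables -F ERPNEXT_WEB"
    # send web traffic to the chain; -C avoids a duplicate jump on re-run
    echo "iptables -C INPUT -p tcp -m multiport --dports 80,443 -j ERPNEXT_WEB 2>/dev/null || iptables -I INPUT -p tcp -m multiport --dports 80,443 -j ERPNEXT_WEB"
    # keep packets of already-accepted sessions flowing
    echo "iptables -A ERPNEXT_WEB -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for s in $srcs; do
        echo "iptables -A ERPNEXT_WEB -s $s -j ACCEPT"
    done
    # Note: '-m mac --mac-source' only matches the Ethernet frame of the last hop,
    # so on a cloud server it sees the upstream router's MAC, never a remote phone's.
    # It is only meaningful when the server and device share a LAN segment.
    # rate-limited log of drops: a store whose ISP changed its IP shows up here
    echo "iptables -A ERPNEXT_WEB -m limit --limit 5/min -j LOG --log-prefix \"ERPNEXT_WEB drop: \""
    echo "iptables -A ERPNEXT_WEB -j DROP"
}

# Number of ACCEPT rules generated for a source list (conntrack rule + one per source).
erp_accept_count() {
    erp_allowlist_rules "$1" | grep -c -- '-j ACCEPT$'
}

erp_allowlist_rules "$ALLOWED_SOURCES"
```
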
I do not believe this is the normal case. Most businesses I setup with ERPNext are using it from a cloud VPS server and their public IP address is not static. It changes on some schedule just like your home internet service and almost always changes if the power to the modem is lost for even a brief period. Static IP addresses for these sites usually adds another $70 to $100 to the monthly bill. Out of the last 5 systems I started up, only one opted for a static IP address and then dropped it several months later when it was deemed not a necessity.

In really big organizations, static IPs are common, but that is not usually the target audience for ERPNext, so I don’t think it is all that common.

Anyone else agree or disagree? It might be interesting to see how this works in other regions since I am limited to my small part of the country.

BKM

Great point. I’ve had the opposite experience, and mostly dealt with customers/sites with static IPs. But that’s certainly not universal. If the customer’s physical site IP is dynamic, you’ll need a solution like VPN, shared keys, etc.