Require US IP

[colinxfleming]

Thanks for creating an issue! Please fill out this form so we can be sure to have all the information we need, and to minimize back and forth.

• What are we trying to do?

We got a request from France the other day. I think it was fine (someone using a VPN) but would be nice to cut this kinda stuff off, so let's investigate ways to ban non-US requesters.

• What feature or behavior is this required for?

security

• How could we solve this issue? (Not knowing is okay!)

Probably there's a rack extension that does this?

• Anything else?

[elimbaum]

Do we necessarily want to prevent people from using VPNs, though (especially considering work-from-home trends)? Maybe something like fail2ban (i.e. blacklist, not whitelist) makes more sense if we're worried about DoS + brute force proection.

[colinxfleming]

We have something similar to fail2ban in place now (rack-attack iirc, which I think is essentially the same guard).

I don't mind VPNs necessarily, but I don't think there's a good reason someone for someone to connect to DARIA from a machine outside the states - that's way more likely to be a red flag than it is a proper human I think!

[xmunoz]

Just to throw a wrench into this issue thread: I'm in Ecuador currently. For most of my work, I VPN into Miami, but sometimes I forget and directly connect to an instance to validate a deployment or triage an issue.

[colinxfleming]

leaving this here as a note https://developers.cloudflare.com/waf/tools/ip-access-rules/

[xmunoz]

Yup, there are definitely straight-forward ways to block unwanted requests using Cloudflare's WAF. Though my concern about whether we really want to still stands.