Restrict IP
A security module that restricts access to a Drupal site based on IP address whitelisting, with support for path-based rules and country-based filtering.
restrict_ip
Install
composer require 'drupal/restrict_ip:^5.0'
Overview
The Restrict IP module allows administrators to control who can access their Drupal site by maintaining a whitelist of allowed IP addresses. When enabled, any visitor whose IP address is not in the allowed list will be redirected to an access denied page with a customizable message.
The module provides flexible configuration options including support for both IPv4 and IPv6 addresses, IP address ranges, path-based whitelisting/blacklisting to exempt or target specific pages, role-based bypass permissions, and country-based filtering when used with the IP-based Determination of a Visitor's Country (ip2country) module.
For blocked users, the module renders a minimal page without blocks, JavaScript, or other page elements to prevent any unintended content exposure. Administrators can customize the access denied page through hooks and optionally display a contact email address for users to request access.
Features
- IP address whitelisting with support for individual IPv4/IPv6 addresses and IPv4 address ranges
- Path-based access control with whitelisting (exclude specific paths from checking) or blacklisting (check only specific paths)
- Role-based IP restriction bypass allowing logged-in users with specific permissions to access the site regardless of IP
- Country-based access control (whitelist or blacklist by country) when integrated with the ip2country module
- Customizable access denied page with optional contact email display
- Logging of blocked access attempts to Drupal's database log (dblog)
- Minimal page rendering for blocked users removing all blocks, JavaScript, menus and tabs
- IP addresses can be configured via admin UI or directly in settings.php for emergency access recovery
- Drush command support for enabling/disabling IP restrictions without admin access
- Hooks for customizing the access denied page, whitelisting theme regions, and whitelisting JavaScript files
Use Cases
Staging/Development Site Protection
Restrict access to a staging or development site to only your office IP addresses or VPN. Configure the whitelist with your team's IP addresses and enable restrictions. All external visitors will see the access denied page.
Intranet-Only Access
Create an intranet site accessible only from within your organization's network. Whitelist your organization's internal IP ranges and enable restrictions to prevent external access.
Geographic Access Control
Restrict site access to users from specific countries. Enable the ip2country module integration and configure country whitelisting or blacklisting. For example, whitelist only your home country to reduce malicious traffic from other regions.
Admin Section Protection
Keep the main site public but restrict admin paths to specific IP addresses. Set the path checking mode to blacklist and add admin paths like /admin/*, /node/*/edit, etc. Only whitelisted IPs can access admin functions.
Temporary Maintenance Restriction
During maintenance, restrict access to only development team IPs while updating the site. When complete, disable restrictions to restore public access.
Role-Based Access with IP Backup
Allow authenticated users with specific roles to bypass IP restrictions while still blocking anonymous visitors from non-whitelisted IPs. Enable role bypass and assign the 'Bypass IP Restriction' permission to trusted roles.
Tips
- Always add your current IP address to the whitelist before enabling restrictions - your current IP is displayed on the configuration page
- Use settings.php for emergency IP whitelist entries that cannot be accidentally removed through the UI
- Path patterns support wildcards (*) - use /admin/* to match all admin paths
- IP address ranges only work with IPv4 addresses in the format AAA.BBB.CCC.XXX - AAA.BBB.CCC.YYY or AAA.BBB.CCC.XXX-YYY
- The Drush command (drush ripd disable) is invaluable for regaining access when locked out
- Comments can be added to the IP address list using // or /* */ syntax for documentation
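An added example, not part of the Restrict IP module: a stand-alone PHP linter that checks allow-list text against the entry formats listed in the tips above before it is saved. The function names, the sample list and the rule that both ends of a range share the first three octets are assumptions drawn from the documented format, not the module's own parser.

```php
<?php
// Added example: offline linter for allow-list text (not the module's parser).
// Assumption: a range stays inside one AAA.BBB.CCC prefix, as the documented format shows.

/** Returns NULL for a valid IPv4 range in either documented form, else the problem. */
function check_range(string $entry): ?string {
  $parts = array_map('trim', explode('-', $entry));
  if (count($parts) !== 2) return 'not an IP address or an IPv4 range';
  [$start, $end] = $parts;
  if (!filter_var($start, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) return 'range start is not IPv4';
  $prefix = substr($start, 0, strrpos($start, '.') + 1);
  if (ctype_digit($end)) $end = $prefix . $end;  // short form AAA.BBB.CCC.XXX-YYY
  if (!filter_var($end, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) return 'range end is not IPv4';
  if (strncmp($end, $prefix, strlen($prefix)) !== 0) return 'range leaves the first three octets';
  if (ip2long($end) < ip2long($start)) return 'range end is below range start';
  return null;
}

/** Returns [line number => problem] for entries outside the documented formats. */
function lint_allow_list(string $text): array {
  // Blank out /* */ and // comments, keeping newlines so line numbers stay correct.
  $text = preg_replace_callback('#/\*.*?\*/#s',
    fn($m) => str_repeat("\n", substr_count($m[0], "\n")), $text);
  $text = preg_replace('#//.*$#m', '', $text);
  $problems = [];
  foreach (explode("\n", $text) as $i => $line) {
    $entry = trim($line);
    if ($entry === '' || filter_var($entry, FILTER_VALIDATE_IP)) continue;  // single IPv4/IPv6
    $problem = check_range($entry);
    if ($problem !== null) $problems[$i + 1] = "$entry: $problem";
  }
  return $problems;
}

// Constructed sample list using documentation address ranges.
$sample = <<<'TXT'
// office
203.0.113.10
/* VPN pool,
   reviewed quarterly */
198.51.100.20 - 198.51.100.40
198.51.100.50-60
2001:db8::1
2001:db8::1 - 2001:db8::ff
198.51.100.90-80
192.0.2.0/24
TXT;
foreach (lint_allow_list($sample) as $n => $p) echo "line $n: $p\n";
```

An entry the linter flags is outside the formats this page documents; that is a reason to re-check it, not a statement about how the module itself treats it.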
Technical Details
Admin Pages
/admin/config/people/restrict_ip
Configure IP-based access restrictions for the site. Manage whitelisted IP addresses, path-based rules, role bypass settings, and country-based filtering options.
Permissions
Hooks
hook_restrict_ip_whitelisted_regions
Allows modules or themes to whitelist specific page regions that should still be rendered for blocked users.
hook_restrict_ip_whitelisted_js_keys
Allows modules or themes to whitelist specific JavaScript files that should still be loaded for blocked users.
hook_restrict_ip_access_denied_page_alter
Allows modules or themes to alter the access denied page content, including adding, removing, or modifying elements, or performing redirects.
Drush Commands
drush restrict_ip:disable [enable|disable]
Enable or disable IP restrictions without accessing the admin interface. Useful for regaining access when locked out.
Troubleshooting
- Add the following line to sites/default/settings.php: $config['restrict_ip.settings']['enable'] = FALSE; This disables restrictions, allowing you to access the site and fix your settings. Alternatively, use the Drush command: drush ripd disable
- Ensure you are using the correct configuration key: $config['restrict_ip.settings']['ip_whitelist'] = ['111.111.111.1']; The value must be an array of IP addresses.
- Install and enable the IP-based Determination of a Visitor's Country (ip2country) module. Run composer require drupal/ip2country and enable the module.
- Check if you are behind a proxy or load balancer. The module uses Symfony's getClientIp(), which respects trusted proxy headers. Ensure your proxy settings are correctly configured in settings.php.
Security Notes
- Ensure your server correctly passes the client IP address - behind load balancers or CDNs, additional configuration may be required
- The ip_whitelist setting in settings.php provides a secure fallback that cannot be modified through the admin UI
- When using role bypass, ensure the 'Bypass IP Restriction' permission is only granted to trusted roles
- Email addresses displayed on the access denied page are obfuscated but can still be harvested - consider this when adding contact information
- Logged access attempts may contain sensitive path information - ensure database logs are properly secured
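An added example for sites/default/settings.php, not taken from the module: the two restrict_ip.settings override keys from this page next to Drupal core's reverse-proxy settings, which decide what getClientIp() returns. All addresses are constructed placeholders; 10.0.0.5 and 10.0.0.6 stand in for your own load balancers.

```php
<?php
// Added example for sites/default/settings.php (not the module's own code).

// Emergency allow-list entries that cannot be removed through the admin UI.
// 203.0.113.10 and 2001:db8::10 are documentation addresses (constructed).
$config['restrict_ip.settings']['ip_whitelist'] = [
  '203.0.113.10',
  '2001:db8::10',
];

// Lock-out recovery switch: uncomment only while repairing the configuration,
// then remove it again so the restriction is enforced.
// $config['restrict_ip.settings']['enable'] = FALSE;

// Weak: this marks whichever host connects as a trusted proxy, so the
// X-Forwarded-For value it sends becomes the address the allow-list checks.
// $settings['reverse_proxy'] = TRUE;
// $settings['reverse_proxy_addresses'] = [$_SERVER['REMOTE_ADDR']];

// Corrected: trust forwarded headers only from the known proxy addresses
// (assumed here to be 10.0.0.5 and 10.0.0.6) and only the headers they set.
// With no proxy in front of the site, leave reverse_proxy unset.
$settings['reverse_proxy'] = TRUE;
$settings['reverse_proxy_addresses'] = ['10.0.0.5', '10.0.0.6'];
$settings['reverse_proxy_trusted_headers'] =
  \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR |
  \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO;
```

After changing these values, compare the current IP shown on the module's configuration page with your real client address: if it shows the load balancer's address, the proxy is not yet trusted and every visitor will be evaluated as that one IP.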