Network Filter: Restrict Admin Access by Network
Overview
The NetworkFilter setting allows you to restrict access to the admin panel based on the user’s network:
Full admin access is allowed only from the internal (On-Prem / AD) network
External users (e.g., via Internet) cannot access the admin interface
Authentication protocols (SAML, OIDC, WS-Fed) and device connections (PC/mobile) still work from external networks
Use Case
A system administrator wants to prevent unauthorized access to the Hideez Enterprise Server admin panel from external networks. With NetworkFilter enabled, only users connecting from the corporate network (e.g., office or VPN) can manage the system. External users can still authenticate to services but won’t be able to access server settings.
System Requirements
To enable this feature, you need:
A deployed instance of Hideez Enterprise Server (HES) with access to modify appsettings.json
NGINX installed and running on a Linux server, acting as a reverse proxy in front of HES
Administrative access to configure both the HES backend and NGINX frontend
How to Enable Network Filter
Enabling NetworkFilter requires two configuration steps:
Step 1: Configure Hideez Server (appsettings.json)
On the server side, open the appsettings.json file (located in the HES installation directory) and add or verify the following setting:
"ServerSettings": {
    "NetworkFilter": true
}
Step 2: Configure NGINX on Linux to Identify Internal IPs
On the NGINX side (running on Linux), configure IP detection and header injection.
Define internal network detection:
Add the following before your location block:
# Determine whether the client IP belongs to the internal network
geo $is_local {
    default 0;
    # Example internal network
    192.168.1.0/24 1;
    # Example individual IP
    10.10.100.1/32 1;
}
# Map the result to a value for the X-Local-Network header
map $is_local $x_source_type {
    1 "true";
    0 "false";
}
This logic evaluates the client’s IP address and sets the $x_source_type variable accordingly.
Update your location block:
location / {
    proxy_pass http://HES;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Local-Network $x_source_type;
}
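Before reloading NGINX, it helps to confirm which client addresses the geo and map blocks above will mark as internal, so an administrator's own address is not classified as external. The following is an added example, not part of the original page or of Hideez code; the function names (parse_geo, x_local_network, classify) and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# The geo block from Step 2, embedded so the check runs offline.
GEO_BLOCK = """
geo $is_local {
    default 0;
    192.168.1.0/24 1;   # Example internal network
    10.10.100.1/32 1;   # Example individual IP
}
"""

def parse_geo(text):
    """Return (default_value, [(network, value), ...]) for one geo block."""
    body = text[text.index("{") + 1 : text.rindex("}")]
    default, rules = "", []
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        key, value = line.split()
        if key == "default":
            default = value
        else:
            rules.append((ipaddress.ip_network(key), value))
    return default, rules

def x_local_network(client_ip, default, rules):
    """Header value NGINX would send to HES for this client address."""
    addr = ipaddress.ip_address(client_ip)
    matches = [(net.prefixlen, value) for net, value in rules if addr in net]
    # geo uses the most specific (longest-prefix) match, else the default.
    is_local = max(matches)[1] if matches else default
    # The map block from Step 2: 1 -> "true", 0 -> "false".
    return {"1": "true", "0": "false"}.get(is_local, "")

def classify(client_ips, geo_text=GEO_BLOCK):
    default, rules = parse_geo(geo_text)
    return {ip: x_local_network(ip, default, rules) for ip in client_ips}

if __name__ == "__main__":
    # Constructed sample addresses: two internal, two external.
    samples = ["192.168.1.25", "10.10.100.1", "10.10.100.2", "203.0.113.7"]
    for ip, header in classify(samples).items():
        print(f"{ip:<15} X-Local-Network: {header}")
```

The geo block evaluates $remote_addr by default, so the addresses to test are the ones NGINX sees on the incoming connection. Because proxy_set_header replaces any X-Local-Network value sent by the client, the header HES receives reflects only this classification.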
Example Configuration File (appsettings.json)
{
    "ConnectionStrings": {
        "DefaultConnection": "server=127.0.0.1;port=3306;database=db;uid=user;pwd=password",
        "Provider": "MySql"
    },
    "Logging": {
        "LogLevel": {
            "Default": "Debug",
            "Microsoft": "Warning",
            "Microsoft.Hosting.Lifetime": "Information"
        }
    },
    "ServerSettings": {
        "NetworkFilter": true
    },
    "AllowedHosts": "*"
}