Restricting VCS operations to a set of trusted IP addresses


Is it possible to restrict all VCS operations to ensure that they originate from a set of trusted IP addresses? Basically, I want to enforce that all git operations originate from one of our office IP addresses. I could simply use security group rules to restrict access to port 22 of our load balancer, but I wanted to enforce this restriction at the application (Phabricator) level rather than at the network layer, for two reasons:

  1. I think that it provides for a better UX. Rather than attempting to git clone or git pull and wondering why it seems to be taking a while to connect, before eventually timing out, enforcing these restrictions within Phabricator itself would allow for a user-friendly error message to be returned instead.
  2. Restricting access to repositories using security group rules only works if we are considering git over SSH. Restricting git operations over HTTP/HTTPS is not possible from the load balancer, because it is indistinguishable from regular web traffic.

It seems like (although I haven’t verified) this could be done at the moment for git push operations by writing a custom Herald rule (although I don’t know whether the custom Herald rule would have access to the source IP address of the VCS request) and using the “Commit Hook” Herald rule.