Is it possible to restrict all VCS operations to ensure that they originate from a set of trusted IP addresses? Basically, I want to enforce that all
git operations originate from one of our office IP addresses. I could simply use security group rules to restrict access to port 22 of our load balancer, but I wanted to enforce this restriction at the application (Phabricator) level rather than at the network layer, for two reasons:
- I think that it provides for a better UX. Rather than attempting to
git pulland wondering why it seems to be taking a while to connect, before eventually timing out, enforcing these restrictions within Phabricator itself would allow for a user-friendly error message to be returned instead.
- Restricting access to repositories using security group rules only works if we are considering
gitover SSH. Restricting
gitoperations over HTTP/HTTPS is not possible from the load balancer, because it is indistinguishable from regular web traffic.
It seems like (although I haven’t verified) this could be done at the moment for
git push operations by writing a custom Herald rule (although I don’t know whether the custom Herald rule would have access to the source IP address of the VCS request) and using the “Commit Hook” Herald rule.