Both Kerberos and API token auth can be limited to specific IP address ranges.
The screenshow below shows how IP restrictions can be configured. The default is for every client will receive a Kerberos challenge. In the screenshot, all clients except any IP starting with 172.* will receive a challenge.
It’s possible to use a blocked list or a unblocked list strategy, depending on what is most convenient for your environment. Both lists allow either prefix notation or regular expression syntax, which is enabled by starting with ^.
...
| Note |
|---|
IP restrictions only support IPv4 addresses. |
IP restrictions limit the use of features to a subset of IP addresses on the network. Typical use cases for configuring IP restrictions is to limit access to the local network, exclude devices known not to support a feature, or restrict which IP addresses should be allowed to communicate with your Atlassian application.
IP restrictions are currently available for Kerberos, Kerberos for REST, and API Tokens.
Restriction modes
The restriction modes are used to specify how to restrict access based on the unblocked list and blocked list. The possible modes are No restriction, Allow, and Deny.
No restriction
| Status | ||
|---|---|---|
|
No restriction based on IP addresses.
Allow
Only IP addresses specified in the unblocked list are enabled. If an address matches both lists, the blocked list takes precedence. As such, you can specify IP ranges in the unblocked list and override specific IP addresses with the blocked list.
...
Deny
All IP addresses are enabled except those specified in the blocked list. If an address matches both lists, the unblocked list takes precedence. As such, you can specify IP ranges in the blocked list and override specific IP addresses with the unblocked list.
...
IP address matching syntax
When adding IP addresses to the unblocked and blocked list, you can use a combination of full Ip addresses, IP address prefixes, and regular expressions.
Full IP addresses
Use the full IP address to target a specific device.
| Code Block |
|---|
192.168.1.1 |
IP address prefix
Use IP address prefix to target a range of IP addresses. This syntax targets all IP addresses starting with the given prefix.
| Code Block |
|---|
192.168.1. |
Regular expressions
If you need even more control when targeting IP addresses, you can create your own matching rules using regular expressions.
| Code Block |
|---|
^1.*\.168\.1\..*$ |
...
NOTE: For Kantega Single Sign-on to evaluate IP restrictions correctly when behind a reverse proxy, the IP address must be communicated to the Atlassian application. See the yellow notification box in the below screenshot, which tells you the IP currently “seen” by the application.
...