Pantheon Community

IP-Based allow list for access to a site or organization's non-live sites

As a larger organization, we need to protect our development environments really well. With many random people throughout our organization needing access to dev or stage (or even multidev) environments, sharing a cleartext password is not the most efficient way to handle access, and the password can leak very easily.

The easiest way to do this is to implement an IP allow-list for HTTPS traffic. While we can implement a block like that in PHP, it doesn’t protect the files directory, which still may contain confidential or embargoed data.

Normally we can do this via htaccess, vhost config, nginx directive, firewall settings, or reverse proxy configuration. However, those are not options on Pantheon (except the reverse proxy for AGCDN, which is not in front of the dev environments).

It would be cool to be able to provide a list of allowed IPs (a list of IPs, ranges of IPs, CIDR). Bonus points for allowing the option to allow-list CI tools like CircleCI or GitHub Actions.
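The PHP-level check mentioned in the post, covering the three entry formats it asks for (single IPs, ranges, CIDR), as an added example that is not part of the original post and not Pantheon code. Function names and sample addresses are constructed, and obtaining the real client address behind the platform's edge is left to the caller; as the post notes, a check like this only covers requests that reach PHP, not files served from the files directory.

```php
<?php
// Added example; function names are hypothetical, not a Pantheon API.
/** True if $ip is covered by $entry: a single IP, "start-end" range, or CIDR. */
function ip_matches_entry(string $ip, string $entry): bool
{
    $addr = @inet_pton($ip);
    if ($addr === false) {
        return false; // unparsable client address: deny
    }
    $len = strlen($addr); // 4 bytes for IPv4, 16 for IPv6
    if (strpos($entry, '/') !== false) { // CIDR
        [$net, $bits] = explode('/', $entry, 2);
        $netBin = @inet_pton(trim($net));
        if ($netBin === false || strlen($netBin) !== $len
            || !ctype_digit($bits) || (int) $bits > $len * 8) {
            return false; // malformed entry or address-family mismatch
        }
        $full = intdiv((int) $bits, 8); // whole bytes that must match
        $rest = (int) $bits % 8;        // leftover prefix bits
        if (substr($addr, 0, $full) !== substr($netBin, 0, $full)) {
            return false;
        }
        $mask = (0xFF << (8 - $rest)) & 0xFF;
        return $rest === 0
            || (ord($addr[$full]) & $mask) === (ord($netBin[$full]) & $mask);
    }
    if (strpos($entry, '-') !== false) { // inclusive range
        [$lo, $hi] = explode('-', $entry, 2);
        $loBin = @inet_pton(trim($lo));
        $hiBin = @inet_pton(trim($hi));
        if ($loBin === false || $hiBin === false
            || strlen($loBin) !== $len || strlen($hiBin) !== $len) {
            return false;
        }
        // Equal-length packed addresses order correctly as byte strings.
        return strcmp($addr, $loBin) >= 0 && strcmp($addr, $hiBin) <= 0;
    }
    return @inet_pton(trim($entry)) === $addr; // single address
}

// Constructed sample allow-list using documentation address ranges.
$allowList = ['192.0.2.10', '198.51.100.0/24', '203.0.113.5-203.0.113.20', '2001:db8::/32'];
foreach (['192.0.2.10', '198.51.100.77', '203.0.113.21', '2001:db8::1'] as $ip) {
    $ok = false;
    foreach ($allowList as $entry) {
        $ok = $ok || ip_matches_entry($ip, $entry);
    }
    echo $ip, ' => ', $ok ? 'allow' : 'deny', PHP_EOL;
}
```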

Thanks for sharing! We will make sure this feedback makes it to the team. Feel free to encourage others to also upvote on this!