Using Access Filter to Limit Files to Campus and the VPN

Category
Developers
Site Administrators
Drupal Version
Drupal 10

A Drupal module called Access Filter combined with a private filesystem can be used to limit file access to campus and VPN IPs only.  For most cases, that's just as good as using forced logins via CAS authentication without the headaches of having a user account created on your Drupal site for every person who accesses one of your protected pages or files.

Important: Drupal access control modules will only work with a private filesystem, as Drupal does not actually handle access requests for files uploaded to public file fields (it lets Apache handle those requests for maximum speed).  If you do not already have a private filesystem set up, you will need to configure your site to use a private filesystem.

Instructions for Installing and Configuring Access Filter

  1. Configure your site with a private filesystem and make sure it is working correctly.

  2. Install the Access Filter module like you would any other Drupal module.

  3. Once you have the module installed, go to the Administrative Toolbar, to Configuration -> People -> Access filters and create a new filter with the following components:

    Conditions:
- { type: path, path: /system/files/campusonly/* }

Rules: 
- { type: ip, action: deny, address: '*' }
- { type: ip, action: allow, address: 130.207.0.0/16 }
- { type: ip, action: allow, address: 128.161.0.0/16 }
- { type: ip, action: allow, address: 143.215.0.0/16 }
- { type: ip, action: allow, address: 192.93.8.0/24 }
- { type: ip, action: allow, address: 10.0.0.0/8 }
- { type: ip, action: allow, address: 172.16.0.0/12 }
- { type: ip, action: allow, address: 100.64.0.0/10 }

Repsonse Code:
302

Redirect URL:
/campusonly

    Make sure that path in the condition matches up with the path that your Secure File field is using, so that the rule will apply to all files uploaded to that field.

  4. Finally, make a generic page at the path "/campusonly" that will tell outside users that the content they're trying to access is available on-campus or via the VPN only.

Now, any regular content manager can simply upload campus-only files to the Secure File field (created when setting up a private filesystem) on the related page and then link to the file like they would do for a normal file attachment. When accessed from on-campus or the VPN, the user simply gets the file. When accessed from off-campus, the user gets redirected to that /campusonly page.