How do you restrict access to a Meteor site based on IP

I would like to restrict access to my site based on the IP address of the client. For example, if an user’s IP address has had past transgressions on my site, I want to effectively block it.

I know how to access the IP address in Meteor Methods (ip = this.connection.clientAddress;), but now I want to know how I can block it from access.

1 Like

Something like this?

// Server.js
Meteor.onConnection(function (connection) {
  // Check if connected client has their IP banned
  if (BannedIPs.findOne({IP: connection.clientAddress})) {
    // Close/deny connection
    connection.close();
  }
})

More info: http://docs.meteor.com/#/full/meteor_onconnection
Relevant package: https://github.com/mizzao/meteor-user-status

4 Likes

I know I’m a bit late to a party.
But here are my 2 cents.
Looks like when Dpp is disconnected it immediately tries to connect.
So client will try to connect indefinitely.

2 Likes

Now I’m blocking request on the server side using picker it works!

const pickerFilter = (req, res) => {
  const ip = req.connection.remoteAddress || req.headers['x-forwarded-for'];
  console.log('ip', ip);
  const whiteListIpOnly = Meteor.settings.public.whiteListIpOnly || process.env.WHITELIST_IPS_ONLY;
  // Check if connected client has their IP banned
  if (whiteListIpOnly){
    if (!Ips.findOne({ address: ip})){
      return true;
    }
  } else {
    if (Ips.findOne({ address: ip })) {
      return true;
    }
  }
}

Picker.filter(pickerFilter).middleware((req, res) => {
  res.writeHead(404);
  res.end();
});
3 Likes

Where in the Server code did you put this? Startup?

I’ve just put it in file server/index.js
I haven’t used Meteor.startup

Which is defined in package.json

  "meteor": {
    "mainModule": {
      "client": "startup/client/index.js",
      "server": "startup/server/index.js"
    }
  },
1 Like