From b5f414b98901eb65d286f317fc32bcf111cb70f8 Mon Sep 17 00:00:00 2001 From: Benjamin Gaussorgues Date: Wed, 24 Jul 2024 11:17:17 +0200 Subject: [PATCH] feat(admin): harden server with admin IP restrict Signed-off-by: Benjamin Gaussorgues --- admin_manual/installation/harden_server.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index a019868c359..cb4e585cb0b 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst @@ -177,6 +177,23 @@ information about the TLS settings. Also ensure that HTTP compression is disabled to mitigate the BREACH attack. +Restrict admin actions to a specific range of IP addresses +---------------------------------------------------------- + +Configure ``allowed_admin_ranges`` in ``config.php`` to restrict the admin actions to trusted IP ranges. + +This can be achieved with this kind of setting, usually using private IP ranges:: + + 'allowed_admin_ranges' => [ + '127.0.0.1/8', + '192.168.0.0/16', + 'fd00::/8', + ] + +All requests originating from IP addresses outside of these ranges will not be able to execute admin actions. + +Administrators connected from untrusted IP addresses will be able to use Nextcloud, but all admin specific actions will be hidden. + Use a dedicated domain for Nextcloud ------------------------------------
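Review bot: in the example setting, `'127.0.0.1/8'` is a prefix with host bits set; the conventional loopback range is `'127.0.0.0/8'`, and since readers tend to copy config examples verbatim, the documented value should be the canonical one (the other two entries, `'192.168.0.0/16'` and `'fd00::/8'`, are already in canonical form). The two closing sentences also leave the enforcement model ambiguous: the first says requests from outside the ranges "will not be able to execute admin actions", while the second says admin actions "will be hidden", which can be read as a UI-only change. Please state explicitly whether the restriction is enforced server-side (requests rejected) with the UI hiding the entries as a consequence, so that an administrator does not mistake this for a cosmetic setting when assessing it as a hardening control.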