
Overview

IP and subnet restrictions provide network-level access control for your shared files. You can limit access to specific IP addresses or entire network ranges using CIDR notation, ensuring only authorized networks can access your content.

Use Cases

  • Restrict file access to corporate office networks
  • Limit downloads to specific VPN endpoints
  • Allow access only from trusted data centers
  • Provide region-specific content distribution
  • Implement client-specific access controls

Configuration Fields

Access restrictions are configured using two array fields in the Access model (see models/access.go:11-12):
Subnets []string `gorm:"type:text[]"` // Array of subnets
IPs     []string `gorm:"type:text[]"` // Array of IPs

IPs Array

A list of individual IPv4 or IPv6 addresses that are allowed to access the file. Example:
"ips": ["203.0.113.45", "198.51.100.22", "2001:db8::1"]

Subnets Array

A list of network ranges in CIDR notation that are allowed to access the file. Example:
"subnets": ["192.168.1.0/24", "10.0.0.0/8", "2001:db8::/32"]
Setting up a restriction is a four-step procedure:

1. Identify target networks. Determine which IP addresses or subnets should have access to your file.
2. Format in CIDR notation. Convert network ranges to proper CIDR notation (e.g., 192.168.1.0/24); a single host is 203.0.113.45/32.
3. Create access link. Include ips and/or subnets arrays in your access creation request.
4. Test access. Verify that access works from allowed networks and is blocked from others.
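The four steps above, carried through as an added Go example (this is not DefDrive's own code): it validates and canonicalises the ips and subnets entries and builds the JSON body for the access creation request. The request keys (name, public, ips, subnets) are the ones shown on this page; the AccessRequest type, the function names and the sample inputs are this example's own assumptions. The pre-flight check matters because the server-side subnet check skips any CIDR that fails to parse, so a typo would silently lock every visitor out rather than report an error.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// AccessRequest mirrors the JSON body of the access creation request shown on
// this page. The type name is this example's own.
type AccessRequest struct {
	Name    string   `json:"name"`
	Public  bool     `json:"public"`
	IPs     []string `json:"ips"`
	Subnets []string `json:"subnets"`
}

// NormalizeRestrictions validates and canonicalises the allowlist entries and
// drops duplicates. It returns the cleaned lists plus one error per rejected
// entry so the operator sees every problem at once.
func NormalizeRestrictions(ips, subnets []string) (cleanIPs, cleanSubnets []string, problems []error) {
	seen := map[string]bool{}
	add := func(list *[]string, key string) {
		if !seen[key] {
			seen[key] = true
			*list = append(*list, key)
		}
	}
	for _, raw := range ips {
		ip := net.ParseIP(strings.TrimSpace(raw))
		if ip == nil {
			problems = append(problems, fmt.Errorf("ips: %q is not a valid IPv4 or IPv6 address", raw))
			continue
		}
		// ip.String() is the canonical spelling (2001:0db8::1 -> 2001:db8::1),
		// which is what an exact string comparison on the server will see.
		add(&cleanIPs, ip.String())
	}
	for _, raw := range subnets {
		ip, network, err := net.ParseCIDR(strings.TrimSpace(raw))
		if err != nil {
			problems = append(problems, fmt.Errorf("subnets: %q is not valid CIDR notation (%v)", raw, err))
			continue
		}
		// ParseCIDR accepts 10.0.0.5/8 and quietly masks it to 10.0.0.0/8.
		// Reject it so the operator confirms the whole range is intended.
		if !ip.Equal(network.IP) {
			problems = append(problems, fmt.Errorf("subnets: %q has host bits set; use %s", raw, network))
			continue
		}
		add(&cleanSubnets, network.String())
	}
	return cleanIPs, cleanSubnets, problems
}

// BuildRequestBody returns the JSON to POST to /files/{id}/access, or an error
// listing every rejected entry so that nothing half-right is sent.
func BuildRequestBody(name string, public bool, ips, subnets []string) ([]byte, error) {
	cleanIPs, cleanSubnets, problems := NormalizeRestrictions(ips, subnets)
	if len(problems) > 0 {
		msgs := make([]string, 0, len(problems))
		for _, p := range problems {
			msgs = append(msgs, p.Error())
		}
		return nil, fmt.Errorf("%d invalid restriction(s):\n  %s", len(problems), strings.Join(msgs, "\n  "))
	}
	if cleanIPs == nil {
		cleanIPs = []string{} // emit [] rather than null
	}
	if cleanSubnets == nil {
		cleanSubnets = []string{}
	}
	return json.MarshalIndent(AccessRequest{Name: name, Public: public, IPs: cleanIPs, Subnets: cleanSubnets}, "", "  ")
}

func main() {
	// Constructed input: one non-canonical IPv6 address, otherwise clean.
	body, err := BuildRequestBody("Office only", true,
		[]string{"203.0.113.45", "2001:0db8::1"},
		[]string{"192.168.1.0/24", "2001:db8::/32"})
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(string(body))
	// Constructed bad input: a bogus IP, a CIDR with host bits set, and garbage.
	_, err = BuildRequestBody("Typo", true, []string{"300.1.1.1"}, []string{"10.0.0.5/8", "not-a-cidr"})
	fmt.Println(err)
}
```

Pipe the output of BuildRequestBody into the curl -d argument of the API example; the canonical spellings it produces are the ones the server's exact-match IP check will compare against.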

API Examples

curl -X POST https://your-defdrive-instance.com/files/42/access \
  -H "Authorization: Bearer YOUR_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Admin Access Only",
    "public": true,
    "ips": ["203.0.113.45"]
  }'

CIDR Notation Reference

CIDR (Classless Inter-Domain Routing) notation specifies IP address ranges using a base IP and prefix length.

Common IPv4 Subnet Masks

CIDR  Subnet Mask      Usable IPs  Description
/32   255.255.255.255  1           Single host
/31   255.255.255.254  2           Point-to-point link (RFC 3021)
/30   255.255.255.252  2           Small network
/29   255.255.255.248  6           Tiny network
/28   255.255.255.240  14          Very small network
/27   255.255.255.224  30          Small network
/26   255.255.255.192  62          Small network
/25   255.255.255.128  126         Medium network
/24   255.255.255.0    254         Standard subnet
/16   255.255.0.0      65,534      Large network
/8    255.0.0.0        16,777,214  Very large network

Example Subnet Calculations

CIDR: 192.168.1.0/24
Range: 192.168.1.0 - 192.168.1.255
Usable: 192.168.1.1 - 192.168.1.254
Hosts: 254
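The calculation above, generalised to any IPv4 or IPv6 block as an added Go example (not part of DefDrive): it derives the mask, first and last addresses and host counts that the reference table lists, and handles the /31 and /32 special cases where the usual "subtract network and broadcast" rule does not apply. The RangeInfo type and the function name are this example's own.

```go
package main

import (
	"fmt"
	"math/big"
	"net"
)

// RangeInfo is the worked result for one CIDR block, laid out like the
// columns of the reference table above.
type RangeInfo struct {
	Network string   // canonical block, e.g. 192.168.1.0/24
	Mask    string   // dotted subnet mask (IPv4 only; empty for IPv6)
	First   string   // first address in the block (IPv4: the network address)
	Last    string   // last address in the block (IPv4: the broadcast address)
	Total   *big.Int // 2^(address bits - prefix length)
	Usable  *big.Int // addresses assignable to hosts
}

// DescribeCIDR computes the range of a CIDR block. big.Int is used because an
// IPv6 /32 holds 2^96 addresses, far beyond uint64. Usable-host accounting
// follows the IPv4 convention: the network and broadcast addresses are not
// assignable, except in a /31 (RFC 3021 point-to-point link) or a /32 (single
// host). IPv6 has no broadcast address, so Usable equals Total there.
func DescribeCIDR(cidr string) (RangeInfo, error) {
	_, network, err := net.ParseCIDR(cidr)
	if err != nil {
		return RangeInfo{}, err
	}
	ones, bits := network.Mask.Size()
	first := network.IP // ParseCIDR already cleared the host bits
	last := make(net.IP, len(first))
	for i := range first {
		last[i] = first[i] | ^network.Mask[i] // set every host bit
	}
	total := new(big.Int).Lsh(big.NewInt(1), uint(bits-ones))
	usable := new(big.Int).Set(total)
	info := RangeInfo{Network: network.String(), First: first.String(), Last: last.String(), Total: total, Usable: usable}
	if bits == 32 {
		info.Mask = net.IP(network.Mask).String()
		if ones < 31 {
			usable.Sub(usable, big.NewInt(2))
		}
	}
	return info, nil
}

func main() {
	for _, c := range []string{"192.168.1.0/24", "10.0.0.0/31", "203.0.113.45/32", "10.0.0.0/8", "2001:db8::/32"} {
		r, err := DescribeCIDR(c)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-18s mask %-15s %s - %s  usable %s\n", r.Network, r.Mask, r.First, r.Last, r.Usable)
	}
}
```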

Access Validation Logic

When a user attempts to access a file via an access link, DefDrive performs network validation checks (see middleware/access_restrictions.go:82-111). Both checks take the client address from gin's c.ClientIP(). That call returns the address carried in X-Forwarded-For or X-Real-IP only when the connecting peer is one of gin's configured trusted proxies; gin's default is to trust every proxy (it logs a warning saying so at startup), so a deployment that never calls SetTrustedProxies lets any client choose the address these checks see by sending its own X-Forwarded-For header. Configure the trusted proxy list to exactly the reverse proxies in front of DefDrive before relying on these restrictions.

Subnet Check Implementation

// Excerpt from middleware/access_restrictions.go. Returns true when the
// request may proceed; on denial it writes the 403 response and aborts the
// gin handler chain itself.
func checkSubnetRestriction(access models.Access, c *gin.Context) bool {
    if len(access.Subnets) > 0 {
        ip := c.ClientIP() // subject to gin's trusted-proxy configuration
        for _, subnet := range access.Subnets {
            // A subnet that fails to parse is skipped, not reported: an
            // entry with a typo can never match anything.
            _, parsedSubnet, err := net.ParseCIDR(subnet)
            // net.ParseIP returns nil for an unparseable client address, and
            // Contains(nil) is false, so such a client is denied (fails closed).
            if err == nil && parsedSubnet.Contains(net.ParseIP(ip)) {
                return true
            }
        }
        c.JSON(http.StatusForbidden, gin.H{"error": "Access restricted to specific subnets"})
        c.Abort()
        return false
    }
    return true // no subnets configured: this check imposes nothing
}
Process:
  1. Get the client’s IP address
  2. Parse each CIDR subnet (entries that fail to parse are skipped silently)
  3. Check if the client IP falls within any subnet
  4. Allow access if a match is found
  5. Deny access with 403 if no match is found, which also happens when every configured subnet is malformed

IP Check Implementation

// Excerpt from middleware/access_restrictions.go. Same contract as the
// subnet check: true to proceed, false after writing the 403 and aborting.
func checkIPRestriction(access models.Access, c *gin.Context) bool {
    if len(access.IPs) > 0 {
        ip := c.ClientIP() // subject to gin's trusted-proxy configuration
        for _, allowedIP := range access.IPs {
            // Plain string comparison: the stored entry must be spelled the
            // way the client address is rendered (e.g. 2001:db8::1, not
            // 2001:0db8::1).
            if ip == allowedIP {
                return true
            }
        }
        c.JSON(http.StatusForbidden, gin.H{"error": "Access restricted to specific IPs"})
        c.Abort()
        return false
    }
    return true // no IPs configured: this check imposes nothing
}
Process:
  1. Get the client’s IP address
  2. Compare it against each allowed IP as a string
  3. Allow access on an exact match
  4. Deny access with 403 if no match is found
Because the comparison is textual, store IPv6 entries in canonical compressed lowercase form (the form Go's net.IP.String() produces); an entry such as 2001:0db8::1 will never match a client reported as 2001:db8::1.
If both ips and subnets arrays are empty, no IP restriction is enforced and access is allowed from any IP address (subject to other restrictions).

Restriction Behavior

Combined Restrictions

When both ips and subnets are specified, access is granted if the client IP matches either list. Note that each helper shown above returns a 403 on its own when its list has no match, so the either-list behaviour comes from how the middleware combines the two results; that calling code (the remainder of middleware/access_restrictions.go:82-111) is not reproduced here, so confirm the behaviour against the version you run before depending on it:
{
  "ips": ["203.0.113.45"],
  "subnets": ["192.168.1.0/24"]
}
Access allowed from:
  • 203.0.113.45 (exact IP match)
  • 192.168.1.1 through 192.168.1.254 (subnet match)
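The combined either-list rule, together with the client-address question raised under Access Validation Logic, as an added Go example that is not DefDrive's own middleware: Compile parses the allowlist once so a malformed entry is reported instead of silently skipped, Allows applies the rule with net.IP.Equal rather than string equality, and ClientIP shows how a forwarded address should only be believed when the TCP peer is a trusted proxy. The type and function names, the 10.0.0.0/8 proxy range and the constructed requests are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Restriction is the parsed form of an access record's ips and subnets.
type Restriction struct {
	ips  []net.IP
	nets []*net.IPNet
}

// Compile parses the allowlists at load time; any unparseable entry is an
// error rather than a silently ignored line.
func Compile(ips, subnets []string) (*Restriction, error) {
	r := &Restriction{}
	for _, s := range ips {
		ip := net.ParseIP(strings.TrimSpace(s))
		if ip == nil {
			return nil, fmt.Errorf("invalid ip %q", s)
		}
		r.ips = append(r.ips, ip)
	}
	for _, s := range subnets {
		_, n, err := net.ParseCIDR(strings.TrimSpace(s))
		if err != nil {
			return nil, fmt.Errorf("invalid subnet %q: %w", s, err)
		}
		r.nets = append(r.nets, n)
	}
	return r, nil
}

// Allows applies the combined rule: no entries at all means no restriction;
// otherwise the client passes if it equals any listed IP or lies inside any
// listed subnet. net.IP.Equal also matches the IPv4-mapped spelling
// ::ffff:203.0.113.45. An unparseable client address (nil) fails closed.
func (r *Restriction) Allows(client net.IP) bool {
	if len(r.ips) == 0 && len(r.nets) == 0 {
		return true
	}
	if client == nil {
		return false
	}
	for _, ip := range r.ips {
		if ip.Equal(client) {
			return true
		}
	}
	for _, n := range r.nets {
		if n.Contains(client) {
			return true
		}
	}
	return false
}

// ClientIP decides which address the allowlist is evaluated against. When the
// TCP peer is not a trusted proxy the X-Forwarded-For header is ignored, so a
// client cannot pick its own address by sending one. When it is, the header is
// walked from the right, skipping trusted hops, and the first untrusted address
// is the client; a forged value prepended by the client is therefore ignored.
func ClientIP(remoteAddr, xff string, trustedProxies []*net.IPNet) net.IP {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil || !inAny(peer, trustedProxies) || strings.TrimSpace(xff) == "" {
		return peer
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return nil // garbage in the chain: fail closed
		}
		if !inAny(ip, trustedProxies) {
			return ip
		}
	}
	return net.ParseIP(strings.TrimSpace(hops[0])) // every hop is a trusted proxy
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func main() {
	r, err := Compile([]string{"203.0.113.45"}, []string{"192.168.1.0/24"})
	if err != nil {
		panic(err)
	}
	proxies := []*net.IPNet{mustCIDR("10.0.0.0/8")} // assumed: reverse proxies live in 10/8
	// Constructed requests as (peer address, X-Forwarded-For header) pairs.
	for _, c := range [][2]string{
		{"10.0.0.2:443", "203.0.113.45"},               // via trusted proxy: allowed
		{"198.51.100.7:5000", "203.0.113.45"},          // direct, forged header: denied
		{"10.0.0.2:443", "203.0.113.45, 198.51.100.7"}, // forged hop behind a real one: denied
	} {
		ip := ClientIP(c[0], c[1], proxies)
		fmt.Printf("peer=%-18s xff=%-30q client=%-14v allowed=%v\n", c[0], c[1], ip, r.Allows(ip))
	}
}
```

The third constructed request is the one to keep in mind: a client behind a legitimate proxy can still prepend a fake entry to X-Forwarded-For, and only the right-to-left walk over trusted hops defeats it.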

Empty Arrays

If both arrays are empty or omitted, no IP/subnet restriction is applied:
{
  "ips": [],
  "subnets": []
}
This allows access from any IP address, making it suitable for public file sharing.

Error Responses

Subnet Restriction Denied

{
  "error": "Access restricted to specific subnets"
}
HTTP Status: 403 Forbidden. This error is returned when all of the following hold:
  • The subnets array is not empty
  • The client IP doesn’t fall within any specified subnet
  • There is no matching IP in the ips array

IP Restriction Denied

{
  "error": "Access restricted to specific IPs"
}
HTTP Status: 403 Forbidden. This error is returned when all of the following hold:
  • The ips array is not empty
  • The client IP doesn’t match any specified IP
  • There is no matching subnet in the subnets array

Testing Restrictions

To test your IP restrictions, first check the public IP your requests leave from:
curl https://api.ipify.org
Then verify access:
curl -v https://your-defdrive-instance.com/ACCESS_LINK_HASH
A successful download from an allowed network and a 403 with the JSON error shown above from any other network is the expected result. Also repeat the request from a disallowed network while supplying an X-Forwarded-For header naming an allowed address; it must still be refused. If it is accepted, the proxy in front of DefDrive (or gin's trusted-proxy setting) is passing client-supplied headers through as the client IP, and the restriction is not protecting anything.
Be careful when setting IP restrictions. If you lock yourself out, you’ll need to update the access record through the API from an allowed IP or delete and recreate the access link.

Updating Restrictions

You can modify IP/subnet restrictions on existing access links:
curl -X PUT https://your-defdrive-instance.com/access/15 \
  -H "Authorization: Bearer YOUR_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Updated Restrictions",
    "public": true,
    "ips": ["198.51.100.99"],
    "subnets": ["192.168.2.0/24"]
  }'

Best Practices

  1. Use Subnets for Organizations - Use CIDR notation for entire office networks rather than listing individual IPs
  2. Combine with Other Restrictions - Layer IP restrictions with TTL, one-time use, and expiration for maximum security
  3. Test Before Sharing - Verify access works from intended networks before distributing links
  4. Document Your Networks - Keep track of which subnets are used for which purposes
  5. Consider Dynamic IPs - Home/mobile users may have changing IPs; subnets may be more reliable than specific IPs
  6. Use /32 for Single Hosts - Specify individual IPs using /32 CIDR notation for consistency

Private Network Ranges

Commonly used private IP ranges (RFC 1918):
  • 10.0.0.0/8 - Large private networks (10.0.0.0 - 10.255.255.255)
  • 172.16.0.0/12 - Medium private networks (172.16.0.0 - 172.31.255.255)
  • 192.168.0.0/16 - Small private networks (192.168.0.0 - 192.168.255.255)
