Restricting certain projects based on IP

Any ip based solution that is piecemeal isn't going to really be encompassing enought be called "security."

If it really is necessary for some projects to have restricted access from offsite; I'd suggest moving these projects to a separate jira instance that is completely restricted from the outside world, then force people to either be in the private network or vpn to access this box.

The above is a pretty good summary of facts.

I'm not sure how this plugin you speak of works, so I couldn't really speak to how effective (from a security standpoint) that would be, but I believe the common advice of separating secure vs less secure elements and sequestering the more secure content in it's own jira instance that is controlled by more stringent network security rules is the best practice if content is deemed secret.

Many thanks for everyone who answered the question. Few things that I may need to highlight based on your answers to this question,

1. Apache/httpd URL filtering does not work. Projects can be blocked, issues can be blocked, but viewing attachments can't be blocked. Attachment URL does not contain any project ID.
2. Blocking projects won't prevent users from downloading project data in other formats.
3. Still IP spoofing is possible.

An alternative and intermediate solution would be restricting users based on their IP addresses, rather than the project. We accomplished that with an in-house built plugin.

Further RND is required to find out whether it is possible to implement any security mechanism like a public/ private key pair.

Cheers!

Why go with IP, I guess best is to have a permission scheme restriction and restrict those projects to only some set of users. This would also give them flexibility to login from any IP they want.

Don't forget that it's a doddle to spoof an ip address.

It is actually very simple to do it. The very basic solution is this:

1) Place an apache httpd in front of Jira (or ngix)

2) Configure the reverse proxy to access jira http://httpd.apache.org/docs/current/mod/mod_proxy.html

3) Use:

<LocationMatch "^/jira/browse/PRJKEY.*">

Require ip 192.168.0.0

</LocationMatch>

What I would do, though:

a) Alternatively, you can play with mod rewrite, and rewrite the request from home to point to a page which is says "This project is only accesible from office".

or

b) You can even augment the java application if you do not want to put apache httpd in front of your jira. Check this filter http://urlrewritefilter.googlecode.com/ I heard that it works ok.

There's nothing like that out of the box in Jira. Personally I agree with this response https://answers.atlassian.com/questions/30775/how-to-restrict-jira-access-browsing-only-to-a-certain-set-of-ip-s You should try to configure this on firewall level or put a web server infront of Jira.

You could set up some rules that would prevent access to issues and project itself based on user IP and target url that in general matches pattern http://[server]/jira/browse/[projectkey]-123 but this will have holes in it (you'll still be able to get search results, access xml view, etc.).

If you're into development you might create a proxy that would require authentication on first request, check the user agains Jira project assignements (e.g. using REST API) and then switch to pass-through mode if user is OK to access Jira or block the connection if not.