Feature Request: Option to Automatically Disable Admin Panel Access from External IPs

[Blacks-Army]

Hi,

I’d like to propose a feature that could enhance the security of the admin interface:

Add an option to automatically disable the admin panel if the incoming request originates from an external IP address.

For example:
- Allow access to the admin panel only from private/internal IP ranges (e.g. 192.168.x.x, 10.x.x.x, 172.16.x.x–172.31.x.x).
- Automatically deny or disable the admin panel endpoint when accessed from public/external IPs.

This could be implemented as a configuration option, such as:

ADMIN_ACCESS_RESTRICT_TO_INTERNAL=true

Or possibly allow a list of allowed CIDR ranges:

ADMIN_ALLOWED_IP_RANGES=192.168.0.0/16,10.0.0.0/8

This would reduce the risk of brute-force or unauthorized attempts on the admin panel, especially in environments where Vaultwarden is exposed to the public internet, but you still want to manage it safely from within your local network.

Thanks for considering it!

[BlackDex]

Sounds more like a reverse proxy setting to me. Most reverse proxies allow stuff like this, and they can even add basic auth or other checks in front.

[Blacks-Army]

Yes, it could be done via a reverse proxy and I’m currently using a reverse proxy to block the admin page.

I just thought it could be a nice optional feature for simpler setups without a proxy in front. Would add a bit of extra security with minimal config.

Nextcloud and Jellyfin do the same thing and I liked it this way, as it is more comfortable.