internal_network
IP-based access control for blocks, Twig templates, routes, and menu items. Show/hide content based on the visitor's network using CIDR notation.
## Features
The Internal Network module provides comprehensive IP-based access control for Drupal. It enables conditional rendering of blocks, Twig template content, routes, and menu items based on configurable IP ranges using standard CIDR notation.
Whether you need to show internal-only content to office users, restrict login pages to VPN networks, or create intranet sections on a public site, this module provides the tools you need.
### Key Features
**Block Visibility Condition**
- Show or hide any block based on the visitor's IP address
- Integrates with Drupal's standard block visibility system
- Per-block IP range overrides (or use global configuration)
- Works with any block type
**Twig Extension for Template Conditions**
- `is_internal_network()` function for use in any Twig template
- Conditionally render content based on the visitor's network
- Support for custom IP ranges per call
- Graceful fallback patterns available
Example:
```twig
{% if is_internal_network() %}
This content is only visible to internal users.
{% endif %}
```
**Route Access Restriction**
- Block access to any Drupal route based on the visitor's IP
- Configure allowed IP ranges using CIDR notation
- Choose between 403 Forbidden response or a redirect to the homepage
- Works with reverse proxies (respects X-Forwarded-For headers)
**Automatic Menu Link Hiding**
- Menu items linking to restricted routes are automatically hidden
- Uses a JavaScript-based approach that preserves full page caching
- No extra configuration needed - just restrict a route
- Graceful degradation when JavaScript is disabled
**Global Configuration**
- Central configuration page for IP ranges
- Enable/disable logging of access decisions
- Test mode for development without being on the internal network
- Configurable test header for spoofing the visitor's IP during testing
**Developer-Friendly API**
- Service: `internal_network.helper` for programmatic access
- Twig function with optional parameter overrides
- AJAX endpoint `/internal-network/status` for client-side detection
- Comprehensive PHPUnit test suite
### Use Cases
- **Intranet Content**: Show internal announcements, links, or tools only to office users
- **Security Hardening**: Restrict login, registration, or password reset to internal networks
- **Staged Rollouts**: Show new features to internal users before public release
- **Administrative Shortcuts**: Display admin links only to users on trusted networks
- **Development/Staging Access**: Protect non-production environments
- **Compliance**: Ensure sensitive content is only accessible from approved networks
### How It Works
1. **IP Detection**: The module detects the visitor's IP address, respecting X-Forwarded-For headers for reverse proxy setups.
2. **CIDR Matching**: IP addresses are checked against configured ranges using standard CIDR notation (e.g., `192.168.0.0/16`, `10.0.0.0/8`).
3. **Caching-Friendly**: Route blocking happens before page cache. Menu hiding uses JavaScript to preserve full page caching while still personalizing the display.
4. **Logging**: Optional logging of all access decisions helps with debugging and auditing.
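
Steps 1 and 2 above, shown in plain PHP as an added example that is not the module's own code: the client IP is taken from X-Forwarded-For only when the connecting peer is a trusted proxy, then matched against CIDR ranges. The function names, the trusted-proxy list and the sample addresses are assumptions; how the module itself parses the header is not shown on this page.

```php
<?php
// Added example, not the module's code; all function names are hypothetical.
/** TRUE when $ip lies inside $cidr (IPv4 or IPv6; a bare address is a single host). */
function ip_in_cidr(string $ip, string $cidr): bool {
  $parts = explode('/', trim($cidr), 2);
  $ipBin = @inet_pton(trim($ip));
  $netBin = @inet_pton($parts[0]);
  if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
    return false; // Unparsable input or IPv4/IPv6 family mismatch.
  }
  $max = strlen($ipBin) * 8;
  $prefix = $parts[1] ?? (string) $max;
  if (!ctype_digit($prefix) || (int) $prefix > $max) {
    return false; // A malformed prefix must never widen the range.
  }
  [$whole, $rest] = [intdiv((int) $prefix, 8), (int) $prefix % 8];
  if (substr($ipBin, 0, $whole) !== substr($netBin, 0, $whole)) {
    return false;
  }
  $mask = (0xFF << (8 - $rest)) & 0xFF; // Zero when the prefix ends on a byte boundary.
  return $rest === 0 || (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

function ip_in_any(string $ip, array $cidrs): bool {
  return (bool) array_filter($cidrs, fn($cidr) => ip_in_cidr($ip, $cidr));
}

/** Honour X-Forwarded-For only when the TCP peer is a trusted proxy; NULL means unknown. */
function resolve_client_ip(string $peer, ?string $xff, array $proxies): ?string {
  if ($xff === null || !ip_in_any($peer, $proxies)) {
    return $peer; // Header ignored: any directly connecting client can set it.
  }
  // Walk right to left: the first hop that is not a trusted proxy is the client.
  foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
    if (!ip_in_any($hop, $proxies)) {
      return @inet_pton($hop) === false ? null : $hop;
    }
  }
  return $peer; // Every hop was a trusted proxy.
}

// Constructed sample data (documentation address ranges).
$internal = ['10.0.0.0/8', '192.168.0.0/16'];
$proxies = ['203.0.113.10/32'];
$cases = [['198.51.100.7', '10.1.2.3'], ['203.0.113.10', '10.1.2.3, 198.51.100.7'], ['203.0.113.10', '192.168.4.20']];
foreach ($cases as [$peer, $xff]) {
  $ip = resolve_client_ip($peer, $xff, $proxies);
  printf("%s | %s => %s\n", $peer, $xff, $ip !== null && ip_in_any($ip, $internal) ? 'internal' : 'external');
}
```

In Drupal, the list of trusted proxies is configured in `settings.php` through `$settings['reverse_proxy']` and `$settings['reverse_proxy_addresses']`.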
## Post-Installation
### Configuration
Navigate to `/admin/config/system/internal-network` to configure:
- Internal IP ranges (CIDR notation, one per line)
- Enable/disable logging
- Enable/disable route restriction
- Routes to restrict (Drupal route names)
- Action for blocked routes (deny or redirect)
- Test mode settings