I have a firewall rule which together with annotations allows only access to actions as specific user.
Additionally I would love to block ANY login if it is not coming from a certain network. Searching for a solution I came across additional access_control rules following this guide.
The problem there is, if I restrict my login page via IP rules. I always get an ERR_TOO_MANY_REDIRECTSerror if someone tries to reach it. I would rather love to have a "Page not Found" message to not even make someone from outside aware there could be any login.
How can I do this with Symfony?
security.yml:
security:
...
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
default:
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
logout: true
anonymous: true
access_control:
- { path: ^/logout$, role: ROLE_ADMIN }
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https, ips: [127.0.0.1, fe80::1, ::1]}
- { path: ^/login$, roles: ROLE_NO_ACCESS }
- { path: ^/admin, role: ROLE_ADMIN, requires_channel: https}
If I am not mistaken, what Symfony does here, is try and match the role of the user to what is required for the path. If it doesn't match one of those roles, it sends the user to the login page.
The problem is, the login page is where the user has just come from. Thus the user gets into an infinite loop as their condition can never be met.
I would suggest putting the login page itself outside of the firewall and just put the IP check within the code of the LOGIN page and if not met, dump out somewhere else, which isn't within the firewall.