⚠️ Status: untested. This extension is provided as-is and has not been tested in production. Please feel free to fork, modify, improve, and open pull requests.Licensed under GNU GPLv3 (see LICENSE).
Screens front-end requests through the ip-block.com IP-screening service and blocks disallowed visitors as early as possible in the request lifecycle. Works with Drupal core and Drupal Commerce.
- Platform: Drupal 11 (current stable, tested against 11.4.x; also supports Drupal 10 via
core_version_requirement: ^10 || ^11). - Machine name:
ipblock_protection
A high-priority KernelEvents::REQUEST event subscriber
(src/EventSubscriber/IpBlockSubscriber.php) runs before page rendering. For
each main front-end request it:
- Skips admin-area requests (both resolved admin routes and
/admin,/user/login,/core/...path prefixes) so the operator is never locked out. - Resolves the real client IP (honouring Behind proxy:
CF-Connecting-IP, then the firstX-Forwarded-Forhop). - Always allows whitelisted IPs (never sent to the service).
- Looks up a cached decision keyed by
md5(ip|user_agent|referrer)in the default cache bin. - On a cache miss, calls the ip-block.com API and caches the decision.
- Blocks only when the API returns
{"action":"block"}.
POST https://api.ip-block.com/v1/check
Content-Type: application/json
{"api_key": "...", "site_id": "...", "ip": "...", "user_agent": "...", "referrer": "..."}
Response {"action":"allow"} or {"action":"block"}. A 1 second timeout is
enforced. On any error, timeout, non-2xx response or missing action, the
configured fail mode applies (default: fail open = allow).
- Copy the
ipblock_protectionfolder tomodules/custom/in your Drupal site (i.e.web/modules/custom/ipblock_protection). - Enable it:
drush en ipblock_protectionor via Extend in the UI. - Configure at Administration › Configuration › System › IP Block
Protection (
/admin/config/system/ipblock-protection).
| Setting | Default | Notes |
|---|---|---|
| Enabled | off | Master switch. |
| Site ID / API key | empty | Supplied by ip-block.com. |
| API URL | https://api.ip-block.com/v1/check |
|
| Fail open | on | Allow visitors when the service errors/times out. |
| Cache TTL | 300 |
Seconds. 0 = check every request. |
| Behind proxy | off | Trust CF-Connecting-IP / X-Forwarded-For. |
| Block action | redirect |
redirect to blocked page, or 403 message. |
| Block message | Access denied. |
Used when action is message. |
| Whitelist | empty | One IP per line, always allowed. |
ipblock_protection/
├── ipblock_protection.info.yml
├── ipblock_protection.services.yml
├── ipblock_protection.routing.yml
├── ipblock_protection.links.menu.yml
├── config/install/ipblock_protection.settings.yml
├── config/schema/ipblock_protection.schema.yml
├── src/IpBlockClient.php
├── src/IpBlockChecker.php
├── src/EventSubscriber/IpBlockSubscriber.php
└── src/Form/SettingsForm.php