⚠️ Status: untested. This extension is provided as-is and has not been tested in production. Please feel free to fork, modify, improve, and open pull requests.Licensed under GNU GPLv3 (see LICENSE).
Screens storefront visitors against the ip-block.com IP-screening service and blocks flagged IP addresses. Built and verified against OpenCart 4.1.0.3.
- Runs as early as possible on storefront requests via an event registered on
catalog/controller/*/before(fires before the main page controller runs). - Because the trigger is
catalog/-prefixed, the admin application never loads it -- you cannot be locked out of the back office. - Determines the real client IP (optionally from
CF-Connecting-IP/X-Forwarded-For). - Sends
POST https://api.ip-block.com/v1/checkwith a 1 second timeout. - Blocks the visitor only when the API returns
{"action":"block"}. - On any error/timeout/non-2xx response it applies the fail mode (default fail open = allow).
- Caches each decision (default 300s) keyed by
md5(ip|user_agent|referrer)using OpenCart's native cache. - Always honours the whitelist.
- Copy the contents of
upload/into your OpenCart root, so the extension lives atextension/ipblock/. (Or zip the extension per the OpenCart marketplace layout and upload it via Extensions > Installer.) - Go to Extensions > Extensions, choose Modules from the dropdown, find IP Block Protection, and click the + (Install) button. Installing registers the storefront event automatically.
- Click the pencil (Edit) button to configure.
| Setting | Purpose |
|---|---|
| Enable protection | Master on/off switch. |
| Site ID | Your ip-block.com site identifier. |
| API key | Your ip-block.com API key (sent in the request body). |
| API URL | Endpoint. Default https://api.ip-block.com/v1/check. |
| Fail open | On API failure: Yes = allow (default), No = block. |
| Cache TTL | Seconds to cache a decision. 0 = check on every request. Default 300. |
| Behind a proxy/CDN | Read real IP from CF-Connecting-IP / X-Forwarded-For. |
| Block action | redirect (default) to the blocked page, or message (HTTP 403). |
| Block message | Text shown when Block action = message. |
| Whitelist | IP addresses never blocked, one per line. |
upload/extension/ipblock/
├── install.json Extension metadata
├── admin/
│ ├── controller/module/ipblock.php Settings + install()/uninstall() (event register)
│ ├── language/en-gb/module/ipblock.php Admin language strings
│ └── view/template/module/ipblock.twig Settings form
├── catalog/
│ └── controller/module/ipblock.php Event guard (the .guard callback)
├── system/
│ └── library/ipblock/
│ ├── client.php HTTP POST client (1s timeout)
│ └── checker.php Whitelist + cache + fail mode + real IP
└── README.md
- Settings are stored in the
settingtable under themodule_ipblockgroup; the API key is stored there in clear text (OpenCart has no native at-rest encryption for settings) -- restrict DB/admin access accordingly. - The event is registered with code
ipblock; uninstalling the module removes it. - Uninstall does not delete stored settings, so re-installing keeps your config.