NEBULA - IPGUARD (ACCESS CONTROL)

Nebula - IPGuard (Access Control)

Published November 2025

    •    Updated this week

Plugin details

Nebula - IPGuard (Access Control) is a powerful security plugin that allows you to restrict application access based on the user's public IP address. Perfect for internal systems, corporate apps, intranet setups, and any environment where you need employees or users to log in only from authorized networks.

Nebula - IPGuard (Access Control)

Description

Overview
Nebula – IPGuard (Access Control) brings enterprise-grade network restriction to Bubble apps with an intuitive, no-code interface.  
It allows you to authorize or deny access based on the user’s current public IP address — ensuring that only approved networks (such as office IPs) can access your application.

Ideal for businesses that want to protect internal systems, dashboards, CRMs, or any app that must only be accessed inside the company network.

How It Works
Client IP Detection: the plugin’s element automatically fetches the user’s public IP when the page loads.
Server-Side Validation: the SSA compares the captured IP with a whitelist of authorized IPs or CIDR ranges.
Accurate Matching: supports exact IPs (e.g., 187.57.174.99) and full CIDR ranges (e.g., 187.57.174.0/24).
Workflow Integration: easily trigger logouts, redirects, alerts, or logs depending on authorization results.
Enterprise Reliability: works entirely inside Bubble — no external servers or webhooks required.

When to Use
To restrict access to internal dashboards or administrative areas.
When your app should only be usable inside the company office/network.
To block logins coming from VPNs, residential networks, or unauthorized locations.
For SaaS apps that need IP-based security rules for certain roles or subscriptions.
To comply with internal IT policies where network-level access is mandatory.

Benefits
Adds an essential layer of security to Bubble apps.
Simple IP management using a Bubble property or database list.
Ensures users only access your system from safe, recognized networks.
No need for custom servers, scripts, or API infrastructure.
Lightweight, fast, and designed for production environments.

Key Features
Automatic IP Detection: the plugin element fetches the user’s public IP client-side.
Server-Side Validation (SSA): ensures the validation logic is secure and workflow-friendly.
Supports IP Lists & CIDR: whitelist single IPs or entire ranges.
High Compatibility: works with any Bubble workflow, action, or database setup.
Access Logging: integrate into your own logging system to track allowed/denied attempts.
Zero Dependencies: no external backend or third-party API required.

$100

One time • Or $10/mo

 stars   •   0 ratings

2 installs  

This plugin does not collect or track your personal data.

Platform

Web & Native mobile

Contributor details

Nebula

Joined 2023   •   24 Plugins

View contributor profile

Instructions

Usage Guide

1. Installation
Install the Nebula – IPGuard (Access Control) plugin from the Bubble plugin tab.
Place the element Nebula – IPGuard Finder anywhere on the page you want to protect.
No visual configuration is needed — the element works silently in the background.

2. Core Functionality
The plugin uses a two-step approach:
Client-side detection: the element automatically retrieves the user's public IP address as soon as the page loads.
Server-side validation (SSA): workflow action Check IP Access validates the IP against your allowed IP list.

3. Plugin Element (Client Side)
The element exposes the following real-time state:

Current User IP (text): the public IP address detected on the user's browser.

Usage:
Place the element once per page.
Use its state in workflows, conditions, or the server-side action.

4. Server-Side Action: Check IP Access
This action securely validates the user's IP on the server side.

Inputs
Client IP (text): usually set to Nebula - IPGuard Finder.
Allowed IP List (text list): list of authorized IPs or CIDR ranges.

Returned Values
Current User IP (text): normalized IP used in validation.
allowed (yes/no): whether the client IP is authorized.
reason (text): "ok", "ip_not_authorized", "invalid_ip_format", or other validation results.

5. Allowed IP Formats
You may authorize:

Single IPs: 192.51.170.99
Multiple IPs: 192.51.170.99, 31.123.46.90
CIDR Ranges: 192.51.170.0/24 (all IPs between 192.51.170.0 and 192.51.170.255)
Bubble text lists: directly using dynamic lists from the database.

6. How to Use in Workflows
A common workflow to protect a page:

Step 1: Trigger an event (e.g., Page is loaded, or a custom trigger).
Step 2: Run Check IP Access
Set Client IP = Nebula – IPGuard Finder Current User IP
Set Allowed IP List = List of IPs from DB or static list
Step 3: Add conditions:
If Check IP Access's allowed is "no":
Log the user out
Redirect to a "Not Authorized" page
Show an alert explaining restricted access
If allowed is "yes": continue loading normally

7. Best Practices
Place the element at the top of the page hierarchy to ensure the IP is fetched immediately.
Use a database field for authorized IPs if you need easy updates without republishing the app.
If your app has multiple protected pages, use a reusable element containing the IPGuard workflow logic.
Consider redirecting unauthorized traffic to a branded error page instead of a generic message.
Use CIDR blocks to authorize entire office networks (e.g., 10.1.0.0/16).

8. Example Use Cases
Corporate Internal Systems: allow access only from office IPs or VPN gateways.
Admin Dashboards: add a security layer beyond login credentials.
SaaS Tiered Access: restrict certain features for clients based on IP regions.
Compliance Requirements: enforce access rules aligned with internal IT policies.

9. Troubleshooting
The IP is always unauthorized: check if allowed list contains spaces, hidden characters, or object fields.
The client_ip is empty: ensure the element is on the page and not hidden inside conditions preventing initialization.
CIDR not matching: validate your CIDR format (e.g., /24, /16).
Dynamic lists not working: confirm the list is being passed as a Bubble text list, not as a single object.

10. Support
For documentation, updates, and support, visit: https://nebulapps.com.br
You can also reach the Nebula team via the contact form or email available on the website.

Types

This plugin can be found under the following types:

Element   •   Action

Resources

Support contact

Documentation

Tutorial

Rating and reviews

No reviews yet

This plugin has not received any reviews.

Product

Bubble for

Discover

Learn

Resources

Community

Company

Legal

Bubble uses cookies

Bubble uses cookies. By using our service you consent to all cookies in accordance with our Cookie Policy. Read more

Save & Close

I agree

I disagree

Show details

Strictly necessary

Performance

Targeting

Functionality

Unclassified

Cookie declaration

About cookies

Strictly necessary

Performance

Targeting

Functionality

Unclassified

Strictly necessary cookies allow core website functionality such as user login and account management. The website cannot be used properly without strictly necessary cookies.

Cookie report
Name	Provider / Domain	Expiration	Description
usprivacy	.bubble.io	1 year	This cookie stores the user's consent state regarding tracking and privacy in compliance with the United States privacy regulation.
__cf_bm	Cloudflare Inc. .calendly.com	29 minutes 45 seconds	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
__cf_bm	Cloudflare Inc. .clutch.co	29 minutes 55 seconds	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
li_gc	LinkedIn Corporation .linkedin.com	5 months 4 weeks	Used to store guest consent to the use of cookies for non-essential purposes
__cf_bm	Cloudflare Inc. .transformo.io	29 minutes 57 seconds	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
meta_u1main	.bubble.io	Session
__cf_bm	Cloudflare Inc. .lu.ma	29 minutes 44 seconds	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
meta_live_u2main.sig	.bubble.io	2 days 23 hours
_GRECAPTCHA	Google LLC www.google.com	5 months 4 weeks	Google reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cf_bm	Cloudflare Inc. .producthunt.com	29 minutes 57 seconds	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
_GRECAPTCHA	Google LLC www.recaptcha.net	5 months 4 weeks	Google reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
_gd_session	bubble.io	4 hours	This cookie manages user sessions on the website, ensuring that user interactions are recognized across various web requests. This helps in providing a consistent and accurate user experience.
_scid	Snap Inc. .bubble.io	1 year 1 month
opt_out	.postrelease.com	1 year	This cookie is used to track the user's decision to opt out of cookies on the website, indicating they have chosen not to have their data used for tracking and personalisation purposes.
AWSALBCORS	Amazon.com Inc. storm.birdie.so	6 days 23 hours	For continued stickiness support with CORS use cases after the Chromium update, we are creating additional stickiness cookies for each of these duration-based stickiness features named AWSALBCORS (ALB).
VISITOR_PRIVACY_METADATA	YouTube .youtube.com	5 months 4 weeks	This cookie is used to store the user's consent and privacy choices for their interaction with the site. It records data on the visitor's consent regarding various privacy policies and settings, ensuring that their preferences are honored in future sessions.
__cf_bm	Cloudflare Inc. .lumacdn.com	29 minutes 58 seconds	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
_tt_enable_cookie	.bubble.io	2 months 4 weeks	This cookie is used to remember the user's preferences regarding the use of cookies on the website.
AWSALBCORS	Amazon.com Inc. app.birdie.so	1 week	For continued stickiness support with CORS use cases after the Chromium update, we are creating additional stickiness cookies for each of these duration-based stickiness features named AWSALBCORS (ALB).
__cf_bm	Cloudflare Inc. .t.co	29 minutes 44 seconds	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
__cf_bm	Cloudflare Inc. .twitter.com	29 minutes 44 seconds	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
__cf_bm	Cloudflare Inc. .vimeo.com	29 minutes 58 seconds	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
__session	.gitbook.com	1 year 1 month	This cookie is used to maintain an anonymized user session by the server.
meta_live_u2main	.bubble.io	2 days 23 hours
CookieScriptConsent	CookieScript .bubble.io	1 year 1 month	This cookie is used by Cookie-Script.com service to remember visitor cookie consent preferences. It is necessary for Cookie-Script.com cookie banner to work properly.
meta-firebase_workflow	.bubble.io	59 minutes 21 seconds

Performance cookies are used to see how visitors use the website, eg. analytics cookies. Those cookies cannot be used to directly identify a certain visitor.

Cookie report
Name	Provider / Domain	Expiration	Description
X-AB	Stack Exchange Inc. sc-static.net	1 day
_ga_G4MHXCYE4T	.bubble.io	1 year 1 month	This cookie is used by Google Analytics to persist session state.
m	Stripe m.stripe.com	1 year 1 month	This cookie is generally used for performance and optimization of payment processing services, facilitating caching of content on the browser to make pages load faster.
_ttp	.bubble.io	2 months 4 weeks	This cookie is used to track user interaction and behavior on the website for site performance and usage analysis. This information is used to improve the user experience and optimize the website's functionality.
analytics_session_id	Cakemail .bubble.io	1 year	This cookie tracks user behavior throughout the session on the website, collecting data such as how long a visitor stays on a page and what links they click on. This information is used to improve user experience and website performance.
data-c	Media.net .media.net	4 weeks 2 days	This cookie is used to collect information on user behavior and interaction to enhance the user experience and measure website performance.
_gd_visitor	bubble.io	1 year 1 month	This cookie is used to track visitors' interactions with the website, collecting data on their behavior for analytics purposes. It helps in understanding how users engage with the site, which parts of the site are most visited, and how the navigation flow is structured, aiming to improve the user experience and site performance.
_ttp	.tiktok.com	2 months 4 weeks	This cookie is used to track user interaction and behavior on the website for site performance and usage analysis. This information is used to improve the user experience and optimize the website's functionality.
analytics_session_id.last_access	.bubble.io	1 year	This cookie is used to store the time of the last access by a user in an analytics session, helping in understanding user engagement and the effectiveness of the website content.
_ga_BFPVR2DEE2	.bubble.io	1 year 1 month	This cookie is used by Google Analytics to persist session state.
ahoy_visit	Teachable store.bubble.io	4 hours	This cookie is used to track a visitor's session, helping to understand how users interact with the site to improve user experience and functionality.
_ga_5Q4JP8E2X4	.bubble.io	1 year 1 month	This cookie is used by Google Analytics to persist session state.
_ga_CEPZJCHM3K	.bubble.io	1 year 1 month	This cookie is used by Google Analytics to persist session state.
data-c-ts	Media.net .media.net	4 weeks 2 days	This cookie is used to time-stamp and perform a time sync for users' sessions, ensuring accurate session time tracking.
_ga	Google LLC .bubble.io	1 year 1 month	This cookie name is associated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_ga_Y168TZXEQ5	.bubble.io	1 year 1 month	This cookie is used by Google Analytics to persist session state.
ajs_anonymous_id	Segment.io Inc. .bubble.io	1 year	These cookies are generally used for Analytics and help count how many people visit a certain site by tracking if you have visited before. This cookie has a lifespan of 1 year.
c	.bidswitch.net	1 year	This cookie is used to identify the frequency of visits and how the visitor accesses the website. It collects data on the user's visits to the website, such as which pages have been read.

Targeting cookies are used to identify visitors between different websites, eg. content partners, banner networks. Those cookies may be used by companies to build a profile of visitor interests or show relevant ads on other websites.

Cookie report
Name	Provider / Domain	Expiration	Description
YSC	Google LLC .youtube.com	Session	This cookie is set by YouTube to track views of embedded videos.
personalization_id	Twitter Inc. .twitter.com	1 year 1 month	This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.
CMPRO	Casale Media Inc. .casalemedia.com	2 months 4 weeks	These cookies are linked to advertising and tracking the products users were looking at.
_scid_r	.bubble.io	1 year 1 month	This cookie is used for tracking purposes, helping to identify unique visitors across sessions and track their interactions and engagement on the website.
tv_UICR	.tremorhub.com	4 weeks 2 days	This cookie is used to track user interactions and engagement with the website's content to improve the service and content delivery. It can collect data on user behavior and preferences to facilitate targeted advertising and marketing strategies.
VISITOR_INFO1_LIVE	Google LLC .youtube.com	5 months 4 weeks	This cookie is set by Youtube to keep track of user preferences for Youtube videos embedded in sites;it can also determine whether the website visitor is using the new or old version of the Youtube interface.
tvid	Tremor Video DSP .tremorhub.com	1 year	This cookie is used for tracking user interaction and engagement with the website's content, helping in the improvement and optimization of online services provided. It may also be used for delivering personalized advertising experiences.
uid	.criteo.com	1 year	This cookie provides a uniquely assigned, machine-generated user ID and gathers data about activity on the website. This data may be sent to a 3rd party for analysis and reporting.
_uetsid	Microsoft Corporation .bubble.io	1 day	This cookie is used by Bing to determine what ads should be shown that may be relevant to the end user perusing the site.
lidc	Microsoft Corporation .linkedin.com	1 day	This is a Microsoft MSN 1st party cookie that ensures the proper functioning of this website.
_uetvid	Microsoft Corporation .bubble.io	1 year 3 weeks	This is a cookie utilised by Microsoft Bing Ads and is a tracking cookie. It allows us to engage with a user that has previously visited our website.
addshoppers	shop.pe	1 year 1 month	This cookie is used to track user interaction and sharing behavior on social media platforms, enabling personalized marketing and social media sharing capabilities.
_gcl_au	Google LLC .bubble.io	3 months	Used by Google AdSense for experimenting with advertisement efficiency across websites using their services
addshoppers.com	bubble.io	1 year 1 month	This cookie is associated with the AddShoppers social sharing platform, a technology that integrates with websites to enable tracking and sharing capabilities across social networks. It supports social media integration and can gather data regarding sharing and social interactions on the site to help understand user influence and to enhance marketing strategies.
CMID	Casale Media Inc. .casalemedia.com	1 year	These cookies are linked to advertising and tracking the products users were looking at.
bcookie	Microsoft Corporation .linkedin.com	1 year	This is a Microsoft MSN 1st party cookie for sharing the content of the website via social media.
tuuid_lu	.bidswitch.net	1 year	Contains a unique visitor ID, which allows Bidswitch.com to track the visitor across multiple websites. This allows Bidswitch to optimize advertisement relevance and ensure that the visitor does not see the same ads multiple times.
tuuid	.bidswitch.net	1 year	This cookie is mainly set by bidswitch.net to make advertising messages more relevant to the website visitor.
_fbp	Meta Platform Inc. .bubble.io	2 months 4 weeks	Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers
ab	.agkn.com	1 year	This cookie is generally provided by agkn.com and is used for advertising purposes.
demdex	Adobe Inc. .demdex.net	5 months 4 weeks	This cookie helps Adobe Audience Manger perform basic functions such as visitor identification, ID synchronization, segmentation, modeling, reporting, etc.
sc_at	Snap Inc. .snapchat.com	1 year
MUID	Microsoft Corporation .bing.com	1 year	This cookie is widely used my Microsoft as a unique user identifier. It can be set by embedded microsoft scripts. Widely believed to sync across many different Microsoft domains, allowing user tracking.
dpm	Adobe Inc. .dpm.demdex.net	5 months 4 weeks	Adobe Audience Manager - data management platform uses this cookie to record information around synchronisation of IDs.
CMPS	Casale Media Inc. .casalemedia.com	2 months 4 weeks	These cookies are linked to advertising and tracking the products users were looking at.

Functionality cookies are used to remember visitor information on the website, eg. language, timezone, enhanced content.

Cookie report
Name	Provider / Domain	Expiration	Description
ajs_anonymous_id	Segment.io Inc. .loom.com	1 year 1 month	These cookies are generally used for Analytics and help count how many people visit a certain site by tracking if you have visited before. This cookie has a lifespan of 1 year.
loom_anon_comment	Loom .loom.com	1 year 1 month	This cookie is used to differentiate anonymous users when they leave comments on holaspirit.com, enabling the identity of the commenter to remain unknown for privacy.
_cfuvid	.vimeo.com	Session	This cookie is used for purposes of tracking users across sessions to optimize user experience by maintaining session consistency and providing personalized services.
__stripe_mid	Stripe Inc. .bubble.io	1 year	This cookie is set by Stripe to distinguish users and enable secure payment processing during interactions with the website.
_cfuvid	.calendly.com	Session	This cookie is used for purposes of tracking users across sessions to optimize user experience by maintaining session consistency and providing personalized services.
ajs_anonymous_id	Segment.io Inc. demo.arcade.software	1 year	These cookies are generally used for Analytics and help count how many people visit a certain site by tracking if you have visited before. This cookie has a lifespan of 1 year.
__stripe_sid	Stripe Inc. .bubble.io	29 minutes 58 seconds	This cookie is set by Stripe to manage and process payments securely, allowing temporary storage of session related information during a users visit to the website.
loom_referral_video	Loom, Inc. .www.loom.com	Session	This cookie is used to track referrals and video plays across the website, enabling the website to attribute video views to the correct referral sources.
MSPTC	Microsoft .bat.bing.com	1 year	This cookie is used to track user engagement and interaction with the website to enhance customer experience and website functionality. It may collect information about how users navigate and use the site, helping to identify preferences and improve service delivery.
visitor-id	Media.net .media.net	1 year	This cookie is used to identify unique visitors across the website to provide a consistent and personalized experience.

Unclassified cookies are cookies that do not belong to any other category or are in the process of categorization.

Cookie report
Name	Provider / Domain	Expiration
__Secure-ROLLOUT_TOKEN	.youtube.com	5 months 4 weeks
ttcsid	.bubble.io	2 months 4 weeks
intercom-device-id-cz703g22	.bubble.io	8 months 4 weeks
intercom-session-cz703g22	.bubble.io	1 week
kwsu	ciqtracking.com	1 year 1 month
CrossDomainCookieScriptConsent_239	.crossdomain.cookie-script.com	1 year 1 month
__BROWSER__	store.bubble.io	Session
ahoy_visitor	store.bubble.io	1 year 1 month
bubble-certifications_live_u2main	.certification.bubble.io	3 days
_ScCbts	.bubble.io	1 week
_brilliant_session	.bubble.io	Session
bubble-certifications_live_u2main.sig	.certification.bubble.io	3 days
ttcsid_CRGSJIJC77UAMBH9S77G	.bubble.io	2 months 4 weeks
bubble-certifications_u1main	.certification.bubble.io	Session
_iub_cs-57859130-uspr	.bubble.io	1 year
intercom-id-cz703g22	.bubble.io	8 months 4 weeks
muc_ads	Twitter .t.co	1 year 1 month
upgrade_pv_1487181547537x364191731148390400	bubble.io	1 week

Cookies are small text files that are placed on your computer by websites that you visit. Websites use cookies to help users navigate efficiently and perform certain functions. Cookies that are required for the website to operate properly are allowed to be set without your permission. All other cookies need to be approved before they can be set in the browser.

You can change your consent to cookie usage at any time on our Privacy Policy page.

Your consent will also apply to the following websites:

bubble.io
flusk.eu

Nebula - IPGuard (Access Control)

Plugin details

$100

One time • Or $10/mo

Other actions

Platform

Contributor details

Instructions

Types

Categories

Resources

Rating and reviews

No reviews yet