diff --git a/config.py.example b/config.py.example
index 6a2747491b3be01af107c3149c9aa9aef0233f6c..19ad921d65699e378145762d715c06ed37be4398 100644
--- a/config.py.example
+++ b/config.py.example
@@ -26,3 +26,4 @@ SQLITE_INIT_DATA = True
 #LDAP_HOST = 'ldaps://rumo.fsmpi.rwth-aachen.de'
 #ICAL_URL = 'https://user:password@mail.fsmpi.rwth-aachen.de/SOGo/....ics'
 ERROR_PAGE = 'static/500.html'
+RWTH_IP_RANGES = ['134.130.0.0/16', '137.226.0.0/16', '134.61.0.0/16', '192.35.229.0/24', '2a00:8a60::/32']
diff --git a/server.py b/server.py
index 3e5993ea0b593c7865da53d1fe65ad76f7ac3a36..35e41fbb14b1da5d53a0d466a05315bf26936e5c 100644
--- a/server.py
+++ b/server.py
@@ -142,6 +142,12 @@ def checkperm(perms, username=None, password=None):
 elif perm['type'] == 'rwth':
 if session.get('rwthintern', False):
 return True
+ if 'X-Real-IP' not in request.headers:
+ continue
+ ip = ip_address(request.headers['X-Real-IP'])
+ for net in RWTH_IP_RANGES:
+ if ip in ip_network(net):
+ return True
 return False
 
 @app.template_filter()
@@ -574,7 +580,6 @@ def auth(): # For use with nginx auth_request
 if 'X-Original-Uri' not in request.headers:
 return 'Internal Server Error', 500
 url = request.headers['X-Original-Uri'].lstrip(config['VIDEOPREFIX'])
- ip = request.headers.get('X-Real-IP', '')
 if request.cookies.get('tracking', '') and request.cookies['tracking'].isdigit():
 cookie = int(request.cookies['tracking'])
 else:
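Review bot: The new branch in checkperm grants the 'rwth' permission from the `X-Real-IP` request header alone, so it is only as strong as the guarantee that the reverse proxy overwrites that header on every request; a request that reaches the app with a client-chosen value would pass the range check. That dependency deserves a comment at the check and a line in the deployment notes. Separately, `ip_address(...)` raises ValueError for a value that is not an IP literal, which would surface as an error from the permission check rather than a denial; the fence below treats a missing or malformed header as "this rule does not match". No visible hunk brings `ip_address`, `ip_network` or `RWTH_IP_RANGES` into scope in server.py (the other setting visible here is read as `config['VIDEOPREFIX']`), so please confirm those names resolve. The enclosing loop and the start of checkperm are outside the hunk.

```python
        elif perm['type'] == 'rwth':
            # … unchanged: session 'rwthintern' check …
            # X-Real-IP is trusted only because the fronting proxy is expected to overwrite it.
            try:
                ip = ip_address(request.headers.get('X-Real-IP', ''))
            except ValueError:
                # header missing or not an IP literal: this rule does not match
                continue
            if any(ip in ip_network(net) for net in RWTH_IP_RANGES):
                return True
```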