I have the application on two servers, the first on the DMZ, the second on the LAN. They both use the same database, file synchronization etc. In DMZ I have to remove the admin panel. The removal is too invasive, making future updates difficult.

I wrote a plugin that executes for the beforeControllerAction event and throws a CHttpException (404, "...") when the condition is true: "admin" == $this->event->get("controller") (additionally checks if this is the DMZ).

Will it be a complete solution to deny panel access?

In 3. X near ,
In 4.X : there are more controller and some are not inside admin controller : github.com/LimeSurvey/LimeSurvey/tree/ma...lication/controllers .

BUT : in my opinion : disabling Authentication only must be OK.

Else : maybe you can enable clearly public controller (and plugins if you need direct event)

How to disable only authentication via a plugin?

Can this be done from a config file (no plugin)?

wrote:

How to disable only authentication via a plugin?

Send a 401 with controller is admin and subaction is authentication : you do more when testing controller is admin : then : it's OK, no need more (in my opinion)
OR : use an authentication event : www.limesurvey.org/manual/Authentication...lopment#newLoginForm

wrote:

Can this be done from a config file (no plugin)? 

No …
But in your plugin you can check config (App()->getConfig("isOut") )