• 2022
  • Sep
  • 25

Didn’t make it to the Findlay radio show…

The day wasn’t looking promising. While it didn’t rain up there, the overall mood of the show was somewhat depressed as the threat of weather kept people away. I was told by a person that did attend that the show was still decent. So perhaps next year.

I did manage to make it to an antique engine show the day before, and will post those pictures soon. The next, and probably last radio show that I’ll try and attend this year is in Fort Wayne. Stay tuned for that information!

  • 2022
  • Sep
  • 22

Allow access to a webpage only if inside the LAN?

Recently, I found that I’d like to set up some kind of internal dashboard for systems running inside the LAN. I wanted it to have easy access, and not require you to remember a new address or have to use a special port - it should just automatically resolve with the main website address while inside the LAN and deny you access outside the LAN. Sounds easy, and it is - sort of.

I’m using the Apache webserver, and it has the ability to deny service to you based on the calling IP address. It’s as simple as telling the server what directory you’d like to use, and requiring an IP. I came up with this:

<Virtualhost *:443>
	(the external website materials)

	Alias /inside "/var/www/inside"
		<Directory /var/www/inside
			ErrorDocument 403 /var/www/errordocs/denied.html
			Require ip 192.168.1
		</Directory>

...

</Virtualhost>

Note that you only need to provide the portion of the IP address that you wish to match exactly. In my case, providing 192.168.1 indicates that I’d like to match the entire /24 subnet. (192.168.1.1 - 192.168.1.254)

That worked - sort of. I was able to hit the website from inside the LAN with no issue. Outside the LAN, it denied me access but threw this error:

Forbidden
You don’t have permission to access this resource.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

That’s not what I wanted.The error document was (in the interests of obfusticating the issue) the same as the 404 page (with a slight modification that hopefully wouldn’t be noticed unless you looked for it) to hide the issue from outside parties that may be hitting the website looking for entry points. I know that’s bad practice, but this is a limited access site whose users know what to look for. The error message I received tells the world what the problem is, and even though I turn identification of the server off, probably tells you what I’m running. That won’t work.

The problem here is the Require ip 192.168.1 acts like a “Deny All” when the condition is not met - it even denies the error document regardless of it’s location. I wasn’t really sure how to get over this issue, but doing research revealed that .htaccess files are parsed as soon as the directory is hit, regardless of what else is set in the main configuration file. This isn’t necessarily bad practice, but it’s not best practices. You should strive to keep everything in the main config.

So what is an .htaccess file? Simply put, it’s requirements for the local directory. If you have a directory on your webserver that has a particular access requirement that the rest of the server doesn’t need, you put it here. My case, I was simply going to use it for error documents.

What’s the first thing you do? Find a guide. Someone already answered this question: https://stackoverflo … -use-an-errordocumen. So, following this guide, I did this:

Create .htaccess files in both my webserver root directory and the errordocs directory. In the root directory file goes the error handlers for the webserver:

ErrorDocument 404 /errordocs/nopage.html
ErrorDocument 403 /errordocs/denied.html

Nothing else. In the errordocs file goes a simple directive:

allow from all

This does exactly what it says, and allows from all without restriction. This can be dangerous, so don’t put anything in this directory that you don’t want the world to see!

Some permissions need to be set now:

/var/www/errordocs 		=> 755
/var/www/errordocs/.htaccess 	=> 640
/var/www/errordocs/nopage.html 	=> 644
/var/www/errordocs/denied.html 	=> 644

These permissions are pretty loose, so again: be careful. Put only the things necessary for the error handlers into these directories and files. One last step is to tell the server that you want to use these .htaccess files, otherwise it ignores them. This is part of the rewrite module https://httpd.apache … mod/mod_rewrite.html built in to Apache, so enable that and restart the server.

sudo a2enmod rewrite
sudo systemctl restart apache2

With the server restarted, you should be able to hit your webpage in /var/www/inside with a local IP address, and get an error message when you’re outside the LAN. Alternately, you could redirect, but that’s an entirely different game since you’ve already denied access.

I suspect this is probably obvious to those reading this, but I’ll point it out anyway. This only works if you’re serving pages from inside your own personal LAN. It’s not going to work if you’re using a remote hosting service or if the server is somewhere that can’t see your local IP. Of course, you can always set a particular address as a requirement, but in this case it’s best to make sure you’re not going to get locked out of your own services by a dynamic address change…