- 2022
- Sep
- 22
Allow access to a webpage only if inside the LAN?
Recently, I found that I’d like to set up some kind of internal dashboard for systems running inside the LAN. I wanted it to have easy access, and not require you to remember a new address or have to use a special port - it should just automatically resolve with the main website address while inside the LAN and deny you access outside the LAN. Sounds easy, and it is - sort of.
I’m using the Apache webserver, and it has the ability to deny service to you based on the calling IP address. It’s as simple as telling the server what directory you’d like to use, and requiring an IP. I came up with this:
<Virtualhost *:443> (the external website materials) Alias /inside "/var/www/inside" <Directory /var/www/inside ErrorDocument 403 /var/www/errordocs/denied.html Require ip 192.168.1 </Directory> ... </Virtualhost>
Note that you only need to provide the portion of the IP address that you wish to match exactly. In my case, providing 192.168.1 indicates that I’d like to match the entire /24 subnet. (192.168.1.1 - 192.168.1.254)
That worked - sort of. I was able to hit the website from inside the LAN with no issue. Outside the LAN, it denied me access but threw this error:
Forbidden
You don’t have permission to access this resource.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
That’s not what I wanted.The error document was (in the interests of obfusticating the issue) the same as the 404 page (with a slight modification that hopefully wouldn’t be noticed unless you looked for it) to hide the issue from outside parties that may be hitting the website looking for entry points. I know that’s bad practice, but this is a limited access site whose users know what to look for. The error message I received tells the world what the problem is, and even though I turn identification of the server off, probably tells you what I’m running. That won’t work.
The problem here is the Require ip 192.168.1 acts like a “Deny All” when the condition is not met - it even denies the error document regardless of it’s location. I wasn’t really sure how to get over this issue, but doing research revealed that .htaccess files are parsed as soon as the directory is hit, regardless of what else is set in the main configuration file. This isn’t necessarily bad practice, but it’s not best practices. You should strive to keep everything in the main config.
So what is an .htaccess file? Simply put, it’s requirements for the local directory. If you have a directory on your webserver that has a particular access requirement that the rest of the server doesn’t need, you put it here. My case, I was simply going to use it for error documents.
What’s the first thing you do? Find a guide. Someone already answered this question: https://stackoverflo … -use-an-errordocumen. So, following this guide, I did this:
Create .htaccess files in both my webserver root directory and the errordocs directory. In the root directory file goes the error handlers for the webserver:
ErrorDocument 404 /errordocs/nopage.html ErrorDocument 403 /errordocs/denied.html
Nothing else. In the errordocs file goes a simple directive:
allow from all
This does exactly what it says, and allows from all without restriction. This can be dangerous, so don’t put anything in this directory that you don’t want the world to see!
Some permissions need to be set now:
/var/www/errordocs => 755 /var/www/errordocs/.htaccess => 640 /var/www/errordocs/nopage.html => 644 /var/www/errordocs/denied.html => 644
These permissions are pretty loose, so again: be careful. Put only the things necessary for the error handlers into these directories and files. One last step is to tell the server that you want to use these .htaccess files, otherwise it ignores them. This is part of the rewrite module https://httpd.apache … mod/mod_rewrite.html built in to Apache, so enable that and restart the server.
sudo a2enmod rewrite sudo systemctl restart apache2
With the server restarted, you should be able to hit your webpage in /var/www/inside with a local IP address, and get an error message when you’re outside the LAN. Alternately, you could redirect, but that’s an entirely different game since you’ve already denied access.
I suspect this is probably obvious to those reading this, but I’ll point it out anyway. This only works if you’re serving pages from inside your own personal LAN. It’s not going to work if you’re using a remote hosting service or if the server is somewhere that can’t see your local IP. Of course, you can always set a particular address as a requirement, but in this case it’s best to make sure you’re not going to get locked out of your own services by a dynamic address change…