0

I'm operating a webapp that should be accessible only to a small number of people equipped with tablets. It is served on port 80 of a server that is on our local network behind the ISP router.

The question is: how can I ensure access for authorized users without any other user being able to access it? Non-authorized users should end with a connection reset, as if the port was not open.

I thought of opening a port on the router, redirecting it to the server and securing it with a certificate, but is that even possible?

Another solution could be installing a VPN but it may be too difficult to manage for some users.

Biologeek
  • 101
  • 2

2 Answers

1

There are many ways to go about this, but the right one depends on what other security mechanisms you have in place. Examples:

  • Client certificates. This is very possible, except you want to use port 80, which is typically unencrypted. You would need to reconfigure your web server or put a proxy in front of it, but this is certainly possible. Doing it with Apache is described here, https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#allclients
  • Filter by IP or MAC address at the network level, i.e. in the firewall.
  • Use a VPN as you mentioned. This can be made reasonably transparent for users.
  • Check for an authentication header on the web server, or on a proxy in front of it.

There's undoubtedly more. Some of them are not suitable unless you have additional authentication methods in place, e.g. MAC addresses are easily spoofed. Other options become available if you relax the requirement for the network port to appear closed, because many authentication methods do not operate until the port is opened.

tater
  • 1,445
  • 2
  • 10
  • 12
  • Is the user's MAC address sent in HTTP/HTTPS requests when he's out of the local network? This could be a good solution as we know every device address – Biologeek Dec 17 '20 at 08:01
  • No, typically MAC is not transmitted outside the local network. For iptables, you'd need to use IP address in that case. In any event, once you establish a connection to check HTTP requests, you can no longer make it seem like the port is not open. That requirement is particularly challenging. It can be done using packet inspection, but it makes things more challenging. – tater Dec 17 '20 at 10:36
  • Is there a way to authenticate the caller more strongly? Like he wouldn't even be able to access the server if he does not have the correct certificate (forged specifically for our company) – Biologeek Dec 22 '20 at 15:08
  • If you think of a certificate as a physical key, this is like saying "I don't want people with the wrong key to insert anything into the lock". How do you know the key is right or wrong until it is in the lock? To check a certificate, the server must read it from the client. To read it from the client, a connection must be established. Once a connection is established, you can't go back in time and make it seem like it was never established - the best you can do is terminate it if the certificate is invalid. Consider dropping this requirement and using certificates in the normal way. – tater Dec 22 '20 at 21:05
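The first bullet of this answer (client certificates on Apache, per the linked "allclients" recipe) as an added example; this is not code from the answer, from the asker or from the Apache project. It issues per-tablet certificates from a private CA with openssl and renders a vhost pair where port 80 only redirects to HTTPS and port 443 requires a certificate from that CA. The server name, file paths, CA name and tablet names are placeholder assumptions. As the comments above explain, the TCP connection is still accepted and the TLS handshake started before Apache can reject a client; the port therefore does not look closed, it just refuses to serve anything without a valid certificate.

```sh
#!/bin/sh
# Added example (not from the answer): client-certificate access control for the
# webapp on Apache httpd 2.4. Paths, names and the CA subject are assumptions.

# Create the private CA once. Keep ca.key offline; only ca.crt is copied to the server.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Webapp Tablet CA" -keyout "$dir/ca.key" -out "$dir/ca.crt"
}

# Issue one certificate per tablet and bundle it as a PKCS#12 file for import on the device.
# Arguments: CA directory, tablet name (becomes the CN), export password for the .p12.
issue_client_cert() {
    dir="$1" tablet="$2" pass="$3"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$tablet" \
        -keyout "$dir/$tablet.key" -out "$dir/$tablet.csr"
    openssl x509 -req -days 365 -in "$dir/$tablet.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$tablet.crt"
    openssl pkcs12 -export -inkey "$dir/$tablet.key" -in "$dir/$tablet.crt" \
        -certfile "$dir/ca.crt" -passout "pass:$pass" -out "$dir/$tablet.p12"
    # Sanity check: the new certificate must chain to our CA.
    openssl verify -CAfile "$dir/ca.crt" "$dir/$tablet.crt"
}

# Print the two vhosts. Arguments: server name, server cert, server key, CA cert.
# Port 80 exists only to redirect; the app is served on 443 behind SSLVerifyClient.
render_vhost() {
    [ $# -eq 4 ] || { echo "usage: render_vhost NAME CERT KEY CA" >&2; return 1; }
    name="$1" cert="$2" key="$3" ca="$4"
    cat <<EOF
<VirtualHost *:80>
    ServerName $name
    Redirect permanent / https://$name/
</VirtualHost>

<VirtualHost *:443>
    ServerName $name
    SSLEngine on
    SSLCertificateFile $cert
    SSLCertificateKeyFile $key
    # Only clients presenting a certificate issued directly by our CA (depth 1)
    # get past the handshake; everyone else receives a TLS alert and no content.
    SSLCACertificateFile $ca
    SSLVerifyClient require
    SSLVerifyDepth 1
    DocumentRoot /var/www/webapp
</VirtualHost>
EOF
}

# Usage (assumed paths):
#   make_ca /root/tablet-ca
#   issue_client_cert /root/tablet-ca tablet-01 'import-password'
#   render_vhost app.example.internal /etc/ssl/certs/app.crt /etc/ssl/private/app.key \
#       /etc/ssl/certs/tablet-ca.crt > /etc/apache2/sites-available/webapp.conf
```

The `.p12` bundle is what gets installed on each tablet; the CA's private key never leaves the issuing machine, so a device that was not issued a certificate cannot produce one that passes `SSLVerifyClient require`. Revoking a lost tablet means adding `SSLCARevocationFile` with a CRL signed by the same CA, which this example does not cover.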
0

Your question is somewhat generic. You can do one or more of the following:

  1. Require a valid username/password to access your web app. This can be done at application level or at web server level (ex: apache2).
  2. Protect the access to this IP/port by configuring a firewall. Only specific IPs are allowed. Others are denied. This requires you to get a list of your users' IPs.
  3. Redirect users from http (port 80) to https (port 443) to protect against attacks like man-in-the-middle attack.
  4. Keep the server access private and tunnel your users' traffic to your network (one of the VPN solutions requiring authentication).

Khaled
  • 36,533
  • 8
  • 72
  • 99
  • 5. Authenticate via client certificate – Gerald Schneider Dec 14 '20 at 10:48
  • Thanks @Khaled, the app has a username/password mechanism but I'm not confident in the users' password strength. Filtering via MAC address seems to be a better solution than IP filtering as the IP may regularly change on the user's device. – Biologeek Dec 14 '20 at 12:57
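Option 2 of this answer (and the iptables/IP-address point made in the comments on the other answer) as an added example; this is not code from either answer or from the asker. The script validates an allowlist of IPv4 addresses or CIDR ranges, renders the iptables commands that accept those sources on the web port and answer every other source with a TCP RST, and optionally applies them. A RST is what a client sees as "connection refused", so to a port scan from a non-allowlisted address the port looks closed, which is as close as a firewall gets to the question's requirement. The interface name, port, chain name and sample addresses are assumptions. As the asker's comment notes, this only works while users' addresses are stable; combining it with the VPN of option 4, so the allowlist is the VPN client range, is the usual way to make it so.

```sh
#!/bin/sh
# Added example (not from the answers): IPv4 allowlist for the webapp port with
# REJECT tcp-reset for everyone else. Interface, port and chain name are assumptions.
WEB_PORT="${WEB_PORT:-443}"
WAN_IF="${WAN_IF:-eth0}"
CHAIN="${CHAIN:-WEBAPP_ALLOW}"
IPT="${IPT:-iptables}"

# Validate one entry: a.b.c.d or a.b.c.d/n with octets 0-255 and prefix 0-32.
is_ipv4_cidr() {
    case "$1" in
        */*) addr="${1%/*}"; prefix="${1#*/}" ;;
        *)   addr="$1";      prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac   # only digits and dots, no glob chars
    oldifs="$IFS"; IFS=.; set -- $addr; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Reject the whole file if any non-comment line is not a valid address or CIDR,
# so a typo never silently opens or closes the port for the wrong network.
validate_allowlist() {
    while read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        is_ipv4_cidr "$entry" || { echo "invalid allowlist entry: $entry" >&2; return 1; }
    done < "$1"
}

# Print the shell commands that install the policy; nothing is applied here.
render_rules() {
    allowlist="$1"
    validate_allowlist "$allowlist" || return 1
    # Create the chain if missing, then empty it so repeated reloads are idempotent.
    printf '%s -N %s 2>/dev/null || true\n' "$IPT" "$CHAIN"
    printf '%s -F %s\n' "$IPT" "$CHAIN"
    while read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        printf '%s -A %s -s %s -j ACCEPT\n' "$IPT" "$CHAIN" "$entry"
    done < "$allowlist"
    # Everyone else: RST rather than DROP, so the client gets "connection refused"
    # immediately, the same as a closed port, instead of a timeout.
    printf '%s -A %s -p tcp -j REJECT --reject-with tcp-reset\n' "$IPT" "$CHAIN"
    # Send traffic for the web port on the WAN interface through the chain; -C keeps the jump unique.
    jump="INPUT -i $WAN_IF -p tcp --dport $WEB_PORT -j $CHAIN"
    printf '%s -C %s 2>/dev/null || %s -I %s\n' "$IPT" "$jump" "$IPT" "$jump"
}

# Apply the rendered commands (needs root). Rendering is done first so that an
# invalid allowlist leaves the running firewall untouched.
apply_rules() {
    cmds="$(render_rules "$1")" || return 1
    printf '%s\n' "$cmds" | sh -e
}

# Usage (assumed file): one address or CIDR per line, '#' comments allowed.
#   render_rules /etc/webapp-allowlist.txt      # review the commands
#   apply_rules  /etc/webapp-allowlist.txt      # install them
```

The chain is only reached for TCP traffic to the web port, so the final REJECT rule never affects other services; a connection from an allowlisted source is accepted in the same chain, which is what makes reloading the list safe.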