3

I know this may be very basic, but I have a website on my server that I would only like to be accessed by VPN. I have OpenVPN running on my Windows machine and it is connecting to my server with the VPN. When the VPN connects I can use the VPN's IP address to hit the site on my server. I would like to block all other methods such as the actual site IP or my domain name. Would I use htaccess? What is normally done for private access only.

Craig Tucker
  • 1,051
  • 1
  • 11
  • 27

1 Answers1

3

Let's say that your server vpn ip is 10.1.2.3 then you should add to your apache configuration

Listen 10.1.2.3:80

so that you will bind Apache - i.e. will accept incoming requests - only to that address.

Also:

The Listen directive does not implement Virtual Hosts - it only tells the main server what addresses and ports to listen on. If no directives are used, the server will behave in the same way for all accepted requests. However, can be used to specify a different behavior for one or more of the addresses or ports. To implement a VirtualHost, the server must first be told to listen to the address and port to be used. Then a section should be created for the specified address and port to set the behavior of this virtual host. Note that if the is set for an address and port that the server is not listening to, it cannot be accessed.

i.e. you could leave the original listen directive (listen to all interfaces) and filter the access per virtual host having your "private" virtual host configured like that:

<VirtualHost 10.1.2.3:80>

see http://httpd.apache.org/docs/2.4/bind.html

Finally if for some reason you are restricted to .htaccess only, then you could do in .htaccess:

Order Deny,Allow
Deny from all
Allow from 10.1.2.1/24

i.e. allowing access only from your vpn subnet.

Take care that you will need to restart the web server after every change.

Ioannis Lalopoulos
  • 1,491
  • 1
  • 12
  • 20
  • Thankyou. I tried the virtual host method and for some reason it was not excluding even after restarting the server. I used the .htaccess method and that worked. Is there any risk with this. Is it less secure? – Craig Tucker Feb 16 '16 at 09:38
  • @CraigTucker It should be fine, however .htaccess are to be avoided due to performance downgrade and because you don't have a centralized management of them and you could in some cases turn them off accidentaly (for the last one see http://www.acunetix.com/blog/articles/htaccess-security/) – Ioannis Lalopoulos Feb 16 '16 at 09:51