So for my work i made a website to keep track of my to-do’s.
Now I want the website to be available only at my work.
How ever I noticed that I can access the site from home without a VPN.
This is clearly Security risk since I did not invest in any security on this website.
My question is how can I stop the website to be accessed outside of the work network without using a VPN.
I use a LAMP running on debian.
A couple of things:
Since it’s work, your work likely has a static IP.
So since you use LAMP (the ‘P’ being PHP I assume), there are many mechanisms in place for source IP whitelisting.
What you’d have to do is whitelist your local subnet, typically 192.168.1.0/24, and your work’s external IP address, and then this crude bit of security should prevent the robots. But that’s it.
Proper authentication or a VPN solution would be best.
However, I would refrain from posting any sensitive information on your to-do app. Just keep it generalized. I.E Talk to bob about the project, clean my desk, Go to meeting with Jim at 2, etc.
Lastly, I would double-check your work policy on data management/stewardship to ensure you will not get into any legal trouble by exposing work-related possibly sensitive information to the internet.
1 Like
Just configure whatever web server you are using to only serve requests from your work IP address. Something like this would work with Nginx, not sure on the Apache syntax:
allow 12.34.56.78;
deny all;
2 Likes
I agree with both the above, and yes you should be able to do that with Apache too (but its 30 years since I looked at the conf, so … read the conf).
Of the top of my head there is a way to “secure” access without doing anything else, but it requires your ToDo list web page being PHP generated.
Simply pass through a specific HTTP_REFERER to the URL, and check that first thing in your PHP, if its not a “match” exit; imediately (problem solved, no content)
with curl or wget thats easy, but from a browser its a bit tickier, and you’d want to test it anyway, either a static HTML page locally that contains a link to the ToDo List URL, or a local webserver serving said page with said link (I am just not sure if the browser will attach an HTTP_REFERER from a file:// url)
Alternatively you can always (force) authentication for the server/url
Thank for the reactions. For some extra info the web site is indeed php code with html css and a little bit of java script.
I want the website to be only accessible to the internal network because the website is not made with the company template. And I do not want to be the one that needs to tell them that hackers came into the network via my site.
Lastly I do not know which files to edit or which commands to enter. could you tell me which search parameters i can enter to look for a guide.
Check out this link
You can either use a .htaccess or directly from the path itself in your apache host config.
1 Like