Restricting a Website to On-Campus Access Only

You can restrict your site so that only people who are on-campus (or using the VPN) can access it. This is a great idea for internal-use-only sites and also for all of your development/test websites if you are not using a local stack.

Using .htaccess Configuration

Here's the code to put into the .htaccess file in the root directory of your site (on OIT Web Hosting, this goes under httpdocs or httpsdocs usually):

RewriteEngine On
# Dots are escaped so each pattern matches only the literal address prefix
RewriteCond %{REMOTE_ADDR} !^130\.207\.
RewriteCond %{REMOTE_ADDR} !^128\.61\.
RewriteCond %{REMOTE_ADDR} !^143\.215\.
RewriteCond %{REMOTE_ADDR} !^192\.93\.8\.
RewriteCond %{REMOTE_ADDR} !^10\.
RewriteCond expr "! -R '172.16.0.0/12'"
# Let the message page itself through, and only that exact path
RewriteCond %{REQUEST_URI} !^/vpn-message\.html$
RewriteRule ^.* /vpn-message.html [R=303,L]

The first three RewriteCond lines cover the main Atlanta campus, the fourth (192.93.8.) covers GT Lorraine in France, and the next two cover private VPN IP space. The last RewriteCond line is needed to whitelist your message to off-campus users; otherwise they'll end up in an infinite redirect loop. Also note the 303 redirect status on the last line: this tells the browser to check back with the server and not cache the redirect. If you use 301 instead, then a user who connects from off-campus and gets your message file will continue to get it even if they then connect to the VPN. Using 303 ensures that they'll actually get to your site once they've logged into the VPN.

The method above will direct all outside users to /vpn-message.html on your site, where you can post a message about the site being for on-campus use only. An alternate method (shown below) will just give users a 403 Forbidden error, which might be good enough in many cases.

For Apache 2.2 .htaccess

Order deny,allow
Deny from all
## All Atlanta Campus & VPNs
Allow from 130.207.0.0/16
Allow from 128.61.0.0/16
Allow from 143.215.0.0/16
Allow from 10.0.0.0/8
Allow from 172.16.0.0/12
## GT Lorraine
Allow from 192.93.8.0/24

For Apache 2.4 .htaccess

Require all denied
## All Atlanta Campus & VPNs
Require ip 130.207.0.0/16
Require ip 128.61.0.0/16
Require ip 143.215.0.0/16
Require ip 10.0.0.0/8
Require ip 172.16.0.0/12
## GT Lorraine
Require ip 192.93.8.0/24
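
The rewrite rules describe the allowed clients with regex prefixes, while the Allow/Require lists use CIDR ranges; the two only agree when every dot in a regex is escaped, because an unescaped "." matches any character. The following check is an added example, not part of the original page: the function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# CIDR ranges from the Allow / Require lists on this page.
CAMPUS_NETS = [ipaddress.ip_network(n) for n in (
    "130.207.0.0/16", "128.61.0.0/16", "143.215.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.93.8.0/24",
)]
VPN_172 = ipaddress.ip_network("172.16.0.0/12")

# The same prefixes written as RewriteCond regexes, with and without
# escaped dots. 172.16.0.0/12 is handled by the CIDR test (-R) instead.
UNESCAPED = [r"^130.207.", r"^128.61.", r"^143.215.", r"^192.93.8.", r"^10."]
ESCAPED = [r"^130\.207\.", r"^128\.61\.", r"^143\.215\.",
           r"^192\.93\.8\.", r"^10\."]


def allowed_by_cidr(addr):
    """True if addr falls inside one of the page's CIDR ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)


def allowed_by_rewrite(addr, patterns):
    """Mimic the RewriteCond chain: the redirect is skipped when any
    prefix regex matches REMOTE_ADDR or the address is in 172.16.0.0/12."""
    if any(re.search(p, addr) for p in patterns):
        return True
    return ipaddress.ip_address(addr) in VPN_172


def mismatches(patterns, samples):
    """Sample addresses on which the regex rules and CIDR rules disagree."""
    return [a for a in samples
            if allowed_by_rewrite(a, patterns) != allowed_by_cidr(a)]


# Constructed sample addresses: the first six lie inside the listed
# ranges, the remaining five lie outside them.
SAMPLES = [
    "130.207.1.1", "128.61.200.9", "143.215.0.5", "192.93.8.77",
    "10.4.5.6", "172.20.1.1",
    "100.64.0.1", "104.16.1.1", "192.93.80.1", "172.32.0.1", "8.8.8.8",
]

if __name__ == "__main__":
    print("unescaped disagrees on:", mismatches(UNESCAPED, SAMPLES))
    print("escaped disagrees on:  ", mismatches(ESCAPED, SAMPLES))
```

An empty list means the regex conditions and the CIDR list admit the same sample clients; re-run it with your own address list whenever you change either form.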

Using a Firewall

If your website is not on OIT Web Hosting, then you can also limit access through firewalls:

Software Firewall

This kind of firewall you have to set up and maintain yourself, so you need to have some basic networking knowledge to get it configured correctly. On the other hand, you can reconfigure it yourself whenever necessary. On UNIX style systems (Linux, Mac OS X, etc.), you can use either ipfilters or ipfw. On Windows servers, Microsoft provides its own firewalling tools - check your Windows server documentation for more information.

Hardware Firewall

This kind of configuration has to be done via the GT Networking Firewall web application by someone authorized to make changes to the subnet that your server lives on. The upside to this option is that you don't have to know anything about networking, and you don't have to worry about your firewall breaking when you run upgrades on your server's operating system. The downside is that if you don't have access to manage the firewall for your subnet then you'll have to send your requests for changes up to whoever manages your subnet.