Restricting a Website to On-Campus Access Only

Drupal Version

You can restrict your site so that only people who are on-campus (or using the VPN) can access it. This is a great idea for internal-use-only sites and also for all of your development/test websites if you are not using a local stack.

Using .htaccess Configuration

Here's the code to put into the .htaccess file in the root directory of your site (on OIT Web Hosting, this goes under httpdocs or httpsdocs usually):

RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^130.207.
RewriteCond %{REMOTE_ADDR} !^128.61.
RewriteCond %{REMOTE_ADDR} !^143.215.
RewriteCond %{REMOTE_ADDR} !^192.93.8.
RewriteCond %{REMOTE_ADDR} !^10.
RewriteCond expr "! -R ''"
RewriteCond expr "! -R ''"
RewriteCond %{REQUEST_URI} !/vpn-message.html
RewriteRule ^.* /vpn-message.html [R=303,L]

The first three lines cover the main Atlanta campus, while the fourth line (192.93.8.) covers GT Lorraine in France, and the last 3 private campus IP space.  The last RewriteCond line is needed to whitelist your message to off-campus users - otherwise they'll end up in an infinite redirect loop.  Also note the 303 redirect status on the last line: this tells the browser to check back with the server and not cache the redirect.  If you use 301 instead, then a user who connects from off-campus and gets your message file will continue to get it even if they then connect to the VPN.  Using 303 ensures that they'll actually get to your site once they've logged into the VPN.

The method above will direct all outside users to /message.html on your site, where you can post a message about the site being for on-campus use only. An alternate method (shown below) will just give users a 403 Forbidden error, which might be good enough in many cases.

Alternate Method with Basic Apache HTTPD Configuration

The following may be a little easier to maintain than the as the campus network expands and evolves than the version above, but this version will simply give the off-campus user a standard 403 Access Denied error message without any further explanation.

For Apache 2.4 .htaccess

Require all denied
## All Atlanta Campus & VPNs
Require ip
Require ip
Require ip
Require ip
Require ip
Require ip
## GT Lorraine
Require ip

Using a Firewall

If your website is not on OIT Web Hosting, then you can also limit access through firewalls:

Software Firewall

This kind of firewall you have to set up and maintain yourself, so you need to have some basic networking knowledge to get it configured correctly.  On the other hand, you can reconfigure it yourself whenever necessary.  On UNIX style systems (Linux, Mac OS X, etc.), you can use either  ipfilters or ipfw.  On Windows servers, Microsoft provides its own firewalling tools - check your Windows server documentation for more information.

Hardware Firewall

This kind of configuration has to be done via the GT Networking Firewall web application by someone authorized to make changes to the subnet that your server lives on.  The upside to this option is that you don't have to know anything about networking, and you don't have to worry about your firewall breaking when you run upgrades on your server's operating system.  The downside is that if you don't have access to mange the firewall for your subnet then you'll have to send your requests for changes up to whomever manages your subnet.