I'm developing a web application using Laravel, hosted on a public cloud. Right now, the application can be accessed publicly on the internet via its domain address. However, I want to restrict it so that only users who are connected to the organization's networks are able to use the application, since we do not want the application to be used at home or elsewhere.
At the moment, the organization has 2 places (2 public internet networks) from which they must be able to access the application. Both of them use home-standard internet, where the IP address changes every time the internet reconnects. As we do not have static IP addresses, I cannot filter users by using an IP address filter. The IP filter rule must be changed every time the organization's network reconnects.
My application already has a solid authentication and authorization mechanism and, of course, the users must know this information since they must access the app for work. However, this doesn't meet the requirement.
I have thought about a VPN, but it (probably) doesn't work because if we allow users access to the VPN, they would still be able to access the VPN from anywhere and use the application outside the workplaces. If we restrict the VPN client to access from a specific IP address, then when the IP changes, the same problem occurs.
To sum up, I would like to ask for advice on how to restrict access to a web application, hosted on the public internet, to users who are connecting from a public IP address that can change every time the internet reconnects. The requirement may sound strange, but it is as it is. Please feel free to ask for more details if you want to, and to have a discussion on the suggestions.
Thank you in advance.