
My office network provides internet access to my employees when they connect to it through the office's router. I want to make a web application which only computers connected to the internet through my office router can access, so that my employees have to be in my office area before they can log in to the PHP web application.

If they are connected to the internet, but not through my office network they should not be able to log in to the application. (I know I could have deployed the php app in a local server setup in my office but I want the app to be on a remote server on the internet for my personal reason).

What hardware do I need to set up my office network, and how do I make PHP detect the ID of the hardware of my network so PHP can determine that a request is coming from my network?

    If your ISP will give you a static IP address for your router, you can pick this up from the request and check it. It's not perfect but will stop most things. For the IP address bit - https://stackoverflow.com/questions/1634782/what-is-the-most-accurate-way-to-retrieve-a-users-correct-ip-address-in-php – Nigel Ren Nov 18 '18 at 07:24
  • Thanks. That would be the external IP. Am I correct? – fredy Nov 18 '18 at 11:36
  • And some explanation on necessary network terminologies will be greatly appreciated. – fredy Nov 18 '18 at 11:39
  • How did you set up the PHP application? Is it on premise (within the office network) or on public hosting (the internet)? – Bagus Tesa Nov 18 '18 at 12:02
  • Public hosting, because I will need to connect to it from my house sometimes. So I need it to be available from anywhere, not just my office. – fredy Nov 18 '18 at 15:51

1 Answer


Some options to recognise your private office from a public website:

IP address

This will only work if you know what IP address is in use at any given time by your allowed clients. In the case you use a NAT gateway, this has to be the outside address.

It becomes pretty easy to do this if you have static IP addresses for all your allowed clients; if they change, it quickly becomes a nightmare to keep them right at all times.

Security: since HTTP is based on TCP, it's not trivial for others to get to use your IP address through spoofing, but it's far from foolproof either. Consider it a poor man's solution at the very best.

Caveat: if any of your staff can get to their machine remotely, they can access it remotely (so e.g. a time registration system is going to get circumvented by this quickly).

VPN

VPN stands for Virtual Private Network.

This is the go-to solution from a security perspective. Essentially you build up tunnels between either individual clients or networks as a whole and the VPN server. On the central end of those tunnel(s), your web server answers web requests (but not to the internet at large).

There is a whole range of VPN products out there. There are equally relatively easy-to-build solutions using free software (e.g. OpenVPN). Things such as how the client (network or computers) will authenticate to the server, what traffic is attracted to the VPN and much more are all parameters you can set.

Security: it depends a bit on the choices made, but unless unproven or outdated solutions are picked, this can be done "top notch". It is, however, in skill level probably just above your typical IT shop around the corner (but you might be in luck).

Same remark as above: your staff that can gain access to it might be tunnelling into their machine at work, or might use credentials and settings from an office machine at home as well.

DNS

Reverse mapping of IP to names is far too easy to spoof; don't try this.

Login/Password

This is a relatively easy solution: allow access from anywhere, but give authorised users a login and password and let them have access after being logged in properly.

Security: it's non-trivial to get this fully secure; there's plenty of opportunity to make errors in how the application works so that it becomes a problem. But if you have to have a zero footprint on the clients, this is your best option. Add in two-factor authentication to increase the password security and make passing on passwords a bit more difficult.

TL;DR

I'd set up an OpenVPN based VPN; they are relatively easy to set up, the clients exist for most OSes (take care, not all: e.g. iOS: I don't know of one) and it'll give you more than average protection without you having to delve deeply into the details of encryption protocols and the like.

Still there's a learning curve, but there's plenty of tutorials out there that don't assume much prior knowledge either.

For your clients you setup a certificate-based authentication system using EasyRSA (included with OpenVPN). It's a bit of a habit you need to create, but once setup properly, adding and removing users becomes relatively painless.

On your server, all you need to do is make sure the HTTP server only binds to the IP address of the tunnel interface.

  • By time registration system you mean like a log/logout system? – fredy Nov 19 '18 at 07:11
  • @fredy: Just an example of anything where the user has an incentive to fake where they are physically located. –  Nov 19 '18 at 16:08
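The "IP address" option from the answer above, written out as an added example (this is not code from the question, the answer, or the linked Stack Overflow thread). It decides purely on the TCP peer address in `REMOTE_ADDR`, compares it against the office router's public address as a CIDR (IPv4 and IPv6), and only honours `X-Forwarded-For` when the peer is a proxy you yourself operate, because otherwise that header is just attacker-chosen request data. The addresses (`203.0.113.10`, `2001:db8:abcd::/48`, `198.51.100.7`) are reserved documentation ranges used as placeholders, and the constants `OFFICE_NETWORKS` / `TRUSTED_PROXIES` and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer above. Restricts a
// PHP app to requests arriving from the office's public (outside/NAT) address.
// All addresses below are reserved documentation ranges (placeholders), and
// the constant and function names are assumptions for illustration.

/** Public address(es) the office router presents to the internet (assumed). */
const OFFICE_NETWORKS = ['203.0.113.10/32', '2001:db8:abcd::/48'];

/** Reverse proxies you operate that may set X-Forwarded-For. Empty = trust none. */
const TRUSTED_PROXIES = [];

/**
 * True if $ip (IPv4 or IPv6 text) lies inside $cidr ("addr" or "addr/bits").
 * Works on the packed bytes from inet_pton, so both families are handled
 * uniformly and a v4 address never matches a v6 prefix (or vice versa).
 */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false
        || filter_var($net, FILTER_VALIDATE_IP) === false) {
        return false;                       // malformed input never matches
    }
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) {
        return false;                       // mixed address families
    }
    $maxBits = strlen($ipBin) * 8;
    $bits = ($bits === null) ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;                       // e.g. /33 on IPv4 is a config typo
    }
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    // Compare only the leading $rem bits of the next byte.
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return ((ord($ipBin[$fullBytes]) ^ ord($netBin[$fullBytes])) & $mask) === 0;
}

function inAnyNetwork(string $ip, array $networks): bool
{
    foreach ($networks as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Address to authorise. REMOTE_ADDR is the TCP peer and cannot be forged by a
 * remote client (the handshake must complete). X-Forwarded-For is plain
 * request data: it is honoured only when the peer is one of our own proxies,
 * and then the right-most entry is used, because that is the one the trusted
 * proxy appended; anything further left was supplied by the client.
 */
function clientIp(array $server): string
{
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    $xff  = (string) ($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($xff === '' || !inAnyNetwork($peer, TRUSTED_PROXIES)) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $xff));
    return $hops[count($hops) - 1];
}

function requestAllowed(array $server): bool
{
    return inAnyNetwork(clientIp($server), OFFICE_NETWORKS);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests to show the decision; not real traffic.
    $samples = [
        'office router, IPv4'            => ['REMOTE_ADDR' => '203.0.113.10'],
        'office block, IPv6'             => ['REMOTE_ADDR' => '2001:db8:abcd:1::5'],
        'home connection'                => ['REMOTE_ADDR' => '198.51.100.7'],
        'home + spoofed X-Forwarded-For' => ['REMOTE_ADDR' => '198.51.100.7',
                                             'HTTP_X_FORWARDED_FOR' => '203.0.113.10'],
    ];
    foreach ($samples as $label => $server) {
        printf("%-32s %s\n", $label, requestAllowed($server) ? 'allow' : 'deny');
    }
} elseif (!requestAllowed($_SERVER)) {
    // Front-controller use: refuse before any login form or session code runs.
    http_response_code(403);
    exit('This application is only reachable from the office network.');
}
```

Run it with `php office-only.php` to see the four constructed cases decided (the first two allowed, the last two denied; the spoofed header is ignored because `198.51.100.7` is not in `TRUSTED_PROXIES`). If the host provider puts a load balancer or CDN in front of the app, `REMOTE_ADDR` will be that proxy and every request will be denied until its address is added to `TRUSTED_PROXIES`; with more than one proxy layer you would peel trusted addresses off the right end of the list before picking the client entry. This check only carries the weight the answer gives it: it needs a static address from the ISP, it says nothing about who is sitting at the office machine, and it belongs in front of, not instead of, the login and two-factor authentication the answer recommends.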