Sub domain / Website Access

Discussion in 'Installation/Configuration' started by abintipl, Jul 24, 2021.

  1. abintipl

    abintipl Member

    Hi,

    I have a running Ispconfig VPS Server with Debian 10 and have hosted my website.

    I also have a sub-domain, crm.mydomain.com, & have hosted a web-based application in PHP on this sub-domain.
    My office people connect to this CRM. Now we want to allow access ONLY to authorized staff through a VPN connection (OpenVPN Server is already installed).

    I would request that someone guide me on how to set up an environment so that office/field staff can ONLY access applications remotely using a VPN connection.

    Please guide

    Thanks in advance

    Regards,

    Abin
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You can use IP-based restrictions on that vhost to limit access to the IP addresses of your VPN address pool. There are examples you can find searching the forums here, just be sure you are looking at instructions for your web server (Apache or nginx).
     
    abintipl likes this.
  3. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    Does Debian have UFW? I have it on Ubuntu, and it's Debian-based. If so, then you just need a couple of rules.

    Code:
    sudo -s
    Code:
    ufw status
    if inactive
    Code:
    ufw enable
    permit anybody with 10.1.x.x ip address
    Code:
    ufw allow from 10.1.0.0/16
    permit anybody with 10.1.1.x ip address
    Code:
    ufw allow from 10.1.1.0/24
    Deny everybody else
    Code:
    ufw default deny incoming
    The order matters. If you need to add rules later:
    Code:
    ufw status numbered
    ufw insert <number> allow/deny from w.x.y.z

    Adjust it to fit your needs. The rule of thumb: the smaller the CIDR notation used, the more usable IP addresses, as follows:
    /32 = 1
    /24 = 254
    /16 = 65,534
    /8 = 16,777,214
    I didn't know the available IPs off the top of my head; here is the link to the page it's extracted from, with some useful networking info. https://www.freecodecamp.org/news/s...and-other-ip-address-cidr-network-references/

    Either way, firewall rules are what you need. If I have misunderstood your needs, please clarify.
     
    abintipl likes this.
  4. abintipl

    abintipl Member

    Dear Sir,

    Thank you for the reply.

    My server is on Apache

    I have searched the forum also & tried as instructed on this thread https://www.howtoforge.com/community/threads/website-restriction.86975/

    It works!

    But I am looking to add a port number at the end of the sub-domain (crm.mydomain.com:port number), like we access ISPConfig at https://IP address followed by :8080

    Please guide me on how to bind a particular sub-domain or domain or IP address followed by a port number

    Thx!
     
  5. abintipl

    abintipl Member

    Dear Sir,
    Thank you for the reply.

    I will first study the article suggested by you & try to understand it

    Just a quick question: what does "10.1.x.x ip address" mean?
    Does it mean 10.1.0.0 or 10.1.0.1 or 10.1.1.0, followed by my server IP address, to be used in the commands mentioned in your post about ufw?

    Regards,
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It means an IP address of the form 10.1.x.x, where x is replaced with a number between 0 and 255.
    Those are Private Address Space IP numbers defined in RFC 1918. I guess the author uses them in his/her intranet.
     
    abintipl likes this.
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, ufw is available on Debian, and it is the only current firewall supported by ISPConfig (the old bastille script included with ISPConfig doesn't support IPv6 and creates an inferior firewall in numerous ways).

    IP-based firewall rules would be an excellent choice if access to the entire server should be restricted. (I had in mind restricting access to only the crm vhost, which would require Apache config, but if you can limit in the firewall, do that instead - or both.)
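
The vhost-level restriction discussed in this thread, as an added example that is not taken from any of the posts or from the linked thread: Apache 2.4 directives that limit only the crm site to the VPN address pool. The pool 10.8.0.0/24 is an assumed value; replace it with the subnet your OpenVPN server actually hands out.

```apache
# Added example (not from the thread). Place in the crm site's
# "Apache Directives" field in ISPConfig, or inside the crm vhost.
# Apache 2.4 authorization syntax (mod_authz_core / mod_authz_host).

# ASSUMPTION: 10.8.0.0/24 is the OpenVPN client pool. Use the subnet
# from the "server" line of your own OpenVPN server configuration.
<Location "/">
    # Only clients whose source address is inside the VPN pool are
    # authorized; every other client receives 403 Forbidden.
    Require ip 10.8.0.0/24
</Location>
```

Apache matches the source address it sees on the connection, so this only admits staff whose requests for crm.mydomain.com actually travel through the tunnel. If the access log for the site shows staff requests arriving from their public addresses instead of pool addresses, the hostname is being reached outside the VPN and those requests will get 403.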
     
