...

If you want to restrict access to a service to on-campus / VPN users only, with a handy error page, you can redirect everyone else to the CheckVPN service https://checkvpn.uwaterloo.ca. It has a callback that keeps the request parameters. It can be used with the following configurations:

APACHE2

<Location />
    RewriteEngine On
    RewriteCond expr "!(-R '127.0.0.0/8' || -R '10.0.0.0/8' || -R '172.16.0.0/12')"
    RewriteCond expr "!(-R '129.97.0.0/16' || -R '192.168.0.0/16')"
    # TODO: ipv6 rules
    RewriteRule ^(.*) https://checkvpn.uwaterloo.ca/?callback=https://{{vars.server_name}}%{REQUEST_URI} [R]
    ...
</Location>

NGINX

geo $is_local_uw_ip {
    default no;
    127.0.0.0/8 yes;
    10.0.0.0/8 yes;
    172.16.0.0/12 yes;
    192.168.0.0/16 yes;
    129.97.0.0/16 yes;
    # TODO: test IPv6 mapping!
    # Every geo entry needs a value; without "yes" nginx rejects the config.
    2620:101:F000::/47 yes;
    2620:101:f000:700::/56 yes;
    fd74:6b6a:8eca:504::/64 yes;
}
server {
    ...
    location / {
        if ($is_local_uw_ip = no) {
            return 307 https://checkvpn.uwaterloo.ca/?callback=https://{{vars.server_name}}$request_uri;
            # NOTE: nginx does not have a good way to encode_url for the callback
            # SO: A request like .. ?callback=https://me.com/?x=1&y=2
            # will drop y=2 from the callback!
        }
    }
}
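
The NOTE in the nginx block, worked through in Python as an added example (not part of the original page): it builds the redirect with and without percent-encoding the callback and shows what a standard query-string parser extracts, and it checks sample addresses against the ranges listed above, IPv6 included. The function names are hypothetical, `me.com` is the host used in the NOTE, and CheckVPN is assumed to parse its query string the standard way.

```python
"""Added example: callback encoding and range checks for the configs above."""
import ipaddress
from urllib.parse import parse_qs, quote, urlsplit

CHECKVPN = "https://checkvpn.uwaterloo.ca/"

# Ranges copied from the nginx geo block on this page.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "129.97.0.0/16", "2620:101:f000::/47", "2620:101:f000:700::/56",
    "fd74:6b6a:8eca:504::/64",
)]


def is_local_uw_ip(addr: str) -> bool:
    """Offline mirror of the geo lookup: True if addr is in a listed range."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in LOCAL_NETS)


def redirect_unencoded(host: str, request_uri: str) -> str:
    """What `return 307 ...$request_uri` produces: the URI is pasted in raw."""
    return f"{CHECKVPN}?callback=https://{host}{request_uri}"


def redirect_encoded(host: str, request_uri: str) -> str:
    """Percent-encode the whole callback so it stays a single query value."""
    callback = quote(f"https://{host}{request_uri}", safe="")
    return f"{CHECKVPN}?callback={callback}"


def callback_received(location: str) -> str:
    """The callback value a standard query-string parser extracts."""
    return parse_qs(urlsplit(location).query)["callback"][0]


if __name__ == "__main__":
    uri = "/?x=1&y=2"  # constructed request, same shape as in the NOTE
    for build in (redirect_unencoded, redirect_encoded):
        location = build("me.com", uri)
        print(f"{build.__name__}: {location}")
        print(f"  callback seen by the service: {callback_received(location)}")
    for addr in ("129.97.1.1", "8.8.8.8", "2620:101:f001::1"):
        print(f"{addr}: local={is_local_uw_ip(addr)}")
```
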

CADDY

In Caddy you can define an importable “block” in your Caddyfile to reuse in other parts of your configuration. The following creates a reusable directive called “redirect_off_campus”, then uses it in a site configuration:

...