CheckVPN


These configurations restrict access to a service to on-campus / VPN users only, while giving everyone else a handy error page. The CheckVPN service https://checkvpn.uwaterloo.ca has a callback that keeps the request params. It can be used with the following configurations:

APACHE2

<Location />
    RewriteEngine On
    RewriteCond expr "!(-R '127.0.0.0/8' || -R '10.0.0.0/8' || -R '172.16.0.0/12')"
    RewriteCond expr "!(-R '129.97.0.0/16' || -R '192.168.0.0/16')"
    # TODO: ipv6 rules
    RewriteRule ^(.*) https://checkvpn.uwaterloo.ca/?callback=https://{{vars.server_name}}%{REQUEST_URI} [R]
    ...
</Location>

NGINX

geo $is_local_uw_ip {
    default                 no;
    127.0.0.0/8             yes;
    10.0.0.0/8              yes;
    172.16.0.0/12           yes;
    192.168.0.0/16          yes;
    129.97.0.0/16           yes;
    # TODO: test ipv6 mapping!
    # (every geo entry needs a value, so the IPv6 prefixes map to "yes" too)
    2620:101:F000::/47      yes;
    2620:101:f000:700::/56  yes;
    fd74:6b6a:8eca:504::/64 yes;
}

server {
    ...
    location / {
        if ($is_local_uw_ip = no) {
            return 307 https://checkvpn.uwaterloo.ca/?callback=https://{{vars.server_name}}$request_uri;
            # NOTE: nginx does not have a good way to encode_url for the callback
            # SO: A request like .. ?callback=https://me.com/?x=1&y=2
            # will drop y=2 from the callback!
        }
    }
}

CADDY

In Caddy you can define an importable “block” (a snippet) in your Caddyfile and re-use it in other parts of your configuration. The following creates a re-usable snippet called “redirect_off_campus”, then imports it in a site configuration:

(redirect_off_campus) {
    @external not remote_ip \
        127.0.0.0/8 \
        10.0.0.0/8 \
        172.16.0.0/12 \
        192.168.0.0/16 \
        129.97.0.0/16 \
        2620:101:F000::/47 \
        2620:101:f000:700::/56 \
        fd74:6b6a:8eca:504::/64
    redir @external https://checkvpn.uwaterloo.ca/?callback={scheme}://{host}{uri} 307
}

cool-service.uwaterloo.ca {
    import redirect_off_campus
    reverse_proxy localhost:8000
}
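To check the prefix logic of the three snippets offline, here is an added Python example (not part of this page or of the CheckVPN service): it matches a client address against the same prefix list, including the IPv6 prefixes the Apache snippet still lacks and IPv4-mapped IPv6 addresses, and shows why the callback should be percent-encoded, as the nginx comment warns. The host name cool-service.uwaterloo.ca and the client addresses used are taken from the page or constructed for the test; the address passed in must be the real client address, not a reverse proxy's.

```python
import ipaddress
from urllib.parse import parse_qs, quote, urlsplit

# The same on-campus / VPN prefixes the three configurations above list
# (Apache omits the IPv6 ones; they are its "TODO: ipv6 rules").
LOCAL_UW_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "129.97.0.0/16",
    "2620:101:F000::/47", "2620:101:f000:700::/56", "fd74:6b6a:8eca:504::/64",
)]

CHECKVPN = "https://checkvpn.uwaterloo.ca/?callback="


def is_local_uw_ip(client_ip: str) -> bool:
    """True if client_ip is inside one of the on-campus / VPN prefixes.

    client_ip must be the real client address: behind a reverse proxy or
    load balancer the socket peer is the proxy (often a 10/8 address),
    which would make every request look local.  IPv4-mapped IPv6
    addresses (::ffff:10.1.2.3), as reported by some dual-stack
    listeners, are unwrapped so the IPv4 rules still apply to them.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # "in" is False when address and network versions differ, so v4/v6 mix safely.
    return any(addr in net for net in LOCAL_UW_NETWORKS)


def checkvpn_redirect(client_ip, scheme, host, request_uri):
    """Redirect target for an off-campus client, or None to let it through.

    The callback is percent-encoded as one query value, so a request URI
    containing '&' survives (the nginx comment above shows what happens
    when it is pasted in raw).
    """
    if is_local_uw_ip(client_ip):
        return None
    return CHECKVPN + quote(f"{scheme}://{host}{request_uri}", safe="")


def raw_redirect(scheme, host, request_uri):
    """The unencoded form the nginx snippet produces, for comparison."""
    return CHECKVPN + f"{scheme}://{host}{request_uri}"


def callback_survives(redirect_url, expected_callback):
    """Does the callback query parameter decode back to the full original URL?"""
    params = parse_qs(urlsplit(redirect_url).query)
    return params.get("callback") == [expected_callback]
```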