Good morning everyone,

So I have come across an interesting request that I have never dealt with and was wondering what everyone kind of thought of where I should take it.

A company I have been working with is updating their website. The company uses VPN internally already; what they were inquiring about was making a staff section of their website which can only be accessed when they have their VPNs enabled (not having the VPN connected would produce an error page, so anybody not connected wouldn't have access to even the login page, let alone the rest of the directory). I am thinking this probably could be achieved through messing with PHP and possibly .htaccess. Has anyone ever dealt with a request like this? Do you believe I am on the right page with it? Is it even possible?

If you're connected to VPN you should be using the company's gateway, and thus have its outgoing IP. An IP block is something you can do with an .htaccess, but it can be easily spoofed.

So what is the best way to ensure only that outgoing IP is accepted?

Filtering is generally addressed at the application, server, or network layer. In this case, since you are trying to restrict a portion of an application, while it can be done at the network layer, say with a layer 4-7 capable firewall, it's most likely going to be a lot easier to deal with at the application, in this case the PHP web app.

Yes, while IPs can be spoofed, that concern is generally with malware. A legitimate user trying to access a target web page cannot spoof their address because the return packets in the communication process would not make their way back to the user's computer.

I would assume that in your .htaccess file, you'd create a rule to block all traffic except from the IP range of your VPN users and apply that rule only to the target directory.
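
The application-layer variant of the allow-list discussed in the replies above, as an added example that is not any poster's code: a PHP guard included at the top of each staff page that compares the connection's peer address against the VPN gateway's egress range. The function names and CIDR ranges are assumptions (the ranges are documentation placeholders), and the script is assumed to be reached directly rather than through a reverse proxy.

```php
<?php
// Added example. Ranges are constructed placeholders (RFC 5737 / RFC 3849
// documentation space); substitute the VPN gateway's real egress range(s).
const VPN_EGRESS_RANGES = ['203.0.113.0/28', '2001:db8:10::/48'];

/** True if $ip lies inside $cidr. Handles IPv4 and IPv6. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparseable input, or IPv4 compared against IPv6
    }
    $max = strlen($ipBin) * 8;
    if ($bits === null) {
        $bits = $max;                 // bare address means an exact match
    } elseif (ctype_digit($bits) && (int) $bits <= $max) {
        $bits = (int) $bits;
    } else {
        return false;                 // malformed prefix must never match
    }
    $full = intdiv($bits, 8);         // whole bytes covered by the prefix
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;                 // leftover bits in the next byte
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

/** True if the peer address falls in any allowed range. */
function is_vpn_client(string $remoteAddr, array $ranges = VPN_EGRESS_RANGES): bool
{
    foreach ($ranges as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Decide on the TCP peer address only. Headers such as X-Forwarded-For are
// supplied by the client and must not feed this check.
if (!is_vpn_client($_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit('Forbidden');
}
```

The check runs before the login form is rendered, so a client outside the range gets the 403 and nothing else; normal authentication still applies to clients inside it.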