
I'm trying to create a web page that's only accessible by the local lan. I've been able to do this, but I'd like to provide an error page for those who hit it from outside the local lan, as the server also provides access to resources for those outside the local network. This is what I have:

Alias /in "/var/www/inside"
<Directory /var/www/inside/>
ErrorDocument 403 /var/www/403/index.html
Require ip 192.168.1
</Directory>

This works, but because it's being denied to everything except local lan, the error document handling returns an error that states it can't handle the request because of the require IP directive:

Forbidden

You don't have permission to access this resource.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Is there a way to have apache handle the error gracefully and direct the user to an error page? I don't want people outside the lan realizing there's some restricted access page there, it's just going to redirect to an image.

edit: solved: https://poal.co/s/AskPoal/575563/8809541a-27d3-49c4-895b-190f5b66f403#cmnts


(post is archived)
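One way to keep the `Require ip` restriction while still serving a custom 403 page, shown as an added example (not the poster's configuration and not the fix linked in the thread). It assumes the error page lives in /var/www/403 and is published under a hypothetical /errors URL that every client is allowed to read.

```apache
# Constructed example. The /errors alias is an assumption; the other
# paths are the ones from the post.
Alias /in "/var/www/inside"
Alias /errors "/var/www/403"

# The error page has to be readable by everyone, including the client
# that was just refused. If the internal redirect to the error page is
# itself denied, Apache falls back to its built-in Forbidden page and
# appends the "Additionally, a 403 Forbidden error was encountered..." line.
<Directory /var/www/403/>
    Require all granted
</Directory>

<Directory /var/www/inside/>
    # ErrorDocument takes a URL-path (or a full URL, or a quoted message),
    # not a filesystem path, so point it at the aliased location.
    ErrorDocument 403 /errors/index.html

    # Partial address: matches any client in 192.168.1.x.
    Require ip 192.168.1
</Directory>
```

A local ErrorDocument changes only the response body. The status line sent to the outside client is still 403, so check the result with `curl -i` from an external address as well as in a browser.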

[–] 1 pt

I believe your best option is not to try to do it all with the same website (virtualhost). Create 2 separate websites, and use the IP binding command to link one website to the local:

<VirtualHost 192.168.1.10:80>

Then create another virtualhost for the public site:

<VirtualHost 205.11.22.33:80>

Hope this helps, if not please let me know.

[–] 0 pt (edited )

I did try that, using the FQDN and the internal LAN address. It broke stuff. I think, however, you're talking about multiple daemons, which I can't do really due to lack of multiple external IP addresses.

I did try multiple virtualhosts inside the 000-sites-enabled.conf:

In this case, it's not possible due to serving on *:443 and *:80, which overrides any FQDN:PORT virtualhost instance later on in the config. Ordinarily I'd do it on :80 and not open that to the world, but the way the system is set up here, some things need to see an HTTP address to know they're authorized to do their work, as well as receiving codes every now and then. I know that's not the best way to do it these days, but when you work with legacy shit that's the way it is. I don't care that you might see "FQDN/docuroot/enterprise/transporterroom/button/code/YJ8MOP998S1

The original thing I tried worked, that of a "require ip 1.2.3.4" directive, but if you tried to access that directory outside of the LAN it gave Apache's Forbidden screen, which I don't want. Since you can't serve anything, even an error page, when you're forbidden, it didn't do what I needed.

What I really need to dig into is to see if there's an IF methodology. I know there's some basic logic Apache can do, but I haven't reached that stage yet.

[–] 1 pt

Maybe mod_rewrite could help you? Check this link:

https://httpd.apache.org/docs/trunk/rewrite/access.html

Especially the blocking of bots part, hope this helps!

[–] 0 pt

That's not really what I need, it's kind of a different use case. However, I decided to grab the "Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request." portion of the error and found this:

https://stackoverflow.com/questions/47747483/htaccess-403-forbidden-error-was-encountered-while-trying-to-use-an-errordocumen

After enabling the rewrite mod and adding the .htaccess as described, I can now hit the desired site internally (using the FQDN since the router hairpins) but it gets rejected with an error page outside the network. What a pain in the ass.

[–] 1 pt
[–] 0 pt

Kind of but not really. That's good if you're taking an entire site down and only want a few IP addresses through, I need to let the Internet at large through to the main site while blocking it to the local site. It works with a simple require ip directive, but there doesn't appear to be a way to let that directive work AND let the error handlers work because the error handlers are blocked by the require directive. The reason I want an error handler is simple obscurity - it takes a bit more work to determine if there's a site there, and casual script kiddies will probably ignore it. Otherwise, you get the apache Forbidden screen, and that's a tipoff there's something there you're not supposed to see.

I think I have a solution, although it's not as elegant. There's another server that is accessed with a port number, but there's nothing on the *:80 service. I can put it there, but users won't be able to go to "https://example.com/internalsite", they'll have to go to "http://192.168.1.100" instead. It works, I guess.

[–] 0 pt

Place the website on an internal address and manually add the A record to the local DNS.

[–] 0 pt

That doesn't work because deny all with the require ip directive denies everything, including error pages. I found the solution which required an .htaccess file, which is read before the 000-default is processed. It's posted in another conversation under this topic.

[–] 0 pt

I'd do this in code and probably base this off a secret, a cookie or something like that. Folks with the right cookie/IP address continue to use the site; others get a webpage that returns a 403 with a nice fuck off message