I am running an Apache 2.4 on Debian Bullseye on a LAN behind a DSL router with dynamic IPv4 and IPv6 addresses. My web server works as a TLS endpoint and serves a variety of pages. Some of these pages must be accessible to the wide internet, while other pages should be available on my local LAN only. Access from the internet works, but I'm struggling with getting the LAN-only pages to work. I have the following in my Apache configuration:
<Location /localonlystuff>
Require local
Require ip 192.168.0.0/24
</Location>
This allows access from the local host (OK), from all hosts on my LAN segment using IPv4 (private network 192.168.0.0/24) and denies any access from the internet. However, it does not allow access from hosts on my LAN segment using IPv6. As there is no IPv6 range permitted here, Apache denies them access.
In theory, I could simply add Require ip 1234:5678:9012:3456::/64 to the file shown above. However, my IPv6 range is assigned dynamically by my ISP and changes every 24h, so a static entry won't be correct for long. I have considered permitting fe80::, but DNS resolution on my network points to the prefixes provided by the ISP, not to link-local addresses.
I have read the documentation about mod_authz_host and seen the section on Require host. This would probably achieve what I want (my router does set up a local domain with reverse lookup), but I'm afraid that this method will be subject to things like DNS cache poisoning or spoofing attacks, letting outsiders into my network. I would prefer a solution local to my server machine, where I say the equivalent of Require interface lan0 to permit all clients on network ranges configured on lan0 at the time of the request - similar to the way you can make Apache listen to all IP addresses on a given interface. However, I have not found any documentation to this end.
Is there a way to achieve this functionality (permit only hosts from the local IPv6 network), perhaps with means other than mod_authz_host?
I'm also open to suggestions other than relying on authentication. I can widely mess around with the configuration of my Apache, but I can hardly do any configuration change to my router. Please also consider that I only have a single SSL virtual_host running a Let's Encrypt certificate.
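One way to get the "ranges currently configured on lan0" behaviour the question asks for using only directives Apache actually has: regenerate the Require ip lines from the interface's current global IPv6 prefix and gracefully reload Apache whenever that prefix changes. The script below is an added example and is not part of the question or of Apache; it assumes the LAN interface is named lan0, that the generated fragment is pulled into the site's configuration with an Include directive (the path used is a placeholder), and that the script is run from a periodic job or a DHCP/router-advertisement hook so it re-runs after each prefix change. The sample `ip -6 addr` output embedded in it is constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress
import subprocess
from typing import List

# Constructed sample of `ip -6 addr show dev lan0` output. The 2001:db8::/32
# addresses are the IPv6 documentation range, not a real assignment.
SAMPLE_IP_OUTPUT = """\
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:1234:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86178sec preferred_lft 14178sec
    inet6 2001:db8:abcd:1234:1d2f:9a3c:77e1:b42/64 scope global temporary dynamic
       valid_lft 86178sec preferred_lft 14178sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

# Placeholder path for the generated fragment (assumption): pick one that the
# site's VirtualHost pulls in with an Include directive.
INCLUDE_PATH = "/etc/apache2/conf-available/localonly-ipv6.conf"


def lan_networks(ip_addr_output: str) -> List[ipaddress.IPv6Network]:
    """Distinct on-link networks of the global IPv6 addresses in `ip -6 addr` output.

    Link-local (fe80::/10) addresses are skipped on purpose: clients reach the
    server through the ISP prefix, so fe80:: would never match a real request.
    The prefix length printed by `ip` (normally /64 from router advertisements)
    decides the network, so a privacy (temporary) address and the EUI-64
    address on the same link collapse into one entry.
    """
    nets: List[ipaddress.IPv6Network] = []
    for line in ip_addr_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "inet6" or fields[2] != "scope":
            continue
        if fields[3] != "global":
            continue
        # IPv6Interface keeps the host bits; .network masks them off.
        net = ipaddress.IPv6Interface(fields[1]).network
        if net not in nets:
            nets.append(net)
    return nets


def render_location(nets: List[ipaddress.IPv6Network], path: str = "/localonlystuff") -> str:
    """Render the <Location> block from the question with the current IPv6 prefix added.

    Several Require lines inside a <Location> are OR-ed (an implicit
    <RequireAny>), so every entry widens the allowed set. The fragment is
    therefore rewritten from scratch each time rather than appended to, so a
    prefix the ISP has taken back never lingers in the allow-list.
    """
    lines = [f"<Location {path}>", "    Require local", "    Require ip 192.168.0.0/24"]
    lines += [f"    Require ip {net.with_prefixlen}" for net in nets]
    lines.append("</Location>")
    return "\n".join(lines) + "\n"


def current_ip_output(dev: str = "lan0") -> str:
    """Read the interface's current addresses from the kernel (runs `ip`)."""
    return subprocess.run(
        ["ip", "-6", "addr", "show", "dev", dev],
        capture_output=True, text=True, check=True,
    ).stdout


def main() -> None:
    fragment = render_location(lan_networks(current_ip_output("lan0")))
    try:
        with open(INCLUDE_PATH) as fh:
            unchanged = fh.read() == fragment
    except FileNotFoundError:
        unchanged = False
    if unchanged:
        return  # prefix has not moved; nothing to write, no reload needed
    with open(INCLUDE_PATH, "w") as fh:
        fh.write(fragment)
    # Reload only if the new configuration parses: a failed reload would keep
    # the old fragment, and with it a possibly stale prefix, in force.
    subprocess.run(["apachectl", "configtest"], check=True)
    subprocess.run(["apachectl", "graceful"], check=True)


if __name__ == "__main__":
    main()
```

The allow-list is only as fresh as the last run, so the interval between runs (or the hook that triggers one) bounds how long a prefix that the ISP has withdrawn stays permitted; an hourly run is cheap because the script skips the reload when nothing changed. On the sample output the two global addresses yield a single entry, Require ip 2001:db8:abcd:1234::/64, and the link-local address is ignored.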