This is a big question, so I'm only looking for a high-level overview answer to help me research the bits I don't know.
Essentially the problem is this: I need to take a dedicated Mac Mini (or similar macOS machine) and use it to host a website that's only accessible to those on the same local network.
My first instinct was to buy a domain (and certificate) and point it to a local address (e.g. 10.10.10.152) that I know my server will be located at. That way, anyone trying to access that domain will be redirected locally to my website if they're on the right network.
Will this work? If so, what are the major steps in taking a domain, installing a certificate, and pointing it to a local IP?
That would work, but there's absolutely no necessity to buy anything.
You can set up local DNS for e.g. service.example.org (if you own example.org), or service.lan without a domain of your own. Point the A record to your private web server.
If you require HTTPS (TLS), you can either self-sign a certificate and explicitly trust that certificate from each of your clients, or you start a new CA (takes just a minute with OpenSSL), sign a certificate for service.lan and deploy the CA root certificate to your clients as trust anchor.
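The private-CA route from this answer, as an added example that is not part of the original answer: it creates a root CA, signs a certificate for service.lan, and checks the result. The file names, CA name, key sizes, lifetimes and the two function names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: private CA plus a server certificate for service.lan.
# File names, the CA name, key sizes and lifetimes are illustrative assumptions.
set -eu

make_lan_pki() (            # usage: make_lan_pki <dir> [hostname]
  dir=$1; host=${2:-service.lan}
  umask 077                 # private keys readable by the owner only
  mkdir -p "$dir"; cd "$dir"
  # Own config, so the result does not depend on the system openssl.cnf.
  cat > pki.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  # 1. Self-signed root CA. ca.key never leaves this machine.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
    -config pki.cnf -extensions v3_ca -subj "/CN=Home LAN Root CA" \
    -keyout ca.key -out ca.crt
  # 2. Server key and signing request for the internal name.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=$host" -keyout server.key -out server.csr
  # 3. CA signs the request; browsers match on subjectAltName, not CN.
  #    Lifetime kept short: Apple clients reject server certs over 825 days.
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 397 -extfile pki.cnf -extensions v3_leaf -out server.crt
)

# Succeeds only if server.crt chains to ca.crt AND is valid for the hostname.
check_lan_cert() {          # usage: check_lan_cert <dir> <hostname>
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" \
    >/dev/null 2>&1
}

# Run as: sh lan-pki.sh ./pki service.lan
if [ $# -gt 0 ]; then
  make_lan_pki "$1" "${2:-service.lan}"
  check_lan_cert "$1" "${2:-service.lan}" && echo "server.crt verifies"
fi
```

Only ca.crt is distributed to clients; on a macOS client it can be added as a trust anchor with `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt`. The web server is configured with server.crt and server.key, and ca.key stays offline.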
Based on the comments discussion, you can use, for example, Apache and set something like:
using the module mod_authz_host and the Require directives. (Above I suppose your local network is 192.168.0.0/24.)
This config will limit the access to localhost/127.0.0.1 and all the hosts in network 192.168.0.0/24.
I'm not sure if you arrived at the idea of registering/configuring a domain and buying a certificate by accident or design - but in the absence of experience with network configuration and systems administration, this is probably the shortest route to your goal.
Alternative approaches would be to
You will need a registered domain with records to obtain a certificate from a third party certificate authority. If you choose one of the other methods, then you don't need a registered domain / publicly accessible DNS records - you could (for example) use dnsmasq for your internal DNS (easy to provision overrides of specific DNS names).
As long as your internet connection does not permit external access to the IP address of the host you don't need additional security controls, but adding them now might prevent accidents in future.