We have a Zend (1.12.20) php webapp that runs on AWS via docker containers. We also have nginx routing requests between this php webapp and other webapps.
The php webapp has a public front-end and an administrative back-end, i.e.
http://public-url.com
http://public-url.com/administrative-backend
We want to limit access to http://public-url.com/administrative-backend
to only users that are on a site-to-site vpn while keeping the public frontend accessible to all of the internet.
Which layer of the stack should this be implemented in? Is AWS capable of distinguishing requests to a particular URL served by a container and making some of them require VPN authorization? Can nginx handle this somehow?
How can I limit access to a specific portion of a php webapp to vpn users while leaving the rest of the webapp publicly accessible?
You can use nginx to allow access to / to the public, but allow access to /administrative-backend only from authorized IPs/networks like so:
location ~ /administrative-backend {
    allow 172.31.0.0/16;   # VPN or VPC range that may reach the admin back-end
    deny all;              # every other client receives 403
    # proxy_pass (or fastcgi_pass) is not inherited into a location, so the
    # directive that forwards requests to the php container must be repeated here
}
172.31.0.0/16 could be your VPC or VPN's IP address. Please check http://nginx.org/en/docs/http/ngx_http_core_module.html#location for more details.
If you're looking for something built into AWS, it has tools to route traffic depending on the request path (in this case /* vs /administrative-backend/*). Check out application load balancers (not the classic ELB) https://aws.amazon.com/elasticloadbalancing/applicationloadbalancer/.
What I would do though, for more security, is put the public and private (admin) in separate containers. Just disable all the admin stuff in the container that would serve the public.
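A fuller nginx server block for the setup in the answer above, added here as an example (not the answer author's config). It assumes the PHP container is reachable as the docker service "phpapp" on port 80, that the ALB in front of nginx lives in 10.0.0.0/8, and that the VPN range is 172.31.0.0/16 as in the answer; the important caveat it shows is that behind a load balancer allow/deny only works once the real client address is recovered from X-Forwarded-For, and only from trusted ALB addresses.

```nginx
# Added example: public front-end open to all, admin path restricted to the VPN.
upstream phpapp {
    server phpapp:80;           # assumed docker service name of the PHP container
}

server {
    listen 80;
    server_name public-url.com;

    # Behind an ALB the TCP peer nginx sees is the load balancer, so allow/deny
    # would otherwise evaluate the ALB's address for every request. Recover the
    # client address from X-Forwarded-For, but trust that header only when the
    # connection comes from the ALB subnet; trusting it from anyone lets an
    # outside client forge the header and walk past the restriction.
    set_real_ip_from 10.0.0.0/8;    # assumed ALB subnet(s); narrow to the real ones
    real_ip_header   X-Forwarded-For;
    real_ip_recursive on;

    # Headers passed to the PHP app; inherited by both locations below
    # because neither declares its own proxy_set_header.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Admin back-end: ^~ is a prefix match that wins over regex locations,
    # and the IP check runs before the request is proxied.
    location ^~ /administrative-backend {
        allow 172.31.0.0/16;        # VPN / VPC range from the answer
        deny  all;                  # everyone else: 403

        proxy_pass http://phpapp;   # proxy_pass is not inherited, so repeat it
    }

    # Public front-end: reachable from the whole internet.
    location / {
        proxy_pass http://phpapp;
    }
}
```

Check it from outside the VPN: a request to /administrative-backend that carries a forged "X-Forwarded-For: 172.31.0.1" header must still return 403; if it gets through, the set_real_ip_from range includes addresses that are not your load balancer.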