Lock web app only work for intranet

Question

some week in the future i will have job to create php web app that will work as billing process. As the client and my team agree upon, the web app will only deploy in their internal server. This need arose some fundamental questions for myself.

1. how do we lock the web app really really will work only in internal server and not in internet as it asked ? cause this need, the cost for the job have been cut into some degree. so it will be best if it only work as client describe it : it will be deploy in intranet an intranet only
2. What is the pro and cons deploy php application only (with all of its apache server )in intranet ?
3. What is the fundamental different between deploying php app in intranet environment and in internet ? is there anything to be consider ?
4. I know we can put windows in to a flash-disk or pen-disk. i there any autorun apache/php server that work in the same fashion ?

Answer 1

Just deploy a WAMP (or LAMP) server with your application on a server inside the company firewall on their network.

Users then access your application via the servername. e.g. if the machine name is "Elmo", then users just access your app with:

http://elmo/index.php

(this is presuming a single app running on the server on the default port 80)

The trick here, is that if this machine is not connected to the Internet, and you need to update it from outside, you'll need to have some other access e.g. SFTP

Answer 2

1. If the intranet is not connected to the internet, you can verify that by pinging a well-known site, such as your domain or google.com, and refusing to operate if it answers. But such intranets are becoming rare. Maybe it would be easier to restrict max number of users (total or concurrent) - verifying that an application is not accessible from outside can be difficult.

2. Less attempts to hack the application (behind company firewall) - that's the pro and a con, because then you may be tempted to pay less attention to security considerations because "well, it's an internal app!"

3. No fundamental difference. In large organizations, usually some form of single sign-on is used and you will have to integrate that; also, server configuration and software may be restricted by IT.

4. XAMPP can be run from a pen drive, so if you can boot Windows from there and instruct it to run XAMPP this should be possible.

Answer 3

Set up your apache configuration so that only the internal network is allowed to access the billing system using mod_authz_host.

<Directory /billing-system/docroot>
Order Deny,Allow
Deny from all
Allow from *internal ip range*
</Directory>

Refer to http://httpd.apache.org/docs/2.1/mod/mod_authz_host.html#allow for more information.