Requiring web users to login via VPN

For compliance reasons, you might want to split traffic coming to an Central server into a public zone for enumerators connecting over the Internet and a private zone for project managers logged in via a VPN.

One benefit of this split structure is that whatever auth constraints you put on access to the private zone (e.g., VPN login with SSO and MFA) are thus applied to Central without needing to turn on Central's SSO support.

An easy way to implement this change is in Central's nginx container. If, for example, you wanted a public zone that only allows form download and submission upload from the public Internet while having a private zone allows everything, but only from your VPN, you would modify odk.conf.template as shown below.

  location /- {

  # public zone
  location ~ ^/v\d/(test|key)/.+/projects/\d+/(submission|formList|forms) {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://service:8383;
    proxy_redirect off;

    # buffer requests, but not responses, so streaming out works.
    proxy_request_buffering on;
    proxy_buffering off;
    proxy_read_timeout 2m;

  # private zone
  location ~ ^/v\d {
    allow; # your server's public IP
    allow; # your VPN's public IPs

    deny all;
1 Like