I'm operating a webapp that should be accessible only to a small number of people equipped with tablets. It is served on port 80 of a server that is on our local network behind the ISP router.

The question is: how can I ensure access for authorized users without any other user being able to access it? Non-authorized users should end up with a connection reset, as if the port were not open.

I thought of opening a port on the router, redirecting it to the server and securing it with a certificate, but is that even possible?

Another solution could be installing a VPN, but it may be too difficult to manage for some users.


Solution 1:

There are many ways to go about this, but the right one depends on what other security mechanisms you have in place. Examples:

  • Client certificates. This is very possible, except you want to use port 80, which is typically unencrypted. You would need to reconfigure your web server or put a proxy in front of it, but this is certainly possible. Doing it with Apache is described here: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#allclients
  • Filter by IP or MAC address at the network level, i.e. in the firewall.
  • Use a VPN, as you mentioned. This can be made reasonably transparent for users.
  • Check for an authentication header on the web server, or on a proxy in front of it.

There's undoubtedly more. Some of them are not suitable unless you have additional authentication methods in place, e.g. MAC addresses are easily spoofed. Other options become available if you relax the requirement for the network port to appear closed, because many authentication methods do not operate until the port is opened.
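The last bullet of the answer above (check for an authentication header on a proxy in front of the app) combined with the "connection reset" requirement from the question, as an added example that is not part of the original answer. It is a small gate in front of the web app: a per-tablet bearer token is compared in constant time, and a request without a valid token is closed with a TCP RST rather than an HTTP 401, so the client gets nothing that confirms a web server is there. The token values, the device names, the `UPSTREAM` address and the listening port are assumptions chosen for the example.

```python
import hmac
import socket
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.request import Request, urlopen

# Assumption: one shared secret per tablet, handed out out of band. Constructed
# sample values; in production load them from a file or secret store.
ALLOWED_TOKENS = {
    "tablet-01": "7f3a9c1d2e4b5a6f8c0d1e2f3a4b5c6d",
    "tablet-02": "0a1b2c3d4e5f60718293a4b5c6d7e8f9",
}

# Assumption: the real web app listens on an internal address only this gate can reach.
UPSTREAM = "http://127.0.0.1:8080"


def authorize(headers) -> Optional[str]:
    """Return the device name whose token is in the Authorization header, else None.

    `headers` is anything with a .get(); the handler passes its HTTP headers.
    The comparison is constant-time and runs over every token, so response
    timing reveals neither the secret bytes nor which device matched.
    """
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return None
    matched = None
    for device, token in ALLOWED_TOKENS.items():
        if hmac.compare_digest(presented.encode(), token.encode()):
            matched = device
    return matched


def reset_connection(sock: socket.socket) -> None:
    """Close a TCP socket with RST instead of the normal FIN handshake.

    SO_LINGER with a zero timeout makes close() discard pending data and send a
    RST, so the rejected client sees a reset rather than a tidy HTTP error.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    sock.close()


class GateHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        device = authorize(self.headers)
        if device is None:
            # No HTTP response at all: log locally, then reset the connection.
            self.log_message("reset connection from %s", self.client_address[0])
            self.close_connection = True
            reset_connection(self.connection)
            return
        # Authorized: forward the request to the app, tagged with the device name.
        upstream = Request(UPSTREAM + self.path, headers={"X-Device": device})
        with urlopen(upstream, timeout=10) as resp:
            body = resp.read()
            self.send_response(resp.status)
            self.send_header("Content-Type",
                             resp.headers.get("Content-Type", "application/octet-stream"))
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)


if __name__ == "__main__":
    # Assumption: TLS is terminated in front of this gate (e.g. by the proxy
    # that also holds the certificate); on plain port 80 the token would be
    # readable by anyone on the path.
    HTTPServer(("0.0.0.0", 8081), GateHandler).serve_forever()
```

Two caveats a practitioner should keep in mind. First, the bearer token is a credential, so this only holds up behind TLS; on the plaintext port 80 mentioned in the question it is as exposed as a password. Second, this does not make the port look closed to a port scanner: the TCP handshake completes before any header can be read, so `nmap` still reports the port open. Only filtering at the firewall, before the handshake, satisfies the strict version of the requirement; this approach is the "relaxed" variant the answer's last sentence refers to.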