Check website availability and reroute

I have a web server in an AWS VPC.
Only about 50 IP addresses are open to see the page on this server. I filter the IP addresses through a Security Group, so if someone is not authorized, they cannot touch the machine at all.
The issue I am running into is that all of the folks that cannot get in simply spin and time out. I would like them to get a message "You are not authorized to view this site". How can I do that before I hit the page?
I need to be able to check with the user's IP address.

Thank you in advance,
Eric Robuck asked:

btan, Exec Consultant, commented:
As it is blocked at the security group, not at the web server, you need to trigger the event to do the redirect to another page showing such an error message.

With just a simple EC2 web server, this may not be easy to achieve. I suggest that you consider AWS CloudFront (CDN) and WAF and have the blocked IPs be redirected.

Blocking IP Addresses That Submit Bad Requests

Creating a Custom Error Page for Specific HTTP Status Codes

David Favor, Linux/LXD/WordPress/Hosting Savant, commented:
Likely much easier to maintain this logic at the web server level.

At the web server level, you'll just route people to two pages, depending on the privilege you assign each IP.

Keep in mind your entire approach will break down for any user using a VPN or a cell service which heavily uses NAT'ed IPs. In both cases, you may have thousands of people coming through one IP. The same applies to companies which NAT all users from one office or many offices through a single IP.

A much better approach will be to just arrange all your content behind a user login screen, so all content is protected.

Only people with a valid login can access site content.

This approach handles all NAT'ed IPs.
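A minimal version of the web-server-level check described above, as an added example that is not code from the thread: WSGI middleware in Python that compares the client address against an allowlist and serves the "not authorized" message to everyone else. The allowlist and the trusted-proxy range are constructed assumptions; the X-Forwarded-For handling matters only when the server sits behind a load balancer, because that header is client-supplied text on a direct connection and must not be trusted there.

```python
import ipaddress

# Constructed allowlist standing in for the ~50 addresses kept in the Security Group.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Assumption: only peers in this range are proxies (e.g. a load balancer) whose
# X-Forwarded-For header we trust. Anyone else is judged by the socket address alone.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

DENIED_BODY = b"You are not authorized to view this site"

def client_ip(remote_addr, forwarded_for=None):
    """Return the address to authorize. X-Forwarded-For is honoured only when the
    direct peer is a trusted proxy (single proxy hop assumed, so the last entry is
    the client as that proxy saw it); otherwise the header is ignored."""
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            return ipaddress.ip_address(hops[-1])
    return peer

def is_allowed(remote_addr, forwarded_for=None):
    try:
        ip = client_ip(remote_addr, forwarded_for)
    except ValueError:
        return False  # a malformed or missing address is never authorized
    return any(ip in net for net in ALLOWED_NETWORKS)

def ip_gate(app):
    """WSGI middleware: pass allowed IPs to the app, answer everyone else with 403."""
    def gated(environ, start_response):
        if is_allowed(environ.get("REMOTE_ADDR", ""), environ.get("HTTP_X_FORWARDED_FOR")):
            return app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain; charset=utf-8"),
                                         ("Content-Length", str(len(DENIED_BODY)))])
        return [DENIED_BODY]
    return gated

def site(environ, start_response):
    """Stand-in for the protected site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"internal site"]

def call(app, remote_addr, forwarded_for=None):
    """Run one request through a WSGI app and return (status, body)."""
    captured = {}
    env = {"REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if forwarded_for is not None:
        env["HTTP_X_FORWARDED_FOR"] = forwarded_for
    body = b"".join(app(env, lambda status, headers, exc_info=None: captured.update(status=status)))
    return captured["status"], body
```

Running `call(ip_gate(site), "192.0.2.9", "203.0.113.5")` shows the spoofed header being ignored for a direct connection, while the same header arriving via a 10.0.0.0/8 proxy is honoured.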
Eric Robuck, Author, commented:
David, thank you. I agree with your assessment. However, the requirement stated that not only must they log in, but they can only be at work when they do it. This has been the model for them for years, and the only way I can see to do that is through IP addresses :-)
btan, Exec Consultant, commented:
Agree on doing it with the web server. But since you are in AWS already, I believe you will be concerned about the website security, or at least your security folks will be. Hence using the CDN and WAF are worth considering if not done so, and they would help achieve the use cases and more granular rules if required.

That said, there are also resource-based access and identity-based access, in which IAM plays a key role.

IP-based access is still possible via IAM, which is similar to the security group for the VPC, but it can be good if you have source IPs that are not dynamic, and it is probably good for blocking non-reputable IPs.
Eric Robuck, Author, commented:
Thank you for all the insights. I will follow the CloudFront option and see how it goes!