block access to webgui via hotspot

[tom-321]

Can I block access to webgui via hotspot and only allow it via lan ?

[billz]

Yes, there are two ways to do this. The simplest method is to set the web server's bind address in RaspAP's System > Advanced tab to your LAN's IPv4 address. See #295

A somewhat cleaner method with a '403 Forbidden' response can be done manually with lighttpd. You could modify lighttpd's main config directly, but to keep things neater we can use RaspAP's own configuration in lighttpd's /conf-available. Edit it like so:

sudo nano /etc/lighttpd/conf-available/50-raspap-router.conf

Add the following to the end, substituting the 192.168.0.0/16 private IPv4 address range (192.168.0.0 – 192.168.255.255) for your own network:

# deny access to RaspAP admin for users that
# are not in the 192.168.0.0/16 network
$HTTP["remoteip"] != "192.168.0.0/16" {
    url.access-deny = ( "" )
}

Save and exit the file, then give lighttpd a kick:

sudo systemctl restart lighttpd.service

Clients outside of your defined network range will receive a '403' response when accessing the web UI.

[tom-321]

👍
It worked
I've edited the 50-raspap-router.conf (would be nice to have a simple Button to turn access on and off ;)

But there is one problem, I also can't access the GUI via the hostname anymore.

[billz]

You can also restrict access by host:

$HTTP["host"] != "raspberrypi.local" {
    url.access-deny = ( "" )
}

...assuming zeroconf/avahi aka Bonjour has mapped the .local domain to an IP on your LAN.

It's also possible to combine both host and remote IP checks.
See https://redmine.lighttpd.net/projects/1/wiki/docs_configuration