I've built a Slack App for our team.
I was able to create a Slack Button and used that to authorize the app with oauth.access
My Slack App adds a Slash Command to a channel in Slack
So far so good.
The Slash Command needs a
I would run the request page on a separate server in your DMZ functioning as proxy to the internal application server. Here is a brief description:
The php script for the request url (=request page) needs to be accessible to the public internet, so that Slack can call it. I would put it on a separate server and I would put that server in the DMZ of your company. That is usually the best place for servers that need to be accessible from the outside, but also need to access servers on the inside of your company. Make sure to use SSL and the verification token to secure your calls from Slack.
The request page can run on a small server and will need to have a webserver (e.g. apache) and php. If you planning to have more complex requests you may also need a database. It will also need to run SSL, so you will need a certificate. You can also use your existing webserver to the outside (example.com) if is meets these requirements.
The request page needs to have access to your application server, e.g. via VPN. It would need to function as proxy: receive the request from Slack, make requests to the application server based on the specifics of the slash command and then return the info back to Slack.
Another important point is user authentication. I read from your question that not all users on your Slack team should have access to the application server, so your request script needs to have a method to distinguish which users are allowed access and which are not. It would be easiest, if these users could be identified by membership of a specific Slack group. In any case you probably would need an additional bot that ensures mapping of Slack users to VPN users.