Apache Web Server Forum

    
Different LAN- and WAN-user area in Apache
lan wan apache iptables
jacobp

5+ Year Member



 
Msg#: 3191 posted 7:58 am on Mar 24, 2005 (gmt 0)

Hello,

I have a Linux server that is running as a gateway with Red Hat 9.0 and Apache. I'm using iptables in my firewall.

How can I send my LAN-users to "/var/www/html/int" and the WAN-users to "/var/www/html/ext"?

Jacob

 

sitz

5+ Year Member



 
Msg#: 3191 posted 2:09 am on Mar 25, 2005 (gmt 0)

Use mod_rewrite; if your LAN IPs are all 192.168.1.*, then:

RewriteEngine on
#
# LAN
RewriteCond %{REMOTE_ADDR} ^192\.168\.1\.
RewriteRule ^/(.*) /var/www/html/int/$1 [L]

#
# WAN
RewriteRule ^/(.*) /var/www/html/ext/$1 [L]

Of course, you could just set the DocumentRoot for the site to be /var/www/html/ext/ and just Rewrite the LAN requests. Note that the IP string ("192\.168\.1\." above) is just a string comparison; mod_rewrite doesn't grok netmasks or CIDR blocks for this sort of thing.

jacobp

5+ Year Member



 
Msg#: 3191 posted 9:40 pm on Mar 25, 2005 (gmt 0)

Hello,

Thank you for the answer. But now I have a new problem ;-(

My LAN IP-range is 192.168.100.30 -> 192.168.100.50

This line is not working - Apache is sending all LAN-users to "/var/www/html/ext":

RewriteCond %{REMOTE_ADDR} ^192\.168\.100\.
RewriteRule ^/(.*) /var/www/html/int/$1 [L]

Can you tell me why?

Jacob

sitz

5+ Year Member



 
Msg#: 3191 posted 4:00 am on Mar 26, 2005 (gmt 0)

Not without a little more data. =)

1) Does your access log confirm that the requests are coming from 192.168.100.*? If your internal users are coming via a NAT, they're likely coming through a gateway of some sort, which means you'll only get the gateway IP in the logs. Which means it's the gateway IP you'll need to use in your RewriteCond.

2) If that doesn't help, does this server do little enough traffic that you could turn on some REALLY heavy logging for a few minutes? Maybe late in the evening? If so, you could add the following lines:

RewriteLog /var/log/rewrite.log
RewriteLogLevel 9

...bounce Apache, and make a few requests from the LAN to gather debugging data. Then you can comment out those lines and bounce Apache again.
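
As an added example (not part of any post in this thread), this Python sketch tallies client addresses from access-log lines, as point 1 suggests, and checks each against the thread's prefix pattern and the stated 192.168.100.30 to 192.168.100.50 range. The log lines, the 203.0.113.9 gateway address and the RANGE pattern are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Patterns as RewriteCond %{REMOTE_ADDR} would test them (regex on a string).
PREFIX = re.compile(r"^192\.168\.100\.")                    # from the thread
RANGE = re.compile(r"^192\.168\.100\.(3[0-9]|4[0-9]|50)$")  # assumed: .30-.50 only
LAN_FIRST = ipaddress.ip_address("192.168.100.30")
LAN_LAST = ipaddress.ip_address("192.168.100.50")

# Constructed access-log lines (Common Log Format), not taken from the thread.
# 203.0.113.9 stands in for a NAT gateway's address.
SAMPLE_LOG = """\
203.0.113.9 - - [26/Mar/2005:04:10:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [26/Mar/2005:04:10:07 +0000] "GET /a.html HTTP/1.1" 200 200
192.168.100.31 - - [26/Mar/2005:04:11:12 +0000] "GET / HTTP/1.1" 200 512
192.168.100.7 - - [26/Mar/2005:04:12:40 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [26/Mar/2005:04:13:02 +0000] "GET / HTTP/1.1" 200 512
- malformed line
"""

def in_lan_range(addr):
    """True if addr lies in 192.168.100.30 - 192.168.100.50 (numeric compare)."""
    return LAN_FIRST <= ipaddress.ip_address(addr) <= LAN_LAST

def regex_equals_range(pattern):
    """Check a regex against the numeric range for every 192.168.100.x host."""
    hosts = [f"192.168.100.{n}" for n in range(256)]
    return all(bool(pattern.search(h)) == in_lan_range(h) for h in hosts)

def tally_clients(log_text):
    """Count requests per client address; skip lines without a valid address."""
    counts = Counter()
    for line in log_text.splitlines():
        field = line.split(" ", 1)[0]
        try:
            ipaddress.ip_address(field)
        except ValueError:
            continue
        counts[field] += 1
    return counts

def report(log_text):
    """Rows of (address, hits, matches thread's prefix, inside .30-.50)."""
    return [(a, n, bool(PREFIX.search(a)), in_lan_range(a))
            for a, n in tally_clients(log_text).most_common()]

if __name__ == "__main__":
    print(*report(SAMPLE_LOG), sep="\n")
    print("prefix == range:", regex_equals_range(PREFIX), "| range regex:", regex_equals_range(RANGE))
```

An address that dominates the tally but matches neither check is what Apache sees as REMOTE_ADDR for those requests, so a RewriteCond written for the LAN addresses will not match them.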

jacobp

5+ Year Member



 
Msg#: 3191 posted 11:34 am on Mar 27, 2005 (gmt 0)

Hello,

I have solved the problem; I just use my public IP address.

Thanks for your answer - have a nice day :-)

Jacob

Hanu

10+ Year Member



 
Msg#: 3191 posted 11:58 am on Mar 27, 2005 (gmt 0)

Let me throw in an alternative. It doesn't need mod_rewrite and may be a bit more secure. It only works if the web server's internal interface has a DNS name.


NameVirtualHost *

<VirtualHost *>
DocumentRoot /var/www/html/ext
</VirtualHost>

<VirtualHost internal-host-name>
DocumentRoot "/var/www/html/int"
</VirtualHost>


sitz

5+ Year Member



 
Msg#: 3191 posted 1:56 pm on Mar 27, 2005 (gmt 0)

This won't work unless the internal hosts access the server by the internal host name; accessing the internal site and the external site by different hostnames may not be practical (for instance, the HTML could be written with absolute URLs in all hyperlinks. Which would, I'll grant you, be suboptimal (to say the least), but I've seen sillier things.)

Alternatively, one *could* play tricks in DNS whereby the internal workstations resolved 'www.example.com' as 192.168.1.1 and everything outside resolved it as a publicly routable IP. Of course, *all* this assumes that the internal webserver and the internal workstations are networked in such a way that requests to the internal hostname would NOT be routed through the NAT gateway IP address.

You're right, of course; in some situations, multiple virtual hosts would be easier. As with most things, It Depends(tm). =)

Hanu

10+ Year Member



 
Msg#: 3191 posted 9:42 am on Mar 28, 2005 (gmt 0)

> This won't work unless the internal hosts access the server by the internal host name

or if the server has two different interfaces and the internal host name used for the second VirtualHost is resolved into the IP address of the internal interface. If the names used for VirtualHost statements are resolved into different IP addresses (or if an IP address is specified instead of a name), Apache uses the destination IP of requests to assign the requests to VirtualHosts. OTOH, if the VirtualHost names are resolved into the same IP address, Apache looks at the server name in the HTTP request header. Only in that case does it matter what name the clients access the server by.

The reason I recommend this solution is that the decision is made very early on and misconfiguration is less likely to cause a security breach. Mod_rewrite statements are evaluated a lot later in the request handling when a DocumentRoot is already known for a request.
