Different LAN- and WAN-user area in Apache

lan wan apache iptables

7:58 am on Mar 24, 2005 (gmt 0)

10+ Year Member


I have a Linux-server that is running as a gateway with Red Hat 9.0 and Apache. I'm using iptables in my firewall.

How can I send my LAN-users to "/var/www/html/int" and the WAN-users to "/var/www/html/ext"?


2:09 am on Mar 25, 2005 (gmt 0)

10+ Year Member

Use mod_rewrite; if your LAN IPs are all 192.168.1.*, then:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^192\.168\.1\.
RewriteRule ^/(.*) /var/www/html/int/$1 [L]

RewriteRule ^/(.*) /var/www/html/ext/$1 [L]

Of course, you could just set the DocumentRoot for the site to be /var/www/html/ext/ and just Rewrite the LAN requests. Note that the IP string ("192\.168\.1\." above) is just a string comparison; mod_rewrite doesn't grok netmasks or CIDR blocks for this sort of thing.
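The point about string comparison versus netmasks, as an added example that is not part of the original post: a Python check that compares a RewriteCond-style REMOTE_ADDR pattern with the CIDR block it is meant to cover and reports where the two disagree. The function name, the sample addresses and the /23 block are assumptions made for illustration.

```python
import ipaddress
import re


def audit_prefix_regex(pattern, cidr, candidates):
    """Compare a REMOTE_ADDR regex with the CIDR block it is meant to cover.

    Returns (overmatch, undermatch): addresses the regex accepts although they
    lie outside the block, and addresses inside the block that it rejects.
    """
    net = ipaddress.ip_network(cidr)
    rx = re.compile(pattern)
    over, under = [], []
    for text in candidates:
        in_net = ipaddress.ip_address(text) in net
        hit = rx.search(text) is not None
        if hit and not in_net:
            over.append(text)    # would be served the internal tree by mistake
        elif in_net and not hit:
            under.append(text)   # LAN client that falls through to the external tree
    return over, under


# Constructed sample client addresses (not taken from any real log).
SAMPLES = [
    "192.168.1.20",    # inside 192.168.1.0/24
    "192.168.10.7",    # other subnet, shares the text prefix "192.168.1"
    "192.168.100.45",  # other subnet, shares the text prefix "192.168.1"
    "192.168.101.9",   # inside 192.168.100.0/23, outside 192.168.100.0/24
    "203.0.113.5",     # documentation range, stands in for a WAN client
]

if __name__ == "__main__":
    cases = [
        (r"^192\.168\.1\.", "192.168.1.0/24"),         # pattern from the post: exact for a /24
        (r"^192\.168\.1", "192.168.1.0/24"),           # trailing "\." dropped: overmatches
        (r"^192\.168\.100\.", "192.168.100.0/23"),     # a /23 is not one text prefix
        (r"^192\.168\.10[01]\.", "192.168.100.0/23"),  # covers both /24 halves
    ]
    for pattern, cidr in cases:
        over, under = audit_prefix_regex(pattern, cidr, SAMPLES)
        print(f"{pattern:24} vs {cidr:18} over={over} under={under}")
```

The check only sees the address Apache sees, so LAN clients that arrive through a NAT gateway have to be tested with the gateway address.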

9:40 pm on Mar 25, 2005 (gmt 0)

10+ Year Member


Thank you for the answer. But now I have a new problem ;-(

My LAN IP-range is ->

This line is not working - Apache is sending all LAN-users to "/var/www/html/ext":

RewriteCond %{REMOTE_ADDR} ^192\.168\.100\.
RewriteRule ^/(.*) /var/www/html/int/$1 [L]

Can you tell me why?


4:00 am on Mar 26, 2005 (gmt 0)

10+ Year Member

Not without a little more data. =)

1) Does your access log confirm that the requests are coming from 192.168.100.*? If your internal users are coming via a NAT, they're likely coming through a gateway of some sort, which means you'll only get the gateway IP in the logs. Which means it's the gateway IP you'll need to use in your RewriteCond.

2) If that doesn't help, does this server do little enough traffic that you could turn on some REALLY heavy logging for a few minutes? Maybe late in the evening? If so, you could add the following lines:

RewriteLog /var/log/rewrite.log
RewriteLogLevel 9

...bounce Apache, and make a few requests from the LAN to gather debugging data. Then you can comment out those lines and bounce Apache again.

11:34 am on Mar 27, 2005 (gmt 0)

10+ Year Member


I have solved the problem; I just use my public IP-address.

Thanks for your answer - have a nice day :-)


11:58 am on Mar 27, 2005 (gmt 0)

10+ Year Member

Let me throw in an alternative. It doesn't need mod_rewrite and may be a bit more secure. It only works if the web server's internal interface has a DNS name.

NameVirtualHost *

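# External tree for all other requests
<VirtualHost *>
DocumentRoot /var/www/html/ext
</VirtualHost>

# Internal tree for requests addressed to the internal host name
<VirtualHost internal-host-name>
DocumentRoot "/var/www/html/int"
</VirtualHost>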

1:56 pm on Mar 27, 2005 (gmt 0)

10+ Year Member

This won't work unless the internal hosts access the server by the internal host name; accessing the internal site and the external site by different hostnames may not be practical (for instance, the HTML could be written with absolute URLs in all hyperlinks. Which would, I'll grant you, be suboptimal (to say the least), but I've seen sillier things.)

Alternatively, one *could* play tricks in DNS whereby the internal workstations resolved 'www.example.com' as and everything outside resolved it as a publicly routable IP. Of course, *all* this assumes that the internal webserver and the internal workstations are networked in such a way that requests to the internal hostname would NOT be routed through the NAT gateway IP address.

You're right, of course; in some situations, multiple virtual hosts would be easier. As with most things, It Depends(tm). =)

9:42 am on Mar 28, 2005 (gmt 0)

10+ Year Member

> This won't work unless the internal hosts access the server by the internal host name

or if the server has two different interfaces and the internal host name used for the second VirtualHost is resolved into the IP address of the internal interface. If the names used for VirtualHost statements are resolved into different IP addresses (or if an IP address is specified instead of a name), Apache uses the destination IP of requests to assign the requests to VirtualHosts. OTOH, if the VirtualHost names are resolved into the same IP address, Apache looks at the server name in the HTTP request header. Only in that case does it matter what name the clients access the server by.

The reason I recommend this solution is that the decision is made very early on and misconfiguration is less likely to cause a security breach. Mod_rewrite statements are evaluated a lot later in the request handling when a DocumentRoot is already known for a request.

