Password protecting Apache Site for external users only

In order to make an intranet an extranet, you need to place the intranet on a server in the DMZ.
From here, configure a virtual server accordingly (e.g. intranet.site.com.au)

You will need to configure on an internal DNS (or smoothwall /etc/hosts when using a webproxy) a reference to intranet.site.com.au

Your global DNS for site.com.au should not have intranet specified. This should be invalid in some way. For example in my sites, I have a catch all domain that is an unknown.site.com.au and with wildcard DNS, any invalid domain URL’s in the *.site.com.au go here. For example, try http://intranet.ucb.com.au

Now, within your Apache Httpd conf VirtualHost directive you need to add the following.

<Directory "/home/intranet/www">
  Options Indexes

  Order deny,allow
  Deny from all
  Allow from 192.168.100
  Allow from 10.1.1
  Require valid-user
  Satisfy any

  AllowOverride AuthConfig
  AuthType Basic
  AuthName "Administration Access Only"
  AuthUserFile /home/intranet/.htaccess
</Directory>

You just need to create the appropiate .htaccess file, and restart Apache httpd. Access from the internal network is allowed via IP, and everything else must use the authentication model used.

To setup external access, I created a sepearate subdomain called extranet. To further restrict this past basic access, I configured to to connect to the firewall only on port 81, and then had a rule to redirect to port 80 on the DMZ machine.

So what I ended up with was:

http://intranet.site.com.au internally accesses the intranet.
http://intranet.site.com.au externally redirects to a custom invalid/unknown subdomain page
http://extranet.site.com.au throws a browser not error
http://extranet.site.com.au:81 prompts for a username/password to access intranet.

Tagged with: Linux

Related Posts

Why Being Proactive Is Always a Winning Approach

Many companies manage production infrastructure using a reactive model rather than a proactive one. Organizations typically react to warnings and alerts, then implement corrective actions in response. While some companies have well-designed architectural patterns—such as feature flags and rate limiting—that can quickly mitigate the impact of issues, these are merely temporary solutions, not resolutions.

Read more

AWS CLI support for Aurora DSQL and S3 Tables

If you were following the AWS Re:invent keynote yesterday there were several data specific announcements including Aurora DSQL and S3 Tables . Wanting to check them out, I downloaded the latest AWS CLI 2.

Read more

Migrating off of WordPress - A Simplified Stack

The ongoing drama between Wordpress v WP Engine continues to cross my reading list, but I have permanently removed WordPress from my website. I have finally transitioned away from the complex Linux/Apache/MySQL/PHP (LAMP) stack required for self-hosting WordPress on my professional website.

Read more