# Apache authentication from WAN only



## oobayly (Apr 14, 2010)

I'm setting up a (basic) intranet site on our Apache webserver (v.2.2.14), what I'd like to have is certain pages accessible from the LAN, but requests from the WAN need to be authenticated.

I've got directories that are restricted to the LAN by using the *Allow* directive, and I've got directories that require authentication from all locations, but can't seem to work out how to combine them.

Is this actually possible?

Many thanks,
John


----------



## SirDice (Apr 14, 2010)

Set up two websites both pointing to the same webroot.


----------



## oobayly (Apr 14, 2010)

Is that the only way it can be done? If the virtual host declaration is in way complicated, it requires a great deal of duplication. If for example, there are only one or two locations that need to be authenticated when connecting from the WAN it would seem over the top to have two virtual hosts & have to edit both whenever a change is made.

Also, correct me if I'm wrong, but I'd need to have two different hostnames.


----------



## SirDice (Apr 14, 2010)

Run the sites on different IP addresses. Resolve the internal one to IP1, resolve the external one to IP2. Make use of include statements for the common bits. It's just a solution, it might not fit your needs


----------



## oobayly (Apr 14, 2010)

Ok thanks, this may take a bit more planning than I'd first thought. Seeing as all external traffic is forwarded to this machine, I should be able to run the sites on a single IP, but on different ports. There may also be some heavy use of includes too!


----------



## anomie (Apr 14, 2010)

oobayly said:
			
		

> I've got directories that are restricted to the LAN by using the *Allow* directive, and I've got directories that require authentication from all locations, but can't seem to work out how to combine them.



You can also use something like: 

```
<Directory /var/www/foo>

  Order deny, allow
  Deny from all
  Allow from 10.0.50.

  AuthType Basic
  AuthName "My Foo"
  AuthUserFile /usr/local/etc/auth/myusers
  Require valid-user

  Satisfy Any

</Directory>
```

This should allow access if the client system is on 10.0.50/24, _or_ if the client authenticates.


----------



## SirDice (Apr 14, 2010)

That would be a lot easier to do :e


----------



## oobayly (Apr 16, 2010)

That's exactly what I'm looking for. Many thanks.


----------



## zhongyb (May 27, 2010)

anomie said:
			
		

> You can also use something like:
> 
> ```
> <Directory /var/www/foo>
> ...



This is great!


----------

