Problem:
At work my department had an internal site which was accessible only from a certain IP address. So having the following works great:
[code]AuthType Basic
AuthName "Internal Portal"
AuthUserFile "/var/www/internal/.htpasswd"
require valid-user
Order Deny,Allow
Deny from all
Allow from 192.168.1.100
Satisfy Any[/code]
However, our firewall settings prevented the functionality I needed (the sites are on our gateway, which does not allow traffic to itself via the outside world, so some WordPress features just wouldn't work), so I decided to put our site on our regular cPanel server. Since it is no longer on the inside, the above code will not work, as the internal IPs are not forwarded out. Now, if you are in a private business environment (no one from the public uses your systems) and you want everyone from ONLY your office to have access, with everyone else getting the authentication window (for access from home by authorized users), then you could use the following:
[code]AuthType Basic
AuthName "Internal Portal"
AuthUserFile "/home/username/.htpasswds/public_html/directory/passwd"
require valid-user
Order Deny,Allow
Deny from all
Allow from [your external IP goes here]
Satisfy Any[/code]
Now in my situation things get a bit more tricky, since all our systems, including our publicly accessed computer centre, are on the same public IP. Although this would block users from home, it would not stop the public using our computer centre from accessing the site.
In order to make it as secure as possible, I need a way of making it recognize only a few machines internally. This can be done, but it needs two .htaccess files, one internal and one external.
Solution
I will explain in words first. I keep the internal .htaccess file I mentioned above, allowing all the IPs I need to have access, but I move it to the root of the web server (for added security). This makes sure that only the systems I want to have access are granted access to the file that will get me onto the web server.
In the root folder where I placed the internal .htaccess, I create a new folder and create an index.html file in it that has the refresh header code set to the site on the external server. For instance, say my internal server is 192.168.1.1, which is where I put my .htaccess file. I would put the forwarder into a sub folder with a name someone could remember, i.e. portal. Now in my case it's a lot easier than that, as the computers that will have access have shortcuts on the desktop, so they don't have to memorize it, which means I can have the added security of a random, easily forgotten folder name. The reason for this is to prevent spoofing: someone may realize it's an internal IP referral, but they would also have to guess the internal folder name, which makes it that much harder for an unauthorized person to gain access.
Now on the external server, in the directory I wish to keep private, the .htaccess file only allows access without a password to those who come from 192.168.1.1/portal. This works because the internal server sends out the referral as its internal IP and not the external one, unlike a client system which sends out its public IP. I also have to add my external website as a referer, so that when I change pages it still lets me through; otherwise it will block you, as you are no longer coming from 192.168.1.1/portal.
Here are the two files:
Internal Server:
[code]AuthType Basic
AuthName "Internal Portal"
AuthUserFile "/var/www/.htpasswd"
require valid-user
Order Deny,Allow
Deny from all
Allow from 192.168.1.100
Allow from 192.168.1.101
Allow from 192.168.1.102
Satisfy Any
[/code]
On the External server:
[code]# Mark requests whose Referer starts with the internal forwarder or the
# external site itself (dots escaped so they match a literal dot)
SetEnvIf Referer "^http://192\.168\.1\.1/portal/" noauth=1
SetEnvIf Referer "^http://external\.site\.com" noauth=1
AuthType Basic
AuthName "Internal Portal"
AuthUserFile "/home/username/.htpasswds/public_html/directory/passwd"
require valid-user
Order Deny,Allow
Deny from all
Allow from env=noauth
Satisfy Any[/code]
Note: for the external server, generate your .htaccess file via the cPanel Password Protect Directories manager; it makes life a lot simpler. For the internal server, just use any .htpasswd generator on the web and enter it manually.
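To see exactly how the external-server directives combine, here is a small model of their evaluation run over a few constructed requests. It is an added example, not part of the original post or of Apache itself; the HTPASSWD dictionary and the sample requests are made up for the demonstration, and the two Referer patterns are transcribed from the .htaccess above with the dots escaped. The point a practitioner should take from it is that the decision has no input for the client's source address: the only host-based signal the external server sees is the Referer string the client sent, so the protection against anyone who is not on the 192.168.1.x machines rests on the folder name and the password, not on the address check.

```python
import re

# The two SetEnvIf patterns from the external-server .htaccess above, with the
# dots escaped so they match literal dots (an unescaped dot matches any character).
SETENVIF_REFERER = [
    re.compile(r"^http://192\.168\.1\.1/portal/"),
    re.compile(r"^http://external\.site\.com"),
]

# Constructed stand-in for the .htpasswd file (plaintext so the model is
# self-contained; a real file holds password hashes, not passwords).
HTPASSWD = {"alice": "correct horse"}


def noauth_env_set(referer):
    """SetEnvIf Referer ... noauth=1: true when any pattern matches the header."""
    return referer is not None and any(p.search(referer) for p in SETENVIF_REFERER)


def valid_user(credentials):
    """Require valid-user: the supplied (user, password) pair is in the file."""
    if credentials is None:
        return False
    user, password = credentials
    return HTPASSWD.get(user) == password


def access_decision(referer=None, credentials=None):
    """Apply Deny from all / Allow from env=noauth / Require valid-user under
    Satisfy Any: the request passes if EITHER the Allow matches OR the user
    authenticates. 'deny' is where Apache answers 401 and asks for credentials.
    Note the inputs: the client's source address is never consulted; the only
    host-based input is the Referer string the client sent."""
    return "allow" if noauth_env_set(referer) or valid_user(credentials) else "deny"


# Constructed sample requests: (label, keyword arguments for access_decision).
SAMPLE_REQUESTS = [
    ("internal forwarder", dict(referer="http://192.168.1.1/portal/index.html")),
    ("navigating within the site", dict(referer="http://external.site.com/directory/page2.html")),
    ("direct visit, no login", dict(referer=None)),
    ("direct visit, login", dict(referer=None, credentials=("alice", "correct horse"))),
    ("unrelated referer, no login", dict(referer="http://search.example/")),
]


def evaluate_samples():
    """Map each sample label to the decision the directives would produce."""
    return {label: access_decision(**req) for label, req in SAMPLE_REQUESTS}
```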