Recipe 22.12. Keeping LAN Web Sites Off the Internet

22.12.1 Problem

You have a personal web site on your LAN where you keep your calendars, documents, and amusingly edited .jpgs of your coworkers. Or perhaps your company has departmental web sites that are not meant to be exposed to the outside world. Even though your LAN is chock-full of firewalls and bristling with security, you want to be sure that these web sites are not accessible outside the LAN.

22.12.2 Solution

There are two different ways to do this, depending on the type of web site. For an Apache virtual host or a standalone Apache web site, follow this recipe. For a UserDir-type site (described in Recipe 22.8), see Recipe Section 22.13.

Restricting access to your LAN, subnet, or certain domain names is done with simple deny/allow access rules, filtering on IP address, like this:

 <VirtualHost *:80>

 ServerName  www.bratgrrl.com

 ServerAlias  bratgrrl.com  *.bratgrrl.com

 DocumentRoot  /var/www/bratgrrl

 ServerAdmin  admin@bratgrrl.com

 order deny, allow

 allow from 192.168.1.

 deny all

 </VirtualHost>

or using a domain name:

allow from oreilly.net

22.12.3 Discussion

Many businesses rely on all manner of internal web sites that are not for public consumption. Even with elaborate firewalls in place, it only takes a minute to add some extra insurance with access rules.

UserDir pages, which use URLs like oreilly.net/~carla, are protected at the directory level, rather than by the domain name (see the next recipe).

22.12.4 See Also

• Chapter 5 of Apache: The Definitive Guide

• Recipe 22.13