Here, I have 2 groups (sysnet and prod) that are authorized to connect.
Skip Authentication for Specific IP Addresses
I need monitoring screens to access Nagios without authentication while keeping LDAP authentication for other users. Building on the example above, here are the lines to modify:
This way, IPs from the 10.100.10.0/24 subnet don't need to authenticate while others do. To accept either condition rather than both, I use the Satisfy Any directive: access is granted if the client matches the IP rule or authenticates successfully. We can put 'Satisfy All' if we want all conditions to be validated.
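A sketch of the kind of configuration this section describes, added here as an example and not the author's original lines. The directory path, LDAP host, base DN and group DNs are placeholder assumptions; only the subnet and the group names sysnet and prod come from the text. The second half shows the Apache 2.4 equivalent, where Satisfy is replaced by RequireAny.

```apache
# Added example. Placeholders (assumptions): directory path, LDAP host,
# base DN and group DNs. Subnet and group names come from the text.

# --- Apache 2.2: Order/Allow + Satisfy ---
<Directory "/path/to/nagios/htdocs">
    AuthType Basic
    AuthName "Nagios Access"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/dc=example,dc=com?uid?sub"
    # Several Require lines are ORed: membership of either group is enough
    Require ldap-group cn=sysnet,ou=groups,dc=example,dc=com
    Require ldap-group cn=prod,ou=groups,dc=example,dc=com

    # Host-based rule: only the monitoring subnet passes this check
    Order deny,allow
    Deny from all
    Allow from 10.100.10.0/24

    # Any = host rule OR LDAP login is sufficient
    # All = host rule AND LDAP login are both required
    Satisfy Any
</Directory>

# --- Apache 2.4 equivalent: mod_authz_core containers ---
<Directory "/path/to/nagios/htdocs">
    AuthType Basic
    AuthName "Nagios Access"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/dc=example,dc=com?uid?sub"
    # RequireAny plays the role of "Satisfy Any";
    # RequireAll would correspond to "Satisfy All"
    <RequireAny>
        Require ip 10.100.10.0/24
        Require ldap-group cn=sysnet,ou=groups,dc=example,dc=com
        Require ldap-group cn=prod,ou=groups,dc=example,dc=com
    </RequireAny>
</Directory>
```

Both Allow from and Require ip match the address Apache sees as the client. Behind a reverse proxy that is the proxy's address unless mod_remoteip is configured, so an IP exemption placed on a back-end server would apply to every proxied request.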
Creating Redirects
If you want to protect a specific folder, you have 2 methods:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"/>
    <meta http-equiv="refresh" content="0; url=http://www.google.com"/>
    <title>www.deimos.fr</title>
    <meta name="robots" content="noindex,follow"/>
    </head>
    <body>
    <p><a href="http://www.google.com">Please wait while redirecting...</a></p>
    </body>
    </html>
VirtualHost
When we have an Apache server at the front end and want to redirect traffic to other Apache servers at the back end, we need to activate mod_proxy. Here's an example:
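    # Disable forward proxying: this server only acts as a reverse proxy
    ProxyRequests Off

    # IP of your box
    NameVirtualHost 1.2.3.4

    <VirtualHost 1.2.3.4>
        # Website managed by Apache
        ServerName www.domain.tld
        DocumentRoot /var/www/htdocs/
        # etc...
    </VirtualHost>

    <VirtualHost 1.2.3.4>
        ServerName www.domain2.tld
        ErrorLog blabla
        CustomLog blabla
        # ProxyPass forwards the request to the back end;
        # ProxyPassReverse rewrites the redirect headers it sends back
        ProxyPass / http://127.0.0.1:8002/
        ProxyPassReverse / http://127.0.0.1:8002/
    </VirtualHost>

    <VirtualHost 1.2.3.4>
        ServerName www.domain3.tld
        ErrorLog blabla
        CustomLog blabla
        ProxyPass / http://127.0.0.1:8003/
        ProxyPassReverse / http://127.0.0.1:8003/
    </VirtualHost>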
Here, depending on the hostname in the URL the client entered, requests are automatically forwarded to the matching back-end server.
URL Rewriting Redirects
Here's an example of URL rewriting. This allows redirecting cvsweb.mydomain.com automatically to the correct URL and cleaning up the URL as well. I changed from:
It's possible to block access to all kinds of browsers. If, like me, you're not friends with IE, which breaks your PNGs in version 6, doesn't respect standards, breaks CSS, etc., it might be convenient to block it and politely direct the user to download Firefox as soon as possible. Keep in mind that the User-Agent header is set by the client, so this works as a redirect for ordinary visitors and not as an access control.
For this, we'll use the rewrite module (mod_rewrite). It must be enabled as described above. Then add these lines in the desired folder (Directory for the entire site for example) in sites-enabled/000-default:
    <Directory />
        ...
        AllowOverride FileInfo
        <IfModule mod_rewrite.c>
            RewriteEngine on
            RewriteCond %{HTTP_USER_AGENT} .*MSIE.*
            # opera sometimes pretends to be IE
            RewriteCond %{HTTP_USER_AGENT} !.*Opera.*
            # avoid infinite loop in conditions
            RewriteCond %{REQUEST_FILENAME} !.*ie.html
            # redirect to a page explaining the reasons for rejection
            RewriteRule .* /ie.html [L]
        </IfModule>
    </Directory>
All that's left is to create the ie.html file and put your nice text in it (you can also make a simple text file). Here's what I use (/var/www/ie.html):
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title>Access Forbidden with Internet Explorer</title>
    </head>
    <body>
    Dear Internet User,<br/><br/>
    This site cannot be accessed using Internet Explorer.<br/>
    You should now understand that times are changing.<br/><br/>
    You are currently using a browser (Internet Explorer) that doesn't<br/>
    respect <a href="http://www.w3.org">standards</a> and holds a monopoly due to its mandatory omnipresence in<br/>
    your dear OS (Windows). That said, perhaps you're at work and don't have a choice of OS.<br/><br/>
    However, Internet Explorer should no longer be used when there are many<br/>
    other free, open-source browsers that respect standards!<br/>
    But since you don't seem to be aware of this, it's okay, let me help you.<br/><br/>
    To begin with, you can download a clean browser like <a href="http://www.mozilla.org">Firefox</a>.<br/>
    This would already help you get on the right track and will allow you to access<br/>
    my site.<br/><br/>
    Still on your new quest to the light side of the force, you should switch to<br/>
    a free, open-source OS (<a href="http://www.ubuntu.com">Ubuntu</a> for example) that will surely make you happy.<br/><br/>
    I encourage you to take control as soon as possible.<br/><br/>
    Regards,<br/>
    Pierre (aka Deimos)
    </body>
    </html>
Public Folders
Public folders are used to have multiple clients on a server where each has their own personal space. The practice is quite simple: we have, for example, the user toto who has a "public_html" folder in their home directory, and their web server is accessible via "http://server/~toto". I did this on OpenBSD with Apache 1.3; normally for version 2, the syntax is the same. So here's the configuration to add:
You can also see that I changed the header of my main pages with the "HeaderName" option. This header.htm file must be located in the "DocumentRoot" folder when called by "/".
Here's an example with a mix of BSD authentication + IP restriction:
Just create the .header.htm and .footer.htm files and put whatever you want in them :-)
Advanced
Sometimes you might want to make things a little more interactive than just simple HTML. But you'll run into a significant problem: the server simply won't interpret the code in your header and footer files. In my case, I wanted to do it in PHP, so here's the solution. In your Directory section, where you already have your lines containing HeaderName and ReadmeName, you should insert these lines:
    # In order for the PHP file to execute in a header, need to have a major type of text
    AddType text/html .php
    AddHandler application/x-httpd-php .php
    Options -Indexes
    HeaderName /.header.htm
    ReadmeName /.footer.php
And now I have my footer in PHP :-). You can follow the explanations on Apache's website. You can also use CGI, etc.
Enable PHP Compression
PHP5 compression will save us precious seconds on page display. To enable it, edit the following file and set the parameter to "on":