On 7/25/05, Dick Davies <rasputnik@xxxxxxxxxxxxxxxxx> wrote:
> I have content I want to serve up via http to intranet users, but have
> external IPs authenticate over SSL (mod_auth_ldap).
>
> # for main network users
> RewriteCond %{REMOTE_ADDR} !^10\.9\..*
> # XXX these are hosed
> # ....or our other two sites
> RewriteCond %{REMOTE_ADDR} !10.0.112.0/20
> RewriteCond %{REMOTE_ADDR} !10.19.64.0/22
> # .... then you need to authenticate
> RewriteRule ^(.*)$ https://server.domain$1 [R,L]
>
> Now this works fine for the 10.9.0.0/16 network (because it's a class B),
> but since we're just matching a string (REMOTE_ADDR) with no network information
> it isn't going to cut it for the last two sites.
>
> Am I really going to have to have one line for each possible starting string
> for each of the last two subnets?

Well, you will need to build a regex that does the matches. But you
won't need one for every starting string. You can use stuff like

    RewriteCond %{REMOTE_ADDR} !^10\.0\.11[2-9]\.*
    RewriteCond %{REMOTE_ADDR} !^10\.0\.12[0-7]\.*

which I believe should get the intention of your first line. (Note
also the correct regex escaping of the '.'.)

Alternative techniques include using a RewriteMap to list all the
addresses (at least down to the /24 level), or going back to mod_access.
For example, you could do something like

    Order Allow,Deny
    Allow from 10.0.112.0/20
    Allow from 10.19.64.0/22
    ErrorDocument 403 https://server.domain

(That doesn't necessarily get you to the right exact page. For that,
you'd need to point your ErrorDocument at a CGI script to do the
redirection.)

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
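An added example, not part of the original thread: a Python check that compares REMOTE_ADDR patterns like the ones above against real CIDR membership for every address in the enclosing /16, and builds an anchored pattern for a network by listing its /24s. The function names `cidr_to_pattern` and `mismatches` are assumptions of this example, and it only handles IPv4 prefixes from /16 to /24.

```python
import ipaddress
import re


def cidr_to_pattern(cidr):
    """Anchored regex for an IPv4 network (/16../24), one alternative per /24."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or not 16 <= net.prefixlen <= 24:
        raise ValueError("only IPv4 prefixes /16 to /24 are handled here")
    a, b, first, _ = net.network_address.packed
    last = net.broadcast_address.packed[2]
    thirds = "|".join(str(o) for o in range(first, last + 1))
    # Leading ^ and trailing \. stop 10.0.112 from matching inside other octets.
    return rf"^{a}\.{b}\.({thirds})\."


def mismatches(patterns, cidr):
    """Addresses in the enclosing /16 where 'any pattern matches' != 'in cidr'."""
    net = ipaddress.ip_network(cidr)
    scope = net.supernet(new_prefix=16)
    compiled = [re.compile(p) for p in patterns]
    bad = []
    for addr in scope:  # all 65536 addresses, network and broadcast included
        text = str(addr)  # what %{REMOTE_ADDR} would contain
        if any(c.search(text) for c in compiled) != (addr in net):
            bad.append(text)
    return bad


# Patterns copied from the thread (without the leading "!" negation).
QUOTED_BROKEN = [r"10.0.112.0/20"]
REPLY_PAIR = [r"^10\.0\.11[2-9]\.*", r"^10\.0\.12[0-7]\.*"]

if __name__ == "__main__":
    print("quoted CIDR-as-regex wrong for",
          len(mismatches(QUOTED_BROKEN, "10.0.112.0/20")), "addresses")
    print("reply pair wrong for",
          len(mismatches(REPLY_PAIR, "10.0.112.0/20")), "addresses")
    for cidr in ("10.0.112.0/20", "10.19.64.0/22"):
        pattern = cidr_to_pattern(cidr)
        assert mismatches([pattern], cidr) == []
        print("RewriteCond %{REMOTE_ADDR} !" + pattern)
```

A CIDR string used as a regex never matches, because REMOTE_ADDR never contains "/20", so every address in that subnet is treated as external; the exhaustive comparison makes that visible before the rule is deployed.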