On Thursday 08 November 2001 11:59 am, michael.ryan@storm.ie wrote:
I have a situation where I want to allow a customer coming from a fixed IP address to be able to view a web site on an IIS machine on the internal network and disallow access to this site from any other IP.
Is it possible to configure a virtual host entry on Apache to allow/disallow a redirect based on the originating IP or is there a better way to achieve the same result? (also, I have SuSEfirewall v4.8 running)
I would consider doing this at the firewall rather than at the web server. You could selectively forward TCP requests from this customer's IP to your firewall's IP but on a specific port (privileged port, but otherwise unused) into your internal network to the web server on port 80. That would give this customer access to anything on that particular web server. This is a little scary, in that if someone else spoofs the IP address of your customer they could gain access to that web site as well.

You could also consider the better solution of creating a VPN with tunneling capability. SSH or IPsec can do this, and probably other solutions as well. The VPN option has the advantage of encrypting traffic between your privileged web site and the customer's end of the VPN.

I would not rely much on the web server itself being selective about who comes in, by IP address, but you could (and should) use that type of security in addition to the firewall/VPN security for added protection. Layering is good!

Scott

-- 
-----------------------+------------------------------------------------------
Scott Courtney         | "I don't mind Microsoft making money. I mind them
courtney@4th.com       | having a bad operating system." -- Linus Torvalds
http://www.4th.com/    | ("The Rebel Code," NY Times, 21 February 1999)
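The selective forward described in the reply above, sketched as an added example that is not part of the original message. It assumes an iptables-based firewall (the thread names only SuSEfirewall v4.8); the addresses, interface name and port 81 are constructed placeholders. The function only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: print iptables rules that forward one customer's traffic
# from an otherwise unused firewall port to the internal web server.
# Assumption: iptables with the nat table and the state match available.

# fwd_rules CUSTOMER_IP EXT_IF EXT_PORT WEB_IP
fwd_rules() {
    cust=$1; ext_if=$2; ext_port=$3; web_ip=$4

    # Accept a single dotted host address only: no netmask, no wildcard,
    # so the forward can never silently widen to a whole network.
    case $cust in
        ''|*[!0-9.]*|0.0.0.0) echo "bad customer address" >&2; return 1 ;;
    esac
    # The external port must be numeric and in range.
    case $ext_port in
        ''|*[!0-9]*) echo "bad port" >&2; return 1 ;;
    esac
    if [ "$ext_port" -lt 1 ] || [ "$ext_port" -gt 65535 ]; then
        echo "bad port" >&2; return 1
    fi

    # 1: rewrite the destination, but only for the customer's source address.
    # 2-3: allow that flow and its replies through the FORWARD chain.
    # 4-5: log and drop any other outside attempt to reach the server.
    cat <<EOF
iptables -t nat -A PREROUTING -i $ext_if -p tcp -s $cust --dport $ext_port -j DNAT --to-destination $web_ip:80
iptables -A FORWARD -i $ext_if -p tcp -s $cust -d $web_ip --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o $ext_if -p tcp -s $web_ip --sport 80 -d $cust -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ext_if -p tcp -d $web_ip --dport 80 -j LOG --log-prefix "web-fwd-denied: "
iptables -A FORWARD -i $ext_if -p tcp -d $web_ip --dport 80 -j DROP
EOF
}

# Constructed sample values: customer 203.0.113.10, internal IIS host
# 192.168.1.20, external interface eth0, unused privileged port 81.
fwd_rules 203.0.113.10 eth0 81 192.168.1.20
```

The LOG rule ahead of the DROP gives a record of any other source that tries to reach the server through the firewall.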