sys·ad·min·ol·o·gy [sis-ad-mih-nol-uh-jee]

noun

  1. The scientific study of system administration and related phenomena.

Friday, 16 May 2014

Exclude Sub Directories From Apache's Directory Directive

Recently I had the need to "soft release" a web site to our internal users BEFORE releasing it to the world at large.

So the requirement is that users accessing the site from any internal network need to see the site; anyone else should see a splash page: "We're upgrading whizbang.website".


This is what I did. First, we already had a DirectoryMatch stanza defined:

<DirectoryMatch "/var/www/whizbang.website/|help-uploads|/var/www/other-resources">
        Options +Includes
        Order allow,deny
        Allow from all
</DirectoryMatch>

/var/www/whizbang.website is the DocumentRoot of the site.

So we change it to this, to only allow RFC1918 addresses access:

<DirectoryMatch "/var/www/whizbang.website/|help-uploads|/var/www/other-resources">
        Options +Includes
        Order deny,allow
        deny from all
        allow from 192.168.0.0/16
        allow from 10.0.0.0/8
</DirectoryMatch>

All well and good. If anyone with a non-RFC1918 address accesses the site, they will see the default 403 Forbidden message. That looks a bit horrid, so let's define our own.

ErrorDocument 403 /outage/some_nice_outage_message.html

Great. But visitors from the Internet will still get a 403, with an additional 403 for the error document itself, because /outage/some_nice_outage_message.html is relative to the DocumentRoot of the site, and we have told Apache that the Internet at large doesn't have access to it.

Rather than completely rewrite the DirectoryMatch regex to account for all the folders that need the "Options +Includes" option, we can use a negative lookahead to exclude our outage folder from the DirectoryMatch stanza:

<DirectoryMatch "/var/www/whizbang.website/(?!outage)|help-uploads|/var/www/other-resources">
        Options +Includes
        Order deny,allow
        deny from all
        allow from 192.168.0.0/16
        allow from 10.0.0.0/8
</DirectoryMatch>

This way it will match /var/www/whizbang.website/anything but, critically, NOT /var/www/whizbang.website/outage.

Clients accessing from the Internet will see our friendly outage page, and users on the internal network will get the website as intended.
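
An added example (not from the original post) that checks which paths the lookahead pattern actually leaves outside the stanza, since (?!outage) excludes every name that merely starts with "outage". It uses Python's re.search as a stand-in for Apache's unanchored PCRE matching; the sample paths and the tightened pattern are assumptions of this example.

```python
import re

# Pattern copied from the post's final DirectoryMatch stanza.
PAGE_PATTERN = r"/var/www/whizbang.website/(?!outage)|help-uploads|/var/www/other-resources"
# Assumption of this example: same pattern, but the lookahead must see "outage"
# followed by "/" or end of path, so only that one directory is excluded.
TIGHT_PATTERN = r"/var/www/whizbang.website/(?!outage(?:/|$))|help-uploads|/var/www/other-resources"

# Constructed sample paths (not from the post).
SAMPLE_PATHS = [
    "/var/www/whizbang.website/index.html",
    "/var/www/whizbang.website/outage",
    "/var/www/whizbang.website/outage/some_nice_outage_message.html",
    "/var/www/whizbang.website/outage-archive/report.html",
    "/var/www/whizbang.website/outages.html",
    "/var/www/whizbang.website/docs/outage/page.html",
    "/var/www/whizbang.website/outage/help-uploads/x.html",
]


def is_restricted(pattern, path):
    """True if the stanza, and so its deny/allow rules, would apply to path."""
    # DirectoryMatch regexes are unanchored, hence search() rather than match().
    return re.search(pattern, path) is not None


def unintended_exemptions(paths, loose=PAGE_PATTERN, tight=TIGHT_PATTERN):
    """Paths the loose lookahead leaves outside the stanza but the tight one covers."""
    return [p for p in paths
            if not is_restricted(loose, p) and is_restricted(tight, p)]


if __name__ == "__main__":
    # Columns: post's pattern, tightened pattern, path.
    for path in SAMPLE_PATHS:
        print(f"{is_restricted(PAGE_PATTERN, path)!s:5}  "
              f"{is_restricted(TIGHT_PATTERN, path)!s:5}  {path}")
    print("exempt only under the post's pattern:")
    for path in unintended_exemptions(SAMPLE_PATHS):
        print("  " + path)
```

The last sample path is restricted under both patterns because the unanchored help-uploads alternative matches anywhere in the path, including below the outage folder.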
