Most companies will want to run two Web servers, one for public viewing and one for private use. There are different strategies available to keep these separate.
One Server, Two Directory Trees
The simplest way to keep internal and external areas separate is to set up two directory trees on a single Web server. You can then use the Limit directive in the access.conf file to allow only internal IP addresses to reach the private tree.
You must define restrictions for every directory the server exposes, not just DocumentRoot; this includes Alias and ScriptAlias directories. This is done with the Limit and AllowOverride directives.
To set up the directory trees do the following:
Create two directories, one for internal and one for external access. Neither may be a subdirectory of the other.
Use the Limit directive so that only internal IP addresses can reach the internal directory.
Disable per-directory overrides so that your Limit directive cannot be loosened by an .htaccess file: set the AllowOverride directive to None.
Using the same server is the cheapest solution and is acceptable only if there is no alternative or your internal data is not that important. If the server is compromised, your internal data is exposed along with your external data.
One Machine, Two Servers
This strategy also uses only one machine and offers some security to the cost-conscious. It protects slightly more than the previous approach but is not the most secure option available.
With this technique, you create two separate httpd configurations, each with its own configuration files and DocumentRoot, so that separate server processes handle internal and external access. You will probably want to run your external server on port 80, since that is where most people will look for it. Your internal server can then run on any unused port.
Running separate servers allows you to configure your internal server to be more or less restrictive than your external server.
To set up multiple servers on one machine:
Create two separate server directories, each with its own configuration and document directories.
Configure your external server as you normally would, but configure your internal one with the same restrictions as in the previous procedure (the Limit and AllowOverride directives).
Configure your internal server to use the non-standard port. This is done either in the httpd.conf file, with the Port directive, or in the inetd.conf file.
When you start your httpd server, you may need to use the -d or -f flags to point it at the right configuration files.
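The following is an added example, not part of the original text, showing what the internal server's configuration looks like when the two procedures above are combined: a non-standard port, and the private tree plus its Alias and ScriptAlias directories restricted to internal addresses with overrides disabled. It assumes Apache 1.3 syntax, /usr/local/etc/httpd-internal as the internal ServerRoot and 10.0.0.0/255.0.0.0 as the internal address range; substitute your own.

```apache
# Internal server (assumed ServerRoot: /usr/local/etc/httpd-internal).
# Start it with: httpd -f /usr/local/etc/httpd-internal/conf/httpd.conf
ServerRoot /usr/local/etc/httpd-internal
DocumentRoot /usr/local/etc/httpd-internal/htdocs

# Non-standard port; the external server keeps port 80.
Port 8080

# Deny everything by default and allow only the internal network
# (10.0.0.0/255.0.0.0 is an assumed range). Placed directly in the
# <Directory> block these rules cover every request method; the
# <Limit> form restricts only the methods it names.
# AllowOverride None keeps a stray .htaccess from loosening this.
<Directory /usr/local/etc/httpd-internal/htdocs>
    AllowOverride None
    order deny,allow
    deny from all
    allow from 10.0.0.0/255.0.0.0
</Directory>

# The same restriction must cover every aliased directory, or that
# tree stays reachable from outside even though DocumentRoot is closed.
Alias /icons/ /usr/local/etc/httpd-internal/icons/
<Directory /usr/local/etc/httpd-internal/icons>
    AllowOverride None
    order deny,allow
    deny from all
    allow from 10.0.0.0/255.0.0.0
</Directory>

# Script directories need the restriction too.
ScriptAlias /cgi-bin/ /usr/local/etc/httpd-internal/cgi-bin/
<Directory /usr/local/etc/httpd-internal/cgi-bin>
    AllowOverride None
    Options ExecCGI
    order deny,allow
    deny from all
    allow from 10.0.0.0/255.0.0.0
</Directory>
```

A quick check after restarting is to request a page from an address outside the allowed range and confirm the server answers 403 for the document, icon and cgi-bin paths alike.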
Two Machines, One Network
A better alternative to using one machine is to use two: one that serves the external pages and one for internal access.
Using two machines protects your data as long as unauthorized access stays confined to the one machine; then your internal and external Web pages are never both in jeopardy.
If any machine on your network has been compromised, it is possible that all of them have been. Crackers can install sniffer programs that watch the network for passwords and store them in a file or e-mail them to the cracker. The only way around this is to always encrypt your traffic.
UNIX machines can also be set up to trust one another, either by creating a "/etc/hosts.equiv" file or by putting a ".rhosts" file in your home directory. Trusting a machine that has been compromised is a sure way to get broken into. Never trust your external Web server.
If one of your servers is compromised, that machine can be used to break into other machines on your network, either by installing a sniffer or taking advantage of host trust.
Two Machines, Two Networks
Having both machines on the same network, as in the previous scenario, is a problem if one of them is compromised.
An even better alternative is to separate the two machines with a firewall. The firewall can be as simple as a screening router or as elaborate as a series of routers and application gateways.