I have two servers, one a development server that is accessible internally on our company's local network and the other a public-facing web server. The development server hosts several tools that we use to manage our projects internally but now we need to access them externally too whilst maintaining security.
I have set up mod_proxy on the external server using the ProxyPass and ProxyPassReverse directives to map external requests to the internal server. I have also set up authentication on these external virtual hosts to provide security for outside access. I also need to use SSL for external access but would ideally prefer to keep the internal tools accessible by plain HTTP for people within the intranet.
Is it possible to achieve this behaviour and if so what directives and Apache modules should I be using and on which servers do they need to be set up?
I'm going to make the assumption that you do accept HTTP connections for the public, but you do a standard HTTP redirect to force them to HTTPS.
If this is the case, then you can alter your HTTP directives to not redirect if you are part of the internal network.
To do this, you want to use Apache's mod_rewrite and filter on REMOTE_ADDR. Essentially, you want to redirect everything that does not match your network.
The other option, and probably the safer one, is to just have your internal users use a different service address than the public one. Have them connect to myservice.mydomain.local instead of myservice.mydomain.com.
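The mod_rewrite approach described in this answer, as an added example that is not part of the original post. It assumes Apache 2.4 on the proxying server and Basic authentication; the hostnames, the 192.168.1.0/24 subnet, and all file paths are placeholders.

```apache
# Constructed example; every name, address and path below is a placeholder.
<VirtualHost *:80>
    ServerName tools.example.com

    RewriteEngine On
    # Redirect every client whose address is NOT in the internal subnet.
    # -R matches REMOTE_ADDR against a CIDR block (ap_expr, Apache 2.4+).
    RewriteCond expr "! -R '192.168.1.0/24'"
    # Redirect to the fixed ServerName rather than the client-supplied Host header.
    RewriteRule ^ https://tools.example.com%{REQUEST_URI} [R=301,L]

    # Internal clients fall through and are proxied over plain HTTP.
    ProxyPass        / http://dev.internal.example/
    ProxyPassReverse / http://dev.internal.example/
</VirtualHost>

<VirtualHost *:443>
    ServerName tools.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/tools.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/tools.example.com.key

    # Authentication is enforced only on the TLS virtual host, so
    # credentials are never requested over plain HTTP.
    <Location "/">
        AuthType Basic
        AuthName "Internal tools"
        AuthUserFile /etc/apache2/htpasswd-tools
        Require valid-user
    </Location>

    ProxyPass        / http://dev.internal.example/
    ProxyPassReverse / http://dev.internal.example/
</VirtualHost>
```

REMOTE_ADDR is the address of the TCP peer, so if a NAT device or load balancer sits in front of this server, check which address Apache actually sees before relying on the subnet match.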
Can you create 2 different virtual hosts in the Apache config, each that respond on different IPs, although still use the same doc root? On your router, have it respond to example.com with 192.168.1.1, while outside it will respond with 342.434.564.23. Or have everyone use a different address when they are in the office (internal.example.com).
If you're using Linux, research iptables for firewalling. If Windows, you can use IPSec policies to simulate similar firewall rules. Basically, you'll assign rules based on the source IP subnet. If a connection comes from your internal network, block HTTPS. Otherwise, block HTTP.
You're best off using firewall rules to restrict this.
I don't think Apache has a feature to implement this, even if it did it would produce overhead. Firewalls are designed for things like this and thus would be more appropriate. I'm assuming you have an external firewall (I hope you do), you should only allow port 443 to this machine and block port 80 externally.
You could, if you really wanted to use Apache, use two virtual hosts, one listening on an internal and another on an external IP. This would however double up configuration and thus I wouldn't recommend it as it'll be a pain to maintain.
Edit: Sorry, Apache can do this via mod_rewrite but it'll put overhead on the requests and it would still be more appropriate to use a firewall. That said, with the mod_rewrite you're able to redirect people from http to https which could be handy if people are constantly attempting to access http.