Originally posted by Donboy
I assume the problem is your users are putting a full hostname into the .htaccess files. What about using a partial domain name? They can just put "domainname.com" instead of putting the www or www2 at the beginning. This depends on your dns being setup correctly. They can also use IP addresses instead of hostnames.
No, not really. The problem is that the users are wanting to restrict access to certain subdirectories to the local network (for example) so are putting in the partial IP address which will map to only computers on the network they want to restrict too, the problem is the when the www2. server gets the request, which is proxied through www, the only IP address it knows about is that of the www server and thus ALL requests are allowed, regardless of where they originate.
For example, let's assume...
local network = 192.168.0.0/255.255.255.0
Machines IP's are...
www server IP is 192.168.0.1
www2 server IP is 192.168.0.2
A user's .htaccess file states...
Deny from all
Allow from 192.168.0.
... thus limiting to local network only.
url points too 192.168.0.1.
someone with an IP of 192.168.5.44 makes a request for ...
... The .htaccess file should mean that this request is denied. However...
192.168.0.1 recieves the request, follows the rewrite rule which proxies this request to www2.domainname.com/~username.
192.168.0.2 recieves a request for...
... and processes it, see's the .htaccess file in the user's homespace, looks at it and compairs the IP address of the machine making the request with that in the 'allow from' line. The ONLY IP address that the machine knows about is 192.168.0.1 (the machine that is proxying the request), since 192.168.0.1 matches the 'allow from' line it continues to process the request, forwards the requested page to the client (192.168.0.1).
192.168.0.1 recieves the page from 192.168.0.2, does a little rewriting of the HTML urls and then forwards that page onto the client who requested it in the first place (192.168.5.44).
192.168.5.44 recieves the page and displays it on in the broswer even though the site has a .htaccess file that should restrict it to only IP address 192.168.0.