Hiding private documentation

By Paul Murphy, author of The Unix Guide to Defenestration

There are lots of legitimate reasons for wanting to use a web server as a communication hub for your work team without making its existence obvious to others. That means you do need to get management sign-off but don't want to put a big sign on the corporate intranet that says "click here for secret project".

Apache virtual hosting combines nicely with some standard Unix facilities to give you what you need, but talk it over with your boss first!

Let's assume you and your colleagues are all on Unix workstations of some kind and that you're going to host this on your Sun box.

First, figure out how you're going to manage content and interaction. Personally I like using MySQL with Phorum, mainly because they meet three conditions: they work, they're free, and they're trivial to install and use. There are lots of other choices.

Second, get your network manager to reserve a second static IP address for each workstation you plan to give access to, including your host machine.

Then:

  1. install the apache2 server on your machine (don't forget to add the php module if you plan to use phorum);
  2. install your core pages and/or phorum in htdocs;
  3. set up virtual hosting in conf/httpd.conf using the second IP address for your host;
  4. put a "deny all, allow from list_of_second_ips" directive into the virtual host listing;
  5. pick a port that's not in use (90 is usually a good bet) and consider getting your firewall manager to block external access to it;
  6. add a line like "Listen xxx.xxx.xxx.xxx:90" to httpd.conf to bind the Apache server to the address and port you've chosen;
  7. on each workstation you want on your private net, plumb a second logical device and use ifconfig to set its IP address:
    ifconfig hme0:1 plumb
    ifconfig hme0:1 inet xxx.xxx.xxx.xxx netmask 255.255.255.xxx up
  8. consider adding a start/stop script for this in rc2.d.

And you're done. You now have an almost invisible project network that's very hard for outsiders to find their way into - and easy for you to manage simply by controlling the "allow from" list in httpd.conf.
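
Steps 3 to 6 as a single httpd.conf fragment, added here as an illustration and not taken from the original article. The 192.0.2.x addresses, the server name and the document root are constructed placeholders; the access rules sit inside a <Directory> block because Apache accepts them only in directory context, and the IfModule pair picks the 2.0/2.2 or the 2.4 syntax.

```apache
# Constructed addresses from the 192.0.2.0/24 documentation range stand in
# for the "second" static IPs reserved by the network manager:
#   192.0.2.10      second address of the host machine
#   192.0.2.11-13   second addresses of the team workstations

# Step 6: bind to the second address and the chosen port only.
Listen 192.0.2.10:90

# Step 3: virtual host tied to that address and port.
<VirtualHost 192.0.2.10:90>
    # Hypothetical name and path; use your own.
    ServerName project.example.internal
    DocumentRoot "/usr/local/apache2/htdocs/project"

    # Step 4: deny everyone, then allow the listed second IPs.
    <Directory "/usr/local/apache2/htdocs/project">
        # Apache 2.0/2.2 (mod_authz_core is absent)
        <IfModule !mod_authz_core.c>
            Order deny,allow
            Deny from all
            Allow from 192.0.2.11 192.0.2.12 192.0.2.13
        </IfModule>

        # Apache 2.4 (mod_authz_core is present)
        <IfModule mod_authz_core.c>
            Require ip 192.0.2.11 192.0.2.12 192.0.2.13
        </IfModule>
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` before restarting to catch syntax errors. Port 90 is below 1024, so the server has to be started as root to bind to it.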