This is typically done in a location or directory tag like so:
<location /secure_content/>
Order Deny,Allow
Deny from all
Allow from .intranet.mycompany.com
</location>
This effectively denies access to everyone, and only opens it up to computers on your companies intranet domain. One major problem with Oracle's out of the box configuration is that Apache sit's behind webcache and all requests are funneled through WebCache first. If you look at the Apache access logs, the IP address is the same for everyone. This becomes a problem if you want to secure something to only allow local (on that server) access, and deny anyone else from accessing it (as is the case with many web services). Because each request to apache is indistinguishable, there is no way to secure it by default.
However, after digging around metalink for a while, I found a very useful and undocumented Apache directive that addresses this issue (I couldnt find it anywhere atleast).
In order to have apache process the actual client IP address, instead of the webcahce IP address, set this directive in httpd.conf:
UseWebCacheIp On
The values here are somewhat counter-intuitive. One would think ON means use the Webcache IP address, and off means use the clients IP. But its the opposite actually.
Set to ON, Apache uses the IP address supplied to Webcache (ie, the client IP). Set to OFF, and apache uses the IP address that it was supplied with (which is always webcache's IP address). So with this set to ON, apache will always see the actual client IP address and should be able to process those allow/deny statements properly.
You will also see valid values in the apache access logs now too. Although, another word of caution about that. If you are looking to mine data from the access logs, use the Webcache logs, as a properly functioning webcache will prevent many requests from ever hitting Apache.
