diff --git a/webeos-intranet-test-allow/.htaccess b/webeos-intranet-test-allow/.htaccess
deleted file mode 100644
index 4b4945436c092e10f203c7325d6929b42d465730..0000000000000000000000000000000000000000
--- a/webeos-intranet-test-allow/.htaccess
+++ /dev/null
@@ -1 +0,0 @@
-Allow from .cern.ch
\ No newline at end of file
diff --git a/webeos-intranet-test-deny/.htaccess b/webeos-intranet-test-deny/.htaccess
deleted file mode 100644
index 5f67f9873bc4a15b8c8470d1f7fda571c298ed60..0000000000000000000000000000000000000000
--- a/webeos-intranet-test-deny/.htaccess
+++ /dev/null
@@ -1 +0,0 @@
-Deny from .cern.ch
\ No newline at end of file
diff --git a/webeos-intranet-test/README.md b/webeos-intranet-test/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..fd5c324a00ea3a5edbc9180218446f35d567c3a8
--- /dev/null
+++ b/webeos-intranet-test/README.md
@@ -0,0 +1 @@
+This site is used to test `allow from .cern.ch` (subfolder `allow`) and `deny from .cern.ch` (subfodler `deny`) directives.
diff --git a/webeos-intranet-test/allow/.htaccess b/webeos-intranet-test/allow/.htaccess
new file mode 100644
index 0000000000000000000000000000000000000000..44514a22027829e3475d6cf68e1e38d134bb836a
--- /dev/null
+++ b/webeos-intranet-test/allow/.htaccess
@@ -0,0 +1,10 @@
+# as per https://espace.cern.ch/webservices-help/websitemanagement/ConfiguringAFSSites/Pages/AccesscontrolonAFSsites.aspx
+# However in the new infra, we cannot use a domain like `cern.ch`: Apache 2.4 does not perform DNS lookups for the client IP address
+# set by mod_remoteip from the X-Forwarded-For header. It only takes the "real" client IP, which is always the Openshift HAProxy routers.
+# We can only use IP-based host authorization.
+
+order deny,allow
+deny from all
+#allow from .cern.ch
+# The list of all CERN networks. See https://landb.cern.ch/landb/portal/cernNetwork
+allow from 2001:1458::/32 2001:1459::/32 FD01:1458::/32 FD01:1459::/32 10.0.0.0/8 100.64.0.0/10 128.141.0.0/16 128.142.0.0/16 137.138.0.0/16 172.16.0.0/12 188.184.0.0/15 192.16.155.0/24 192.16.165.0/24 192.91.242.0/24 192.168.0.0/16 194.12.128.0/18
diff --git a/webeos-intranet-test-allow/index.html b/webeos-intranet-test/allow/index.html
similarity index 100%
rename from webeos-intranet-test-allow/index.html
rename to webeos-intranet-test/allow/index.html
diff --git a/webeos-intranet-test/deny/.htaccess b/webeos-intranet-test/deny/.htaccess
new file mode 100644
index 0000000000000000000000000000000000000000..ba7e1d0c280a8205d09aaf48167b4a5747fc8c4f
--- /dev/null
+++ b/webeos-intranet-test/deny/.htaccess
@@ -0,0 +1,6 @@
+# as per https://espace.cern.ch/webservices-help/websitemanagement/ConfiguringAFSSites/Pages/AccesscontrolonAFSsites.aspx
+# Using well-known dns.google IP 8.8.8.8 - requests from any host inside CERN should be denied
+
+order deny,allow
+deny from all
+allow from 8.8.8.8
diff --git a/webeos-intranet-test-deny/index.html b/webeos-intranet-test/deny/index.html
similarity index 100%
rename from webeos-intranet-test-deny/index.html
rename to webeos-intranet-test/deny/index.html
diff --git a/webeos-intranet-test/index.html b/webeos-intranet-test/index.html
new file mode 100644
index 0000000000000000000000000000000000000000..6b584e8ece562ebffc15d38808cd6b98fc3d97ea
--- /dev/null
+++ b/webeos-intranet-test/index.html
@@ -0,0 +1 @@
+content
\ No newline at end of file