
password protection depending on client IP

free access from the intranet

     

Oliver Henniges

1:46 pm on Dec 7, 2010 (gmt 0)




My warehouse management is running on a self-made XAMP framework in my intranet.

I'd like to get access from outside as well by forwarding my router's port 80 to the main-server, but of course this is a serious security-hole.

Are there any easy means to configure my apache server in such a way that any request from outside the 192.168.xxx.xxx IP range will only be served after a login procedure, whereas my employees will get access without it?

coopster

2:06 pm on Dec 7, 2010 (gmt 0)




Have you considered a router with a VPN tunnel instead? They are quite inexpensive and by far a much better solution.

jdMorgan

2:44 pm on Dec 7, 2010 (gmt 0)




If the better VPN router solution isn't feasible, see mod_access "Order Deny, Allow" and "Allow from <IP address range>", and the Apache core "Require" and "Satisfy Any" directives. Using these four pieces, it is possible to construct a situation where users from particular IP address ranges are allowed to access the site directly, while users outside those ranges must use HTTP Authentication/Authorization to log in.

There is a decent "app note" on authentication and authorization on the apache.org Web site.

Jim

Oliver Henniges

11:37 am on Dec 8, 2010 (gmt 0)




Thx for your help guys, very much appreciated.

Minutes after sending my post I found a relatively deep explanation under httpd.apache.org/docs/1.3/howto/auth.html

However, I did not really succeed, yet.

I think I successfully created a user file with htdigest.
Access is also blocked from outside, whereas intranet works fine.

But if I try to add lines allowing a password-protected request from external IPs, something goes wrong.
This is my syntax for the <Directory> options, which does not work (the apache server refuses to start at all):

<Directory "C:/pathto/htdocs">
AuthType Digest
AuthName "myrealm"
AuthDigestFile /bin/digest
Require user root
Order deny,allow
Deny from all
Allow from 192.168
</Directory>

What's wrong with this?

@coopster: I will think about the VPN-tunnel-idea but for the time being I'd just like to refine my understanding of the way apache works.

jdMorgan

1:51 pm on Dec 8, 2010 (gmt 0)




You missed the "Satisfy" directive that I cited above. It's the key to allowing the IP address range to override the login requirement...

See the "Satisfy" directive in Apache core docs.

Jim
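
The four-directive combination described in the thread, written out as an added example (not code posted by any participant). Assumptions: mod_auth_digest is loaded, and the digest file path is a placeholder for a file created with htdigest for the realm "myrealm".

```apache
# Apache 1.3/2.0-style directives, matching the ones used in the thread.
# On Apache 2.2 the digest file is named with AuthUserFile instead of
# AuthDigestFile; the access-control lines are unchanged.
<Directory "C:/pathto/htdocs">
    # Host-based rule: only the intranet range passes the IP check.
    Order deny,allow
    Deny from all
    Allow from 192.168

    # User-based rule: HTTP Digest login for the user "root".
    AuthType Digest
    AuthName "myrealm"
    AuthDigestFile "C:/path/to/digest-file"   # placeholder path (assumption)
    Require user root

    # Default is "Satisfy All": a client must pass BOTH rules above.
    # "Satisfy Any" accepts a client that passes EITHER rule, so intranet
    # clients get in without a prompt and all other clients must log in.
    Satisfy Any
</Directory>

# Apache 2.4 equivalent (mod_authz_core), where Order/Allow/Deny/Satisfy
# are replaced by Require containers:
#
# <Directory "C:/pathto/htdocs">
#     AuthType Digest
#     AuthName "myrealm"
#     AuthUserFile "C:/path/to/digest-file"
#     <RequireAny>
#         Require ip 192.168
#         Require user root
#     </RequireAny>
# </Directory>
```

The IP exemption trusts the source address Apache sees, so check the access log to confirm that requests forwarded by the router still show their external address rather than the router's own 192.168 address. Run `httpd -t` (or `apachectl configtest`) after editing to get the exact line and directive if the server refuses to start.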