Solved

Domain or Password access

Posted on 1998-10-26
Last Modified: 2013-12-25
What would I need to do to set up a page that can be accessed by anyone from a certain set of IP addresses without a password but if coming from an IP outside of this group would require a password to be entered? I am giving 100 points for this because I need a detailed answer, I have not done any CGI programming, but do have a programming background in C, Pascal, and Cobol, have also done some basic HTML coding just to give ya an idea of how detailed ya have to be.
Question by:chrissimpson
15 Comments
 
LVL 2

Expert Comment

by:WileyKat
ID: 1829279
A CGI for this would have to:

Check the environment variable REMOTE_ADDR (getenv("REMOTE_ADDR"); in C, $ENV{'REMOTE_ADDR'} in Perl).
See if that IP is in its approved list.
If so, just directly output the page needed.
If not, ask for password and verify it.

More detailed:

The environment variable REMOTE_ADDR holds the IP of the browser accessing the CGI.
Checking if the IP is in the approved list requires having the list in a file, reading the file, and checking the IP against all the entries in the file.
Asking for the password involves outputting a forms HTML page with a submit button that leads back to the CGI, which then verifies the password.

I can write this script for you if you want, or just give you a more code-like explanation. Let me know.
0
 

Author Comment

by:chrissimpson
ID: 1829280
If ya could write the script it would be appreciated, I will add points if you do.
0
 

Author Comment

by:chrissimpson
ID: 1829281
If ya could write the script it would be appreciated, I will add points if you do.
0
 
LVL 2

Expert Comment

by:WileyKat
ID: 1829282
I'll get it to you ASAP.
0
 
LVL 11

Expert Comment

by:mouatts
ID: 1829283
The proper way of restricting access to certain IP addresses is via the server. All servers have configuration items that allow you to do this.

This is a much safer way of doing things as if you are running a CGI then people have already accessed your site and not just your server.

In addition some servers cannot have a CGI as the default page and therefore you need to direct them on to the CGI with an HTML page. In addition your site is still not safe as any other pages or CGIs will still be accessible unless you undertake a further check. (i.e. no HTML pages at all)

Let me know which server you are using and I may be able to help further.

Steve
0
 

Author Comment

by:chrissimpson
ID: 1829284
The server is running Linux RH5.0, I don't want to restrict any IP address, but if it is certain ones I want them to be granted access without having to enter a password. If outside this group of allowed IPs I want it to prompt the user with a request for a password. This will not be my home page, but a page linked to by the home page.
0
 
LVL 2

Expert Comment

by:WileyKat
ID: 1829285
Steve: read the question more carefully. He does not want to restrict certain IPs, he wants to allow certain IPs. Furthermore, he does not want to completely deny all but the allowed IPs, just require a password from them. I know of no server that does this automatically, and a CGI makes modifying the allowed IP list much simpler.
0
 
LVL 11

Expert Comment

by:mouatts
ID: 1829286
A combination of IP/Domain based security and Basic/Digest security may work depending on the Web Server.

With the Oracle Web Server one would set up those that are not required to have a password as permissible IP addresses with an entry like 195.10.* (i.e. all those with subnet of 195.10 allowed) and then set up usernames and passwords for those who must log in. Then within the protection setting you would specify that you want to use ip OR basic security.

This way the user is only prompted if they are not from the correct IP address. I haven't looked but I think Netscape and Apache work the same way. IIS 3 doesn't and I'm not sure about IIS 4.

As no programming is required I would suggest that this is the simplest approach!


0
 
LVL 2

Expert Comment

by:WileyKat
ID: 1829287
Again, I state that using a CGI makes it simpler to modify the allowed IPs list. And who said that chrissimpson has access to the settings of the server he is running on? Without that access, the entire point is moot and a CGI is the only way.
0
 

Author Comment

by:chrissimpson
ID: 1829288
I do have admin access to the server, WileyKat, I still want to know how to do this with a CGI script but would also like to know how to do this the way mouatts described, i.e. restrict IPs at server level but allow them if they can log in. I am using RH Linux v.5.0 and Apache web server, not sure which version but if it is important I can check it out. What are they logging into in this case, the server itself? or is there a way to put a password on the Apache Web server? I guess I am a little confused. Mouatts if you can or I guess anyone else who could leave a comment stating it and I will post the question for points.
0
 
LVL 2

Expert Comment

by:WileyKat
ID: 1829289
I'll post the CGI script as an answer to this question sometime this week and you can ask the server stuff as another question. That way we all learn both methods :-)
0
 
LVL 11

Expert Comment

by:mouatts
ID: 1829290
I'm no expert when it comes to configuring Apache but looking through the manual that I have does seem to imply that both basic and digest security is supported.

Essentially you need to set up a .htaccess file for each directory that you want to protect.

This file will need to contain something along the following lines:

AuthType Digest
AuthName somedomain
AuthUserFile /web/users_ips
AuthGroupFile /web/groups
AuthType Basic
AuthName somedomain
AuthUserFile /web/users_pw
AuthGroupFile /web/groups

somedomain is just the realm name so that when a password pops up it will say 'enter username password for _somedomain_'

users_ips is a file that contains the valid IP addresses and users_pw contains the usernames/passwords for the other users.

I suggest that you check out the manual on these directives for fuller information.

Steve
0
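The "ip OR basic" rule described in the two posts above, written with Apache's host-access and Basic-auth directives (an added example, not part of either post). The 195.10 network, the somedomain realm and the /web/users_pw path are reused from those posts as sample values; users_pw is assumed to be a password file created with htpasswd.

```apache
# .htaccess for the directory to protect (constructed example).
# The main server config must permit these directives here, e.g.
# "AllowOverride AuthConfig Limit" for this directory.

# --- Apache 1.3 / 2.0 / 2.2 syntax ---

# Host-based rule: only the trusted network passes this check.
Order deny,allow
Deny from all
Allow from 195.10

# User-based rule: everyone else must present a valid login.
# Create the file with:  htpasswd -c /web/users_pw <username>
# and keep it outside the document root so it cannot be downloaded.
AuthType Basic
AuthName "somedomain"
AuthUserFile /web/users_pw
Require valid-user

# Grant access when EITHER rule is met. The default, "Satisfy All",
# would demand a trusted address AND a password.
Satisfy Any

# --- Apache 2.4 equivalent (use instead of everything above) ---
# AuthType Basic
# AuthName "somedomain"
# AuthUserFile /web/users_pw
# <RequireAny>
#     Require ip 195.10
#     Require valid-user
# </RequireAny>
```

Because the server applies this to every request for the directory, the page stays protected when it is fetched directly by URL rather than through a link. Basic authentication sends the password unencrypted, so serve the directory over HTTPS if logins cross an untrusted network.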
 
LVL 2

Accepted Solution

by:
WileyKat earned 100 total points
ID: 1829291
Well, here's the script:

#!/usr/bin/perl

$grantedpage = "http://www.apple.com/ops.html";      # change this to the access granted page
$pwdchkpage = "http://www.apple.com/login.html";     # change this to the pwdchk page
$deniedpage = "http://www.apple.com/noaccess.html";  # change this to the access denied page
$approvedlistfile = "/path/to/approved_ips";         # placeholder: file with one approved IP per line
$pwdfile = "/path/to/passwords";                     # placeholder: file with one login:::password per line

# Parse the form/query data, then strip any SSI-style comments from it.
%udata = &User_Data;
&No_SSI(*udata);

if ($udata{'action'} eq "openpage") {
      # First visit: let approved IPs straight through, ask everyone else to log in.
      $approved = &Check_IP;
      if ($approved == 1) {
            &Output_Redirect;
      } else {
            &Output_Password_Check;
      }
} elsif ($udata{'action'} eq "verpwd") {
      # Login form submitted: verify the login/password pair.
      $approved = &Check_Pwd;
      if ($approved == 1) {
            &Output_Redirect;
      } else {
            &Output_Denied;
      }
}

# Read the request parameters (POST body or query string) into a hash.
sub User_Data {
      local (%udata, $ustring, $nvp, @nvps, $name, $value);
      
      if($ENV{'REQUEST_METHOD'} eq "POST") {
            read(STDIN, $ustring, $ENV{'CONTENT_LENGTH'});
      } else {
            $ustring = $ENV{'QUERY_STRING'};
      }
      
      $ustring =~ s/\+/ /g;
      @nvps = split(/&/, $ustring);
      foreach $nvp (@nvps) {
            ($name, $value) = split(/=/, $nvp, 2);
            # Decode %XX escapes in both the name and the value.
            $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/ge;
            $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/ge;
            if (defined($udata{$name})) {
                  $udata{$name} .= " : " . $value;
            } else {
                  $udata{$name} = $value;
            }
      }
      return %udata;
}

# Remove HTML/SSI comments from every value of the hash passed in by glob.
sub No_SSI {
      local (*data) = @_;
      
      foreach $key (sort keys(%data)) {
            $data{$key} =~ s/<!--(.|\n)*-->//g;
      }
}

# CGI scripts signal a redirect with a Status header followed by Location.
sub Output_Redirect {
      print "Status: 302 Found\n";
      print "Location: " . $grantedpage . "\n\n";
}

sub Output_Password_Check {
      print "Status: 302 Found\n";
      print "Location: " . $pwdchkpage . "\n\n";
}

# Return 1 if REMOTE_ADDR exactly matches a line of the approved list, else 0.
sub Check_IP {
      open(APPLIST, "<" . $approvedlistfile) || return 0;   # unreadable list: treat as not approved
      @appips = <APPLIST>;
      close(APPLIST);
      chomp(@appips);                                       # drop newlines so eq can match
      $approved = 0;
      foreach $ip (@appips) {
            if ($ENV{'REMOTE_ADDR'} eq $ip) {
                  $approved = 1;
                  last;
            }
      }
      return $approved;
}

# Return 1 if the submitted login/pwd pair matches an entry in the password file, else 0.
sub Check_Pwd {
      open(PWDS, "<" . $pwdfile) || return 0;               # unreadable file: deny
      @pwds = <PWDS>;
      close(PWDS);
      chomp(@pwds);                                         # drop newlines so passwords can match
      foreach $lp (@pwds) {
            ($login, $pwd) = split(/:::/, $lp);
            $lps{$login} = $pwd;                  # Crypting code for the passwords could go here.
      }
      if (!defined($lps{$udata{'login'}})) {
            $approved = 0;
      } else {
            if ($udata{'pwd'} ne $lps{$udata{'login'}}) { # another good place for crypting
                  $approved = 0;
            } else {
                  $approved = 1;
            }
      }
      return $approved;
}

sub Output_Denied {
      print "Status: 302 Found\n";
      print "Location: " . $deniedpage . "\n\n";
}

and that's the whole thing. Catch ya later!
0
 

Author Comment

by:chrissimpson
ID: 1829292
Thanks WileyKat, appreciate the time you put in. Chris
0
 
LVL 2

Expert Comment

by:WileyKat
ID: 1829293
No problem, and you're welcome.
0
