Solved

Domain or Password access

Posted on 1998-10-26
Last Modified: 2013-12-25
What would I need to do to set up a page that can be accessed by anyone from a certain set of IP addresses without a password, but if coming from an IP outside of this group would require a password to be entered? I am giving 100 points for this because I need a detailed answer. I have not done any CGI programming, but do have a programming background in C, Pascal, and Cobol, and have also done some basic HTML coding, just to give ya an idea of how detailed ya have to be.
0
Comment
Question by:chrissimpson
 
LVL 2

Expert Comment

by:WileyKat
ID: 1829279
A CGI for this would have to:

Check the environment variable REMOTE_ADDR (getenv("REMOTE_ADDR"); in C, $ENV{'REMOTE_ADDR'} in Perl).
See if that IP is in its approved list.
If so, just directly output the page needed.
If not, ask for password and verify it.

More detailed:

The environment variable REMOTE_ADDR holds the IP of the browser accessing the CGI.
Checking if the IP is in the approved list requires having the list in a file, reading the file, and checking the IP against all the entries in the file.
Asking for the password involves outputting a forms HTML page with a submit button that leads back to the CGI, which then verifies the password.

I can write this script for you if you want, or just give you a more code-like explanation. Let me know.
0
 

Author Comment

by:chrissimpson
ID: 1829280
If ya could write the script it would be appreciated, I will add points if you do.
0
 

 
LVL 2

Expert Comment

by:WileyKat
ID: 1829282
I'll get it to you ASAP.
0
 
LVL 11

Expert Comment

by:mouatts
ID: 1829283
The proper way of restricting access to certain IP addresses is via the server. All servers have configuration items that allow you to do this.

This is a much safer way of doing things as if you are running a CGI then people have already accessed your site and not just your server.

In addition some servers cannot have a CGI as the default page and therefore you need to direct them on the CGI with an HTML page. In addition your site is still not safe as any other pages or CGIs will still be accessible unless you undertake a further check. (IE no HTML pages at all)

Let me know which server you are using and I may be able to help further.

Steve
0
 

Author Comment

by:chrissimpson
ID: 1829284
The server is running Linux RH5.0. I don't want to restrict any IP address, but if it is certain ones I want them to be granted access without having to enter a password. If outside this group of allowed IPs I want it to prompt the user with a request for a password. This will not be my home page, but a page linked to by the home page.
0
 
LVL 2

Expert Comment

by:WileyKat
ID: 1829285
Steve: read the question more carefully. He does not want to restrict certain IPs, he wants to allow certain IPs. Furthermore, he does not want to completely deny all but the allowed IPs, just require a password from them. I know of no server that does this automatically, and a CGI makes modifying the allowed IP list much simpler.
0

 
LVL 11

Expert Comment

by:mouatts
ID: 1829286
A combination of IP/Domain based security and Basic/Digest security may work depending on the Web Server.

With the Oracle Web Server one would set up those that are not required to have a password as permissible IP addresses with an entry like 195.10.* (ie all those with subnet of 195.10 allowed) and then set up username and passwords for those who must log in. Then within the protection setting you would specify that you want to use ip OR basic security.

This way the user is only prompted if they are not from the correct IP address. I haven't looked but I think Netscape and Apache work the same way. IIS 3 doesn't and I'm not sure about IIS 4.

As no programming is required I would suggest that this is the simplest approach!


0
 
LVL 2

Expert Comment

by:WileyKat
ID: 1829287
Again, I state that using a CGI makes it simpler to modify the allowed IPs list. And who said that chrissimpson has access to the settings of the server he is running on? Without that access, the entire point is moot and a CGI is the only way.
0
 

Author Comment

by:chrissimpson
ID: 1829288
I do have admin access to the server, WileyKat, I still want to know how to do this with a CGI script but would also like to know how to do this the way mouatts described, ie. restrict ips at server level but allow them if they can log in. I am using RH Linux v.5.0 and apache web server, not sure which version but if it is important I can check it out. What are they logging into in this case, the server itself? or is there a way to put a password on the Apache Web server? I guess I am a little confused. Mouatts if you can or I guess anyone else who could leave a comment stating it and I will post the question for points.
0
 
LVL 2

Expert Comment

by:WileyKat
ID: 1829289
I'll post the CGI script as an answer to this question sometime this week and you can ask the server stuff as another question. That way we all learn both methods :-)
0
 
LVL 11

Expert Comment

by:mouatts
ID: 1829290
I'm no expert when it comes to configuring Apache, but looking through the manual that I have, it does seem to imply that both basic and digest security are supported.

Essentially you need to set up a .htaccess file for each directory that you want to protect.

This file will need to contain something along the following lines:

AuthType Digest
AuthName somedomain
AuthUserFile /web/users_ips
AuthGroupFile /web/groups
AuthType Basic
AuthName somedomain
AuthUserFile /web/users_pw
AuthGroupFile /web/groups

somedomain is just the realm name, so that when a password pops up it will say 'enter username password for _somedomain_'.

users_ips is a file that contains the valid IP addresses and users_pw contains the usernames/passwords for the other users.

I suggest that you check out the manual on these directives for fuller information.

Steve
0
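
The server-level setup discussed in this thread, as an added example that is not part of any participant's post: Apache's `Satisfy any` directive grants access when either the host-based rule or the password check passes. The prefix 195.10, the realm name and the path /web/users_pw are reused from the comments above as sample values.

```apache
# .htaccess for the protected directory (Apache 1.2 through 2.2).
# The main server config must permit it: AllowOverride AuthConfig Limit

# Password check for visitors outside the trusted range
AuthType Basic
AuthName "somedomain"
# Created with: htpasswd -c /web/users_pw <username>
# Keep this file outside the document root so it cannot be downloaded.
AuthUserFile /web/users_pw
Require valid-user

# Host-based rule: only the trusted range passes (sample prefix)
Order deny,allow
Deny from all
Allow from 195.10

# Either check is enough: trusted IPs get in without a prompt,
# everyone else is asked for a username and password.
Satisfy any

# Apache 2.4 equivalent (replaces the Require, Order, Deny, Allow
# and Satisfy lines above):
# <RequireAny>
#     Require ip 195.10
#     Require valid-user
# </RequireAny>
```

Because the server applies these rules to every request for the directory, a direct request for a file inside it is checked as well. Basic authentication sends the password in easily decoded form, so it belongs behind TLS.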
 
LVL 2

Accepted Solution

by:
WileyKat earned 100 total points
ID: 1829291
Well, here's the script:

$grantedpage = "http://www.apple.com/ops.html";      # change this to the access granted page
$pwdchkpage = "http://www.apple.com/login.html"; # change this to the pwdchk page
$deniedpage = "http://www.apple.com/noaccess.html"; # change this to the access denied page
$approvedlistfile = "/path/to/approved_ips.txt"; # placeholder path: change this to the approved IP list (one IP per line)
$pwdfile = "/path/to/passwords.txt"; # placeholder path: change this to the password file (one login:::password per line)

%udata = &User_Data;
&No_SSI(*udata);      # strip SSI-style comments from the submitted values

if ($udata{'action'} eq "openpage") {
      $approved = &Check_IP;
      if ($approved == 1) {
            &Output_Redirect;
      } else {
            &Output_Password_Check;
      }
} elsif ($udata{'action'} eq "verpwd") {
      $approved = &Check_Pwd;
      if ($approved == 1) {
            &Output_Redirect;
      } else {
            &Output_Denied;
      }
}

sub User_Data {
      local (%udata, $ustring, $nvp, @nvps, $name, $value);
      
      if($ENV{'REQUEST_METHOD'} eq "POST") {
            read(STDIN, $ustring, $ENV{'CONTENT_LENGTH'});
      } else {
            $ustring = $ENV{'QUERY_STRING'};
      }
      
      $ustring =~ s/\+/ /g;
      @nvps = split(/&/, $ustring);
      foreach $nvp (@nvps) {
            ($name, $value) = split(/=/, $nvp);
            $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/ge;
            $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/ge;
            if (defined($udata{$name})) {
                  $udata{$name} .= " : " . $value;
            } else {
                  $udata{$name} = $value;
            }
      }
      return %udata;
}

sub No_SSI {
      local (*data) = @_;
      
      foreach $key (sort keys(%data)) {
            $data{$key} =~ s/<!--(.|\n)*-->//g;
      }
}

sub Output_Redirect {
      print "Status: 302 Found\n";      # CGI status header; the server builds the HTTP status line from it
      print "Location: " . $grantedpage . "\n\n";
}

sub Output_Password_Check {
      print "Status: 302 Found\n";
      print "Location: " . $pwdchkpage . "\n\n";
}

sub Check_IP {
      $approved = 0;
      open(APPLIST, "<" . $approvedlistfile) || return $approved;      # list not readable: nobody is pre-approved
      @appips = <APPLIST>;
      close(APPLIST);
      foreach $ip (@appips) {
            $ip =~ s/\s+$//;      # drop the line ending, otherwise the comparison never matches
            if ($ENV{'REMOTE_ADDR'} eq $ip) {
                  $approved = 1;
                  last;
            }
      }
      return $approved;
}

sub Check_Pwd {
      open(PWDS, "<" . $pwdfile) || return 0;      # password file not readable: deny
      @pwds = <PWDS>;
      close(PWDS);
      foreach $lp (@pwds) {
            $lp =~ s/\s+$//;      # drop the line ending so it does not become part of the password
            ($login, $pwd) = split(/:::/, $lp, 2);
            $lps{$login} = $pwd;                  # Crypting code for the passwords could go here.
      }
      # unknown login, or an entry with no password stored: deny
      if (!defined($lps{$udata{'login'}}) || $lps{$udata{'login'}} eq "") {
            $approved = 0;
      } else {
            if ($udata{'pwd'} ne $lps{$udata{'login'}}) { # another good place for crypting
                  $approved = 0;
            } else {
                  $approved = 1;
            }
      }
      return $approved;
}

sub Output_Denied {
      print "Status: 302 Found\n";
      print "Location: " . $deniedpage . "\n\n";
}

and that's the whole thing. Catch ya later!
0
 

Author Comment

by:chrissimpson
ID: 1829292
Thanks WileyKat, appreciate the time you put in. Chris
0
 
LVL 2

Expert Comment

by:WileyKat
ID: 1829293
No problem, and you're welcome.
0
