Apache htaccess - different htpasswd based on IP range

batfastad
Forum Contributor
Posts: 433
Joined: Tue Mar 30, 2004 4:24 am
Location: London, UK

Post by batfastad »

Hi guys

I've been experimenting with the Allow, Deny and Satisfy directives in the configuration of our test-bed Windows 2000 Apache server.

Is it possible to vary the htpasswd file that's used based on the user's IP address?
I'm developing an intranet database interface and I only want certain users to be able to access the resources from outside the office, so I'd like to try and have a different htpasswd file for users in the office, and external users.

Anyone know if this is possible?
I'm using Apache/2.2.2 and PHP/5.2.0-dev on Windows 2000.

The whole thing is encrypted using OpenSSL and a self-signed certificate.
And our entire network is behind an IPCop box (with high-priority traffic shaping on the intranet port to guarantee availability for external users), and our ADSL modem.
But in terms of security, is htaccess authentication on Windows Apache up to the task?
I assume that htaccess is pretty damn secure even on Windows, but I just want to make sure.


Thanks

Ben
jamiel
Forum Contributor
Posts: 276
Joined: Wed Feb 22, 2006 5:17 am
Location: London, United Kingdom

Post by jamiel »

Look at the Limit Override and Allow
jamiel
Forum Contributor
Posts: 276
Joined: Wed Feb 22, 2006 5:17 am
Location: London, United Kingdom

Post by jamiel »

To answer your question fully, I believe that IP restrictions on a user-by-user basis are outside the ability of HTTP Authentication.

Also, HTTP Authentication with an SSL certificate is in most cases sufficient; however, it is also an easy target for brute forcing.

batfastad
Forum Contributor
Posts: 433
Joined: Tue Mar 30, 2004 4:24 am
Location: London, UK

Post by batfastad »

Ok fair enough.

I just thought it might be possible to use a different htpasswd file depending on whether the user was 192.168.1. or if they were an external user.


In each of the scripts in the protected directory there's a config header PHP file that gets loaded at the top which detects whether the user has been granted the external access variable in the access rights array and just dies if there are any problems.

I was trying to make it so that the 5 users with external access are all in one htpasswd file - htpasswd-external
And all 12 users with internal access in htpasswd-internal
... obviously I'd have to have the external users all in htpasswd-internal as well

I tried to figure a combination of directives out from this
http://httpd.apache.org/docs/2.2/mod/mo ... _host.html
But couldn't really get anything working.

I am interested in your 2nd point - brute forcing.
This is one aspect I was worried about.
Obviously the downside of htaccess auth is that if incorrect, it's easy to repeat the command. Whereas with a full SQL and sessions auth system you can put flood controls on the logins.
Is there a way to prevent it?
A way to force a delay of 1 minute between logins by somehow affecting the user's environment variables?


Thanks for all your help

Ben
jamiel
Forum Contributor
Posts: 276
Joined: Wed Feb 22, 2006 5:17 am
Location: London, United Kingdom

Post by jamiel »

I am not aware of any configuration options in Apache or any modules which allow for the throttling of HTTP Authentication. Perhaps someone else could shed some light on methods to prevent brute-force HTTP Authentication attacks.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I would make virtualhosts, one per ip/htaccess pair...

And then add to each of the virtualhosts a limit directive that points to the right htaccess file...
batfastad
Forum Contributor
Posts: 433
Joined: Tue Mar 30, 2004 4:24 am
Location: London, UK

Post by batfastad »

Aha, so it is possible!

How do you do a virtualhost based on the visitor's IP address?

I'd need one that includes all 192.168.1. range addresses, and another virtualhost that catches everyone else.


Thanks

Ben
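
The virtual-host approach suggested above, as an added example that is not from any poster in this thread. Apache picks a VirtualHost by the local address and port a connection arrives on, not by the visitor's address, so the split here relies on an assumed setup in which the firewall forwards outside connections to a second port (8443). Hostnames, ports and file paths are placeholders; only the htpasswd-internal / htpasswd-external names and the 192.168.1 range come from the thread.

```apache
# Added example for Apache 2.2; hostnames, ports and paths are placeholders.
# Assumption: LAN clients connect to port 443 directly, and the firewall
# forwards connections from outside to port 8443 on this server.
Listen 443
Listen 8443

# Office users: must come from 192.168.1.x AND log in.
<VirtualHost *:443>
    ServerName intranet.example.local
    DocumentRoot "C:/www/intranet"
    SSLEngine on
    SSLCertificateFile    "C:/apache/conf/ssl/server.crt"
    SSLCertificateKeyFile "C:/apache/conf/ssl/server.key"

    <Directory "C:/www/intranet">
        Order deny,allow
        Deny from all
        Allow from 192.168.1
        AuthType Basic
        AuthName "Intranet"
        AuthUserFile "C:/apache/conf/htpasswd-internal"
        Require valid-user
        # Require both the address check and a valid password.
        Satisfy All
    </Directory>
</VirtualHost>

# Outside users: only reachable through the forwarded port, and only the
# accounts listed in htpasswd-external can log in here.
<VirtualHost *:8443>
    ServerName intranet.example.local
    DocumentRoot "C:/www/intranet"
    SSLEngine on
    SSLCertificateFile    "C:/apache/conf/ssl/server.crt"
    SSLCertificateKeyFile "C:/apache/conf/ssl/server.key"

    <Directory "C:/www/intranet">
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthName "Intranet (external)"
        AuthUserFile "C:/apache/conf/htpasswd-external"
        Require valid-user
    </Directory>
</VirtualHost>
```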