Apache htaccess - different htpasswd based on IP range

Posted: Tue Aug 22, 2006 5:17 am
by batfastad
Hi guys

I've been experimenting with the Allow, Deny and Satisfy directives in the configuration of our test-bed Windows 2000 Apache server.

Is it possible to vary the htpasswd file that's used based on the user's IP address?
I'm developing an intranet database interface and I only want certain users to be able to access the resources from outside the office, so I'd like to try and have a different htpasswd file for users in the office and for external users.

Anyone know if this is possible?
I'm using Apache/2.2.2 and PHP/5.2.0-dev on Windows 2000.

The whole thing is encrypted using OpenSSL and a self-signed certificate.
And our entire network is behind an IPCop box (with high-priority traffic shaping on the intranet port to guarantee availability for external users) and our ADSL modem.
But in terms of security, is htaccess authentication on Windows Apache up to the task?
I assume that htaccess is pretty damn secure even on Windows, but I just want to make sure.


Thanks

Ben

Posted: Tue Aug 22, 2006 5:28 am
by jamiel
Look at the Limit, Override and Allow directives.

Posted: Tue Aug 22, 2006 5:53 am
by jamiel
To answer your question fully, I believe that IP restrictions on a user-per-user basis are beyond the ability of HTTP Authentication.

Also, HTTP Authentication with an SSL certificate is in most cases sufficient; however, it is also an easy target for brute forcing.

Posted: Tue Aug 22, 2006 5:41 pm
by batfastad
Ok fair enough.

I just thought it might be possible to use a different htpasswd file depending on whether the user was 192.168.1. or if they were an external user.


In each of the scripts in the protected directory there's a config header PHP file that gets loaded at the top. It detects whether the user has been granted the external access variable in the access rights array and just dies if there's any problem.

I was trying to make it so that the 5 users with external access are all in one htpasswd file (htpasswd-external), and all 12 users with internal access are in htpasswd-internal.
... obviously I'd have to have the external users all in htpasswd-internal as well.

I tried to figure a combination of directives out from this
http://httpd.apache.org/docs/2.2/mod/mo ... _host.html
But couldn't really get anything working.

I am interested in your 2nd point - brute forcing.
This is one aspect I was worried about.
Obviously the downside of htaccess auth is that if the credentials are incorrect, it's easy to repeat the request, whereas with a full SQL and sessions auth system you can put flood controls on the logins.
Is there a way to prevent it?
A way to force a delay of 1 minute between logins by somehow affecting the user's environment variables?


Thanks for all your help

Ben

Posted: Wed Aug 23, 2006 3:51 am
by jamiel
I am not aware of any configuration options in Apache or any modules which allow for the throttling of HTTP Authentication. Perhaps someone else could shed some light on methods to prevent brute-force HTTP Authentication attacks.

Posted: Wed Aug 23, 2006 10:22 am
by timvw
I would make virtualhosts, one per ip/htaccess pair...

And then add to each of the virtualhosts a limit directive that points to the right htaccess file...
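
One way to get the "one htpasswd file per IP range" effect that timvw describes, written as an added example for Apache 2.2 (this is not configuration from the thread or from any of the posters): two URL prefixes are aliased onto the same intranet directory, the office prefix is restricted to 192.168.1.0/24 and authenticates against htpasswd-internal, and the remote prefix accepts any source address but only knows the accounts in htpasswd-external. The file paths, ServerName and certificate names are assumptions.

```apache
# Added example, not from the thread. Assumed paths for a Windows Apache 2.2 install.
<VirtualHost *:443>
    ServerName intranet.example.internal
    SSLEngine on
    SSLCertificateFile    "C:/Apache2/conf/server.crt"
    SSLCertificateKeyFile "C:/Apache2/conf/server.key"

    # Both prefixes serve the same PHP scripts from one directory.
    Alias /intranet          "C:/Apache2/htdocs/intranet"
    Alias /intranet-external "C:/Apache2/htdocs/intranet"

    # Office users: must come from 192.168.1.x AND log in against
    # htpasswd-internal (12 accounts). Satisfy All requires both.
    <Location /intranet>
        Order Deny,Allow
        Deny from all
        Allow from 192.168.1.0/24
        AuthType Basic
        AuthName "Intranet (office)"
        AuthUserFile "C:/Apache2/conf/htpasswd-internal"
        Require valid-user
        Satisfy All
    </Location>

    # Remote users: any source address, but only the 5 accounts in
    # htpasswd-external exist here, so guessing from outside can only
    # ever hit those 5 and never the full internal list.
    <Location /intranet-external>
        Order Allow,Deny
        Allow from all
        AuthType Basic
        AuthName "Intranet (remote access)"
        AuthUserFile "C:/Apache2/conf/htpasswd-external"
        Require valid-user
    </Location>

    # Convenience: a non-office address that bookmarks /intranet would
    # otherwise get 403; send it to the remote prefix instead.
    RewriteEngine on
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
    RewriteRule ^/intranet(/.*)?$ /intranet-external$1 [R,L]
</VirtualHost>
```

Neither block slows down repeated failed logins; what the split buys is that the 401 attempts arriving from outside are confined to the five external accounts, and they show up as 401 entries in the access log where they can be watched.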

Posted: Wed Aug 23, 2006 11:30 am
by batfastad
Aha, so it is possible!

How do you do a virtualhost based on the visitors IP address?

I'd need one that includes all 192.168.1. range addresses, and another virtualhost that catches everyone else


Thanks

Ben