Can apache recognize referrer URLs?
Mac Elite
Join Date: Sep 2000
Status:
Offline
I currently have a web server that is sort of fake password protected. My university provides a way to authenticate against their LDAP server for pages hosted on their server only, but I need to protect pages on a different server. What I did is have the user log in using the school server and that loads a frameset off the school server (that document is protected) which loads the other web server's documents in a 100% frame (which is not protected). What I would like to do is have the apache server (apache on windows, don't ask) only allow access if the referrer URL is from the server itself or the school's web server. Is this possible? Thanks.
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status:
Offline
While possible, that's a fairly bad idea if you actually want the page to be secure. "REFERER" is sent by the user's browser, not by the web server itself; so a simple curl --referer http://securepage.princeton.edu http://yourpage.princeton.edu will defeat referer protection.
Another idea might be this:
Make a script that runs on both the Princeton page and your own page. Have that script combine a password that you invent with the system time, to make a password (changing every minute) that the Princeton page and your page both know, but no one else will know.
If the user authenticates, have the Princeton page pass that secret code to your page. If the passed-in code matches what the secret code should be for that minute, let the user in.
I don't know if you're using Perl or PHP or a CGI or what; here's a version just using a shell command:
Code:
echo "mypassword>`date -u +'%Y-%m-%d %A %H:%M %Z'`" | md5
Shouldn't you be a senior by now? Hope things are going well.
Mithras
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Status:
Offline
Check into the Apache Directory and Allow configuration directives. This allows access to the server to be restricted based on hostname, IP address, or environment variables.
You can do something like this:
Code:
<Directory "/">
Order Allow,Deny
Deny from all
Allow from princeton.edu
Allow from 10.0.0.1
</Directory>
Mac Elite
Join Date: Sep 2000
Status:
Offline
Yeah, I know it wouldn't be secure. But we made a decision that it wasn't worth investing the resources into making the site password protected because nobody is really going to try that hard to get in. The one thing that I want to avoid is for people to realize the actual URLs of the files on the server by looking in their browser history (which shows up easily in IE).
I don't have Perl, PHP, or anything like it on the Apache Windows server. When I get the time I will be moving it over to Linux, but I don't have the time right now. The PU web server doesn't give us any server-side scripting at all. There's campus CGI, which I don't know how to use though. Mithras, your idea seems way too complicated for what we need. And I'm a junior now.
I'm going to try that bandwidth stealing thing. The problem with the .htaccess files restricting by hostname is that I don't want to just limit people from a domain or IP address from accessing the site. I want people to be able to see the site from anywhere in the world, from any computer, so that really won't help. That's why I want to base it all on the referrer URL.
Mac Elite
Join Date: May 2001
Status:
Offline
That information can be found very easily on the web, and there's also a BIG folder with all the Apache documentation on your hard drive.
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Status:
Offline
Originally posted by waffffffle:
The problem with the .htaccess files restricting by hostname is that I don't want to just limit people from a domain or IP address from accessing the site. I want people to be able to see the site from anywhere in the world, from any computer, so that really won't help. That's why I want to base it all on the referrer URL.
"Referer" is an environment variable, so you can use that rather than IP or domain, if you wish.
Mac Elite
Join Date: Sep 2000
Status:
Offline
OK, well I can't seem to find anything about it online that works. Could you explain to me how I would do this?
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Status:
Offline
Originally posted by waffffffle:
I currently have a web server that is sort of fake password protected. My university provides a way to authenticate against their LDAP server for pages hosted on their server only, but I need to protect pages on a different server.
Do you have access to the LDAP server? If so, why not just authenticate them against that?
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Status:
Offline
Originally posted by waffffffle:
OK, well I can't seem to find anything about it online that works. Could you explain to me how I would do this?
If you follow the link I provided above (i.e. for Allow in the Apache docs), you'll find:
The third format of the arguments to the Allow directive allows access to the server to be controlled based on the existence of an environment variable. When Allow from env=env-variable is specified, then the request is allowed access if the environment variable env-variable exists. The server provides the ability to set environment variables in a flexible way based on characteristics of the client request using the directives provided by mod_setenvif. Therefore, this directive can be used to allow access based on such factors as the client's User-Agent (browser type), Referer, or other HTTP request header fields.
Example:
Code:
SetEnvIf User-Agent ^KnockKnock/2.0 let_me_in
<Directory /docroot>
Order Deny,Allow
Deny from all
Allow from env=let_me_in
</Directory>
In this case, browsers with a user-agent string beginning with KnockKnock/2.0 will be allowed access, and all others will be denied.
You should look at that page rather than this excerpt, however, as it contains links for additional info.
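The same mechanism keyed on the Referer header instead of User-Agent, as an added example that is neither from this thread nor from the Apache docs; the two hostnames are the placeholders Mithras used above and the Directory path is an assumed Windows location:

```apache
# Added example, not from the thread. Set a marker variable when the Referer
# header names the school's protected page or this server itself.
# Hostnames are placeholders; the Directory path is assumed for Apache on Windows.
SetEnvIf Referer "^https?://securepage\.princeton\.edu/" came_from_school
SetEnvIf Referer "^https?://yourpage\.princeton\.edu/"   came_from_self

<Directory "C:/Apache/htdocs/protected">
    # Apache 1.3 / 2.2 access control, the syntax used elsewhere in this thread
    Order Deny,Allow
    Deny from all
    Allow from env=came_from_school
    Allow from env=came_from_self

    # Apache 2.4 equivalent (mod_authz_core), replacing the three lines above:
    # Require env came_from_school came_from_self
</Directory>
```

The regexes are anchored at the start of the header so a Referer that merely contains the hostname somewhere in its path does not match, and browsers send no Referer at all for bookmarks or typed URLs, so those requests are denied too. As Mithras noted, the header is client-supplied, so this only hides the files from casual browsing rather than authenticating anyone.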
Fresh-Faced Recruit
Join Date: Jan 2003
Status:
Offline
If you have PHP on the school's server and want to make it really secure, you can send people to your site with a URL containing a secret key that they can only get there. A good way to create such a key is the md5 function in PHP.
For example (on university server):
Code:
<?php
// Derive a per-visitor key from the client's IP address and a shared secret.
$secret = md5($_SERVER["REMOTE_ADDR"] . "aSecretText");
// Hand the key to the home server as a query parameter in the frame URL.
echo "<frame src=\"http://yourcomp.athome.net/index.php?s=$secret\">";
?>
At home you could add the following to all your PHP files:
Code:
<?php
// Read the key passed in the URL (empty string if it is missing).
$secret = isset($_GET["s"]) ? $_GET["s"] : "";
// Recompute the key with the same shared secret and the visitor's IP;
// reject the request unless it matches.
if ($secret != md5($_SERVER["REMOTE_ADDR"] . "aSecretText")) {
echo "You aint going nowhere buddy";
exit();
}
?>
(the rest of your secret page)
<a href="page2.php?s=<?php echo $secret; ?>">Link to secret page 2</a>
(etc)
Of course you have to append the "?s=xxxxx" thing to all the links. A cookie would work as well. The key only works for their IP address so they cannot inadvertently give the link out to others.
You could also upload a PHP script to the university that does the LDAP query and echoes 1 or 0 depending on the result. You could call this script at home with file("http://youruni/~you/ldapcheck.php?user=j3434&passwd=3434"), plus in that way you will get all their passwords.
If you don't have PHP there, then I just wrote this for nothing, but I am procrastinating.... Apologies for typos, etc, etc.
glas
(
Last edited by glasn0st; Mar 30, 2003 at 07:16 PM.
)