So, here's my scenario:
I have a site where I can stream a live video feed from. The site is hosted using Apache, PHP, and MySQL. Users can log in to get access to the site through accounts stored in a mysql db. When going to the page where a user can actually watch the stream, the site is using jwplayer to load() a specific URL. The stream itself comes from an internal server process on another port. However, due to jwplayer being instantiated on the client side, I must pass a URL to it that is accessible remotely. For right now, I'm using Apache ProxyPass to proxy this url to the internal server process and that works just fine. The problem is that anyone could simply type in this url passed to jwplayer into VLC (as an example) and get the stream no problem.
Is there a way I can "proxy" a request to the internal server process using PHP where I can first authenticate the current user from the mysql db?
I've tried using Basic Apache Auth on the specific url path and that DOES prompt for a basic auth username and password. That works to prevent someone from hot-linking to my stream in VLC. However, I don't want users to have to use the basic auth login style and I'd like to continue using my mysql db authentication system. Is there a simple way that I can authenticate a user for the Apache Basic auth from a successful login to a PHP page?
Thanks.
Related
I've built a Slack App for our team.
I was able to create a Slack Button and used that to authorize the app with oauth.access
My Slack App adds a Slash Command to a channel in Slack
So far so good.
The Slash Command needs a Request URL which is simply the page that will receive the slash command payload and optionally, send a response back to the Slack channel.
Here's the rub, the server that host the page I need to use for the Request URL is on our internal network and only accessible to users on our VPN.
Our main site accessible to the world at, https://example.com
The server on which this page is hosted is at, https://slack.example.com which is only accessible to users on our VPN (both are apache 2.4 servers)
Anyone not on the VPN that requests slack.example.com is instead served https://example.com
It is not possible for me to move the php page to a server that is accessible outside our VPN (it's part of a larger application that can't be moved) but I can add a php page the serve that hosts https://example.com.
I'm thinking that I might be able to add a php page to example.com that could act as a proxy recieving messages from slack.com, passing them to slack.example.com then getting the response from slack.example.com and sending that response back to slack.com.
Is this possible, and if so, how would I go about it? I'm open to other solutions as well, possibly using Apache to do the proxying?
I would run the request page on a separate server in your DMZ functioning as proxy to the internal application server. Here is a brief description:
The php script for the request url (=request page) needs to be accessible to the public internet, so that Slack can call it. I would put it on a separate server and I would put that server in the DMZ of your company. That is usually the best place for servers that need to be accessible from the outside, but also need to access servers on the inside of your company. Make sure to use SSL and the verification token to secure your calls from Slack.
The request page can run on a small server and will need to have a webserver (e.g. apache) and php. If you planning to have more complex requests you may also need a database. It will also need to run SSL, so you will need a certificate. You can also use your existing webserver to the outside (example.com) if is meets these requirements.
The request page needs to have access to your application server, e.g. via VPN. It would need to function as proxy: receive the request from Slack, make requests to the application server based on the specifics of the slash command and then return the info back to Slack.
Another important point is user authentication. I read from your question that not all users on your Slack team should have access to the application server, so your request script needs to have a method to distinguish which users are allowed access and which are not. It would be easiest, if these users could be identified by membership of a specific Slack group. In any case you probably would need an additional bot that ensures mapping of Slack users to VPN users.
On my local server I have written a script that takes a username & password and confirms it is valid against my LDAP server.
I have a web site professionally hosted on a remote server. I have a CMS on the remote server and I would like users to use their LDAP credentials to gain access to that CMS.
My plan is to have a login form on the remote server. The form will POST the username/password to itself using https. It will then use CURL to POST the username/password again but this time across the internet to my local server, again using https. My local server will be setup to provide a simple "TRUE" or "FALSE" as a response. If the remote server gets back TRUE, session variables are set to permit access.
Security-wise, is this a safe practise. Should I consider another way?
note: I'm not particularly proficient with cURL but I think I can figure out how to do the above.
LDAP - Lightweight active directory protocol which is used to communicate with your active directory server.
LDAP is there only to authenticate & access AD server in most secure way.
Here is the solution for problem :
Customize existing login functionality of your CMS in a way like - If user his details check with AD server using LDAP whether user is exist in AD, if yes update his credential to your DB(Also keep flag that user is AD enabled), if user is present is AD & not there in your DB create that one.
Likewise after some time al your user from AD server will migrate to your DB & you are not required to keep seperate application to for user migration.
Also every time authenticating with AD is best to provide security but its all up to you, because after migration of all user you can remove this functionaity.
I have a bucket with files in it in AS3. I have access to the PHP API and a server that can send requests to Amazon on command.
What I want to do is grant access to a file in my bucket using an HTTP GET/POST request. From what I understand using this function:
get_object_url ( $bucket, $filename, $preauth, $opt )
I can make the file publicly accessible for the $preauth amount of time at a given URL. I don't want to do that, I want the file to be privately available at a URL with required POST or GET credentials (deciding who can access the file would be based on a database containing application 'users' and their permissions). I understand the security implications of passing any kind of credentials over GET or POST on a non-HTTPS connection.
Is this possible? I could just download the file from AS3 to my server for the extent of the transaction then do all the controls on my own box, but that's an expensive solution (two file downloads instead of one, when my server shouldn't have had to do a download at all) to a seemingly easy problem.
The short answer is no.
You could look at Amazons IAM for some more ways to secure the content especially in conjunction with Cloudfront but essentially there is no way to provide access to content by passing along a username and password.
Of course, if you are already authenticating users on your site, then you can only supply the signed url to those users. The url only has to be valid at the time the user initiates the download and not for the entire duration of the download.
Also, if you intend to use your server as a proxy between S3 and the user you'll be removing a lot of the benefits of using S3 in the first place. But you could use EC2 as the server to remove the extra cost you mentioned - transfers between S3 and EC2 are free.
Not sure this is possible but...
What I would like to do is to use ASP.NET impersonation to authenticate a Flash app as a user in IIS so that the file dependencies related to the flash file ( XML config files, and PHP API calls ) are not anonymously accessible when users try to access them directly through the URL. So, instead of displaying the contents of an XML config file, it should tell the unauthenticated user they do not have permission to view the file.
Is this possible? Right now I'm looking into request headers and the settings in IIS for authentication.
So I found out how to use Basic Authentication through help posted here. The problem I'm running into is that even though the flash app sends the appropriate request. Which is handled fine in FF, Chrome, and Safari. It still displays the login pop-up box for Opera and IE. Does anyone know why IE and Opera behave differently with Basic Authentication?
Any help on this would be greatly appreciated.
use ASP.NET impersonation to authenticate a Flash app as a user in IIS
Assuming I understood your post correctly:
If your intent is to protect some file from unauthorized access, you should check if the solutions provided actually do so. Flash is a client side plug-in, and therefore its communication with the server (side) can be inspected using readily available tools (Safari/Chrome/IE developer tools, Firebug, etc). So if Flash is a "user" and you hard-code its authentication, it would be trivial to inspect that (http) request and "see" the data being passed....
On the other hand, if you are saying you want to incorporate a user login (each user will have to provide credentials) and then have that communicate with your server side authentication scheme then it would be fine (just like any other browser based login scheme).
so what i am trying to do is this:
login to the other server with a PHP on my own server (either with my username and pass/or with my cookies)
then have access to the page i want to display/download
i want to write a PHP script that is located on my own server, that automatically does a login to another server, that uses HTTPS and a web form for login.
after the login i have access to that page that i am trying to download.
i dont know if it would be possible to login and download the html only with the cookies that i have in my browser through a previous login, or if i need to do the login in my php script through some https login method.
can i do any of this with curl or fsocksopen or what would be the best way to realize this?
thanks in advance!
you just have to try. in most cases you should be fine if you export your cookies and use them in your curl request.
however the website mave hashed the cookies with the remote address, or given a timeout on them.
then you probably have to login from the server. with php / curl you can do that all.
the only thing that may be a problem is javascript/captcha codes.
in addition you should definately check zend http client, it has functionalities that makes "browsing" easy. for example saving cookies and automatically passing them on in the next request and also deleting them if the server tells you so etc.
Use the PEAR HTTP Request class.