I have always developed my projects using MAMP locally and once done simply uploaded everything to a live server. However, I'm wanting to integrate some FB functionality in my current project and I believe I'm correct in saying that it is not possible to fully test FB integration locally. My problem is I don't want to release the project I'm working on until it's finished (or at least nearly finished!) by placing it on a live server. I don't even want people to see a login screen or anything. Is there a way I can upload everything to my domain for testing purposes but prevent anyone apart from me from accessing the site?
It is possible to test almost everything (with quite rare exclusions) related to FB locally.
The only exceptions I can recall are:
Attachments to stream messages
Subscriptions
Btw, if there are other issues that I forgot and that you're experiencing, you can create a test domain with this .htaccess in its root:
Order deny,allow
Deny from all
AuthName "Password"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user
Allow from 69.63.176.0/20
Satisfy Any
Where 69.63.176.0/20 is equal to 69.63.176.0 - 69.63.191.255 and belongs to Facebook, and .htpasswd is a password file created with the console utility htpasswd:
htpasswd -c /path/to/.htpasswd musoNic80   # then enter the password when prompted
With such an .htaccess, everyone except someone with a Facebook IP will be required to enter a valid login/password through basic HTTP auth.
Also, if you have a dynamic IP that is your own (assigned only to you when you log in to your PPPoE (or whatever you use) session, and changed after you log in again), you could use http://no-ip.org to make your local host reachable from outside, and thus available to Facebook.
It's super simple, check out localtunnel and plug in the URL to Facebook. This will expose your computer to the net in a very limited way and will shut the tunnel when you choose to.
http://progrium.com/localtunnel/
I'm not sure if this works on Windows but I'm sure there's something similar.
Related
I've been developing a Symfony app (learning Symfony with the goal of replacing an existing "old school" PHP script with it) and am having an issue with putting it "behind" our Shibboleth authentication.
Why do that? For this app I need $_SERVER['REMOTE_USER']. The app doesn't have local accounts, the user doesn't log into the app, but, like many resources, we protect them with some form of authentication.
I have two sites - virtual hosts running on the same physical server. (CentOS 7). The first site has the following in its .htaccess file:
authtype shibboleth
ShibRequestSetting requireSession 1
require valid-user
I have a "phpinfo.php" file in there, too, and can run that script and, after the Shibboleth authentication step, get the output which includes the correct value of REMOTE_USER.
The other virtual host is set up as a Symfony 3.1 app. I've added those three lines to the top of its ".htaccess" file - but after going through the Shibboleth authentication step, the browser gets into a loop and goes no farther. (In Chrome, the 'favicon' is replaced with a looping arrow, and it never stops turning.)
If I hit and then view the source of this still-empty page, I see the following error message:
Error Message: Error decoding authentication request message
I'm not sure how to start to resolve this issue, and was hoping that someone has seen this and knows how to help.
Thanks.
Best,
Stephen
If I understand well, you are trying to make the Service Provider part in Symfony and you already have an IDP working with Shibboleth.
In my case I also had a similar problem, and it was because after the Assertion the Apache SP was returning to the root URL. I learnt after reading a lot of documentation that if this is not set correctly you can add an attribute in the shibboleth2.xml configuration called homeURL:
<ApplicationDefaults entityID="https://sso/saml2/idp/metadata.php"
REMOTE_USER="mail"
homeURL="https://symfonyApp/redirect/after/login">
Try it out and restart the shib daemon: /etc/init.d/shibd restart
It may be something else as well. But it sounds to me that there is some misconfiguration on your SP side.
We're trying to implement a single-sign-on solution that integrates AD and a PHP web application. When a user tries to access the intranet website, this is what should happen:
The web app asks the server to read the AD credentials stored in the computer of a user already logged into windows/AD.
AD "passes the AD username to Apache"
Using PHP, I read the credentials stored -as I understand- in $_SERVER['PHP_AUTH_USER']
This is all meant to work only within an intranet. Outside it, we just display a login form.
We're somewhat stumped with this process. From other sources, we configured Apache with the following directives, but were ultimately unsuccessful, with an internal server error message and nothing on the error logs.
<Location "/">
Options -Indexes MultiViews FollowSymLinks
Order allow,deny
Allow from all
AuthType Basic
AuthName "VALIDAUTHNAME"
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL "ldap://IP.FOR.THE.SERVER:389/DC=MYCOMPANY,DC=CL?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "DC=MYCOMPANY,DC=MYCOUNTRY"
Require ldap-attribute gidNumber=10000
</Location>
Is there a clear explanation of the process we have to implement? We've read lots of stuff about the inverse process, passing credentials to AD, but not much about this case. Our sysadmins aren't really experienced in this, so they aren't of much help.
A few months ago, I did exactly what you're trying to do with mod_auth_ntlm_winbind. The configuration of it isn't very difficult, but it helps to be familiar with winbind. Your sysadmins should be able to help with that if you aren't. winbind is a part of the samba package, so it's probably already installed on your server. Once you get winbind set up, you just need to enable the Apache module and do a little bit of configuration. The site for the module should be able to guide you through it. When I originally set this up, I tested it with IE8, Chrome, and an older version of Firefox (5 or 6 maybe) and they all natively support the NTLM authentication. If everything is configured and working correctly, the Apache module will automagically fill $_SERVER['PHP_AUTH_USER'] with the user name without needing any interaction with the user and you can do whatever you want to with it from there. There is a lot more documentation available now and even with the lacking documentation before, I only had one major problem for which a fix is now well documented.
I have a server which is online right now, but requires authentication when accessing, so it is basically closed to everyone but me.
Thing is, I don't want to "Open" the website to the public, but I need to test my website on different browsers.
One way is to do it from websites like browsershots.org, which requires access to my website. But my website is "closed" (requires authentication) from anyone except me.
I have these lines in my apache2.conf (or httpd.conf as it also is known as):
<Directory /var/www>
AuthType Basic
AuthName "Some name"
AuthUserFile "dir/to/some/file"
Require user some_user
</Directory>
The lines above allow access only to somebody with the username "some_user" and a password which is located in "dir/to/some/file".
Now, is there any way to give access to the website from a host also?
My problem is, like I said, when trying to cross-browser check my website from sites which require a URL to my website, they are all blocked because of the authentication I have.
Do I have to turn off the authentication in order to be able to cross-browser check?
Thanks
If you could verify what IP address they would be hitting your website from, you could use a combination of the Allow and Deny directives to make sure that only requests originating from browsershots.org's IP address get through.
http://httpd.apache.org/docs/2.0/mod/mod_access.html
You can create a page that shows the visitor's IP, visit your site from browsershots.org, then use that in your Apache config.
What about if you removed the authentication, but then added PHP code to restrict access by IP, so that the site was only accessible from your own computer? Would that work for your purposes? Something like this:
http://www.wmtips.com/php/simple-ways-restrict-access-webpages-using.htm#ip
Edit: sjobe has the better plan. Same idea, but that way you can still let BrowserShots do the work.
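A sketch of the PHP-side IP restriction suggested above, as an added example that is not part of the original answer or of the linked article. The function names and the ranges in `ALLOWED_NETS` are hypothetical (documentation addresses), and the check handles both IPv4 and IPv6 prefixes.

```php
<?php
// Added example. ALLOWED_NETS holds constructed sample ranges; use your own.
const ALLOWED_NETS = ['203.0.113.17', '198.51.100.0/24', '2001:db8:1::/48'];

function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    // Reject unparsable input and IPv4/IPv6 family mismatches.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $max = strlen($ipBin) * 8;              // 32 for IPv4, 128 for IPv6
    if ($bits === null) {
        $bits = $max;                       // bare address: exact match
    } elseif (!preg_match('/^\d{1,3}\z/', $bits) || (int) $bits > $max) {
        return false;                       // malformed prefix must never match
    }
    $bits  = (int) $bits;
    $whole = intdiv($bits, 8);              // bytes that must match completely
    if (strncmp($ipBin, $netBin, $whole) !== 0) {
        return false;
    }
    $rest = $bits % 8;                      // leftover bits in the next byte
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

function client_is_allowed(array $server, array $nets = ALLOWED_NETS): bool
{
    // REMOTE_ADDR is the TCP peer address seen by the web server. Do not use
    // X-Forwarded-For here unless a proxy you control overwrites it.
    $ip = (string) ($server['REMOTE_ADDR'] ?? '');
    foreach ($nets as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI !== 'cli' && !client_is_allowed($_SERVER)) {
    http_response_code(403);
    exit('Forbidden');
}
```

Include the file at the top of every entry script; the check is skipped only when PHP runs from the command line.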
We have a sharepoint instance on our network that we get automatically logged into by logging into Windows. (they do not get prompted to log in)
We have another web application that requires users to log in but it currently has its own username/password setup.
Our goal is to get the other application (which we have built) to act the same way sharepoint does - if you are logged into windows it will log you right into the application.
Where do I start? (I assume this will require LDAP)
Any guidance would be greatly appreciated.
Our setup (windows):
Windows
IE7 & 8
Windows Active Directory managing users/password
Our setup (the other application):
RHEL (could be Windows Server if really necessary)
PHP 5
Apache
mySQL - username and password are stored in mySQL
Update:
Maybe a drawing would help: Look at this
You are looking to implement NTLM Authentication in the PHP application, see my prior answer on this:
Can a PHP intranet share Windows logins?
If your other web application uses Windows Integrated Authentication (NTLM or Kerberos authentication or even basic authentication) then it can act the same way. Depending on the browser, it can automatically remember and log into sites using one of these methods. Each browser may do it differently, though. IE has settings for automatically logging in based on the zone (Internet, Local intranet, trusted sites).
You would not necessarily need to have your other application use the same user store (AD/LDAP), but it would likely make sense.
I'm vaguely aware that on a computer joined to a domain IE can be asked to send some extra headers that I could use to automatically sign on to an application. I've got apache running on a windows server with mod_php. I'd like to be able to avoid the user having to log in if necessary. I've found some links talking about Kerberos and Apache modules.
http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=last
https://metacpan.org/pod/Apache2::AuthenNTLM
Since I'm running on Windows it's proven to be non-trivial to get Perl or Apache modules installed. But doesn't PHP already have access to HTTP headers?
I found this but it doesn't do any authentication, it just shows that PHP can read the NTLM headers.
http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/
I'd like to be able to have my users just point to the application and have them automatically authenticated. Has anyone had any experience with this or gotten it to work at all?
UPDATE
Since originally posting this question, we've changed setups to nginx and php-fcgi still running on windows. Apache2 and php-cgi on windows is probably one of the slowest setups you could configure on windows. It's looking like Apache might still be needed (it works with php-fcgi) but I would prefer a nginx solution.
I also still don't understand (and would love to be educated) why HTTP server plugins are necessary and we can't have a PHP, web server agnostic solution.
All you need is the mod_auth_sspi Apache module.
Sample configuration:
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain mydomain
# Set this if you want to allow access with clients that do not support NTLM, or via proxy from outside. Don't forget to require SSL in this case!
SSPIOfferBasic On
# Set this if you have only one domain and don't want the MYDOMAIN\ prefix on each user name
SSPIOmitDomain On
# AD user names are case-insensitive, so use this for normalization if your application's user names are case-sensitive
SSPIUsernameCase Lower
AuthName "Some text to prompt for domain credentials"
Require valid-user
And don't forget that you can also use Firefox for transparent SSO in a Windows domain: Simply go to about:config, search for network.automatic-ntlm-auth.trusted-uris, and enter the host name or FQDN of your internal application (like myserver or myserver.corp.domain.com). You can have more than one entry, it's a comma-separated list.
I'd be curious about a solution that uses OpenID as a backend (of sorts) for this... I wasn't seeing anything that would hook into ActiveDirectory directly when I googled (quickly). However, it could be pretty painless to implement over plain HTTP(S) (you'd be an OpenID provider that checked credentials against your local AD). In a best case scenario, you might be able to just add a couple classes to your app and be off and running -- no web server modules required. There is a lot of open source code out there for either side of this, so if nothing else, it's worth taking a look. If you exposed the backend to the users (i.e. gave them OpenID URLs), you'd have the added benefit of them being able to log in to more than just your internal sites using these credentials. (Example: Stack Overflow.)
As an aside, I'd be against making it so that Internet Explorer is required. I'm not sure if that is the goal from the way you wrote the question, but depending on your IT environment, I'd expect people who use Firefox or Safari (or Opera or ...) to be less than enthusiastic. (You're not developing against IE first, are you? That's been painful whenever I've done so.) This is not to say that you couldn't use this feature of IE, just that it shouldn't be the only option. The link you posted stated that NTLM worked with more than IE, but since I don't have any experience with it, it's hard to judge how well that would work.
I had a similar problem which I needed to solve for my organization.
I was looking into using adLDAP.
There is some documentation on the site for achieving seamless authentication with Active Directory too.
One option for you is to use CAS (central authentication service).
It has php client library.
How-to link to MS Active Directory: http://www.ja-sig.org/wiki/display/CASUM/Active+Directory
You would require Apache maven 2 though.
For IIS/PHP FCGI, You need to send out an unauthorized header:
function EnableAuthentication()
{
    $realm = "yoursite";
    header('WWW-Authenticate: Digest realm="'.$realm.'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    header("HTTP/1.1 401 Unauthorized");
    exit;
}
You can then get at the username with:
$winuser = $_SERVER["REMOTE_USER"];
I then make sure the $winuser is in my database of allowed users.
Be SURE and test this under a non-privileged account. When I first installed this I tested it and it worked fine, but later when a standard non-server-admin user tried it this failed. Turns out some of the temporary directories need to have permissions changed for guest users. I can't recall the exact settings.
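One way to do the "is this user allowed" check on the server-provided name, as an added example that is not the answerer's code. The function names, `EXPECTED_DOMAINS` and the sample identities are hypothetical; the character set accepted for account names is an assumption.

```php
<?php
// Added example. EXPECTED_DOMAINS and the sample identities are constructed.
const EXPECTED_DOMAINS = ['mydomain', 'mydomain.example'];

function canonical_user(array $server, array $domains = EXPECTED_DOMAINS): ?string
{
    // REMOTE_USER is set by the server's auth module after it verified the
    // user. Never fall back to a request header (HTTP_*): clients control those.
    $raw = trim((string) ($server['REMOTE_USER'] ?? ''));
    if ($raw === '') {
        return null;                        // module not active: fail closed
    }
    $domain = null;
    $user   = $raw;
    if (strpos($raw, '\\') !== false) {     // DOMAIN\user (NTLM/SSPI style)
        [$domain, $user] = explode('\\', $raw, 2);
    } elseif (strpos($raw, '@') !== false) { // user@REALM (Kerberos/UPN style)
        [$user, $domain] = explode('@', $raw, 2);
    }
    // Dropping the domain blindly would merge OTHER\jdoe with MYDOMAIN\jdoe.
    if ($domain !== null && !in_array(strtolower($domain), $domains, true)) {
        return null;
    }
    $user = strtolower($user);              // AD account names are case-insensitive
    // Conservative character set (an assumption; widen it if your names need it).
    return preg_match('/^[a-z0-9._-]{1,64}\z/', $user) ? $user : null;
}

function is_authorized(array $server, array $allowedUsers): bool
{
    $user = canonical_user($server);
    return $user !== null && in_array($user, $allowedUsers, true);
}

// Constructed samples: the forms in which a module may deliver the same account.
$allowed = ['jdoe'];
$samples = ['MYDOMAIN\\JDoe', 'jdoe@MYDOMAIN.EXAMPLE', 'jdoe', 'OTHER\\jdoe', ''];
foreach ($samples as $sample) {
    $verdict = is_authorized(['REMOTE_USER' => $sample], $allowed) ? 'allow' : 'deny';
    printf("%-26s %s\n", var_export($sample, true), $verdict);
}
```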