I have a server which is online right now, but requires authentication when accessing, so it is basically closed to everyone but me.
Thing is, I don't want to "Open" the website to the public, but I need to test my website on different browsers.
One way is to do it from websites like browsershots.org, which requires access to my website. But my website is "closed" (requires authentication) from anyone except me.
I have these lines in my apache2.conf (or httpd.conf, as it is also known):
<Directory /var/www>
AuthType Basic
AuthName "Some name"
AuthUserFile "dir/to/some/file"
Require user some_user
</Directory>
The lines above allow access only to somebody with the username "some_user" and a password which is located in "dir/to/some/file".
Now, is there any way to give access to the website from a host also?
My problem is, like I said, when trying to cross-browser check my website from sites which require a URL to my website, they are all blocked because of the authentication I have.
Do I have to turn off the authentication in order to be able to cross-browser check?
Thanks
If you could verify what IP address they would be hitting your website from, you could use a combination of the Allow and Deny directives to make sure that only requests originating from browsershots.org's IP address get through.
http://httpd.apache.org/docs/2.0/mod/mod_access.html
You can create a page that shows the visitor's IP, visit your site from browsershots.org, then use that in your Apache config.
What about if you removed the authentication, but then added PHP code to restrict access by IP, so that the site was only accessible from your own computer? Would that work for your purposes? Something like this:
http://www.wmtips.com/php/simple-ways-restrict-access-webpages-using.htm#ip
Edit: sjobe has the better plan. Same idea, but that way you can still let BrowserShots do the work.
I'm not even sure if this is possible or if I'm explaining it right but I'll give it a shot.
So basically I'm creating a web application using Javascript, HTML, CSS, SQL and PHP. I'm pretty new to backend web development, though everything is going great so far. Things are working exactly how I planned and I'm pretty proud of myself.
I have multiple users and when you go to their profile (domain.com/user/1) it displays all their info. This works the same for domain.com/user/2, domain.com/user/3 and so on.
What I'm trying to do is allow users to point their domain/subdomain to a CNAME (such as verify.mydomain.com) which allows them to connect their subdomain/domain to the web application so that it displays the same as what domain.com/user/1 does.
For example, user1 can use their domain profile.mydomain.com and it displays what domain.com/user/1 does but keeping the subdomain rather than a redirect.
If anyone has any suggestions at all on how I can do this please let me know!
Sorry about my English!
I'm not sure if you are using a self-host or a shared-host, but to solve it, you need to make some configuration changes (no worries, they are easy):
#1. DNS
By default your DNS server has some record like:
100.100.100.100 www.mywebsite.com
so, you need to change it to something like:
* .mywebsite.com
Please check if this configuration can cause some problem (I don't know if you have another application in this domain)
#2. WebServer
If you are using Apache as your web server, you only need to add/change the "ServerAlias" directive and the VirtualHost name (if necessary) to something like:
<VirtualHost test.local:80>
DocumentRoot "YOUR_APP_PATH"
ServerName test.local
ServerAlias *.test.local
</VirtualHost>
Now all subdomains (test.com, www.test.com and user1.test.com) will be redirected to some app directory.
#3. Your APP
Now you need to adjust your application logic to understand the URL and make the necessary requests.
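One way to do the application step described above, as an added example that is not part of the original answer: normalize the Host header, then look it up in a table of hostnames that users have registered. The table `custom_domains`, its columns (including the `verified` flag) and the sample hostnames are hypothetical and constructed for the demo; it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: resolve which profile to render from the request's Host header.
// Table/column names and the sample rows below are hypothetical.

function normalize_host(string $rawHost): ?string
{
    $host = strtolower(trim($rawHost));
    $host = preg_replace('/:\d{1,5}$/', '', $host); // strip an optional :port
    $host = rtrim($host, '.');                      // drop a trailing dot
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    // Accept only plain DNS names made of at least two valid labels.
    if (strlen($host) > 253 || !preg_match("/^{$label}(?:\\.{$label})+\$/", $host)) {
        return null;
    }
    return $host;
}

function resolve_profile_user(PDO $db, string $rawHost): ?int
{
    $host = normalize_host($rawHost);
    if ($host === null) {
        return null;
    }
    // The Host header is client-controlled: serve only hostnames that a user
    // registered and that were marked verified, using a bound parameter.
    $stmt = $db->prepare(
        'SELECT user_id FROM custom_domains WHERE hostname = ? AND verified = 1'
    );
    $stmt->execute([$host]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE custom_domains (hostname TEXT PRIMARY KEY, user_id INTEGER, verified INTEGER)');
$db->exec("INSERT INTO custom_domains VALUES ('profile.example.org', 1, 1), ('pending.example.net', 2, 0)");

// In a real request the input would be $_SERVER['HTTP_HOST'] ?? ''.
foreach (['Profile.Example.org:80', 'pending.example.net', 'bad_host/../x', 'unknown.example.com'] as $h) {
    $id = resolve_profile_user($db, $h);
    echo $h, ' => ', $id === null ? '404 (no verified mapping)' : "render profile of user $id", PHP_EOL;
}
```

Because the wildcard ServerAlias sends every hostname to the same application, an unknown or unverified host should end in a 404 rather than a default profile.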
Setup
Server: Apache 2.2.
I do have access to httpd.conf, but in case necessary the solution can be using .htaccess
The goal:
To permit directory listing only in case the request comes from a specific URL.
So only if a user is able to access a specific URL on my site will he/she be able to access this directory.
Currently I only have this configuration that allows all to access this directory:
<Directory "/home/myaccount/app/Ui/policies/gray_list">
Options Indexes FollowSymLinks
</Directory>
It is possible to evaluate the ReferrerURI for this (you said requests coming from a specific URL, so a page offering a link), however note that this is not reliable. The ReferrerURI is a simple HTTP header, thus it is very easy to manipulate / spoof that.
The only reliable approach to this is using session handling. So enforcing some kind of authentication to the referring page and only grant a directory listing if the authentication process protecting the referring page has led to a valid session. This has to be done on scripting level though, I am not aware of a straightforward approach using Apache features only.
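A sketch of the session-based approach described in the answer above, as an added example that is not part of the original post: the listing is produced by a script that checks the session, and Apache's own `Indexes` listing for the directory is assumed to be switched off. The session key `gray_list_ok` is hypothetical; the authenticated referring page is assumed to set it to `true` after a successful login.

```php
<?php
// Added example: gate the directory listing on a server-side session flag
// instead of the client-supplied Referer header.
// 'gray_list_ok' is a hypothetical key set by the protected page after login.

const LIST_DIR = '/home/myaccount/app/Ui/policies/gray_list';

function listing_allowed(array $session): bool
{
    // Strict comparison: only an explicit true stored by the login flow counts.
    return ($session['gray_list_ok'] ?? null) === true;
}

function list_files(string $dir): array
{
    $names = [];
    foreach (scandir($dir) ?: [] as $entry) {
        // Skip dot entries and anything that is not a regular file.
        if ($entry[0] !== '.' && is_file($dir . '/' . $entry)) {
            $names[] = $entry;
        }
    }
    return $names;
}

// Keep the session cookie out of reach of page scripts.
session_start(['cookie_httponly' => true]);

if (!listing_allowed($_SESSION)) {
    // Whatever Referer the request carries, no valid session means no listing.
    http_response_code(403);
    exit('Forbidden');
}

header('Content-Type: text/html; charset=utf-8');
echo "<ul>\n";
foreach (list_files(LIST_DIR) as $name) {
    // File names are untrusted data once they are written into HTML.
    echo '<li>', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "</li>\n";
}
echo "</ul>\n";
```

The files themselves need the same check when they are downloaded, otherwise anyone who learns a file name can fetch it directly.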
We're trying to implement a single-sign-on solution that integrates AD and a PHP web application. When a user tries to access the intranet website, this is what should happen:
The web app asks the server to read the AD credentials stored in the computer of a user already logged into windows/AD.
AD "passes the AD username to Apache"
Using PHP, I read the credentials stored -as I understand- in $_SERVER['PHP_AUTH_USER']
This is all meant to work only within an intranet. Outside it, we just display a login form.
We're somewhat stumped with this process. From other sources, we configured Apache with the following directives, but were ultimately unsuccessful, with an internal server error message and nothing in the error logs.
<Location "/">
Options -Indexes MultiViews FollowSymLinks
Order allow,deny
Allow from all
AuthType Basic
AuthName "VALIDAUTHNAME"
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL "ldap://IP.FOR.THE.SERVER:389/DC=MYCOMPANY,DC=CL?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "DC=MYCOMPANY,DC=MYCOUNTRY"
Require ldap-attribute gidNumber=10000
</Location>
Is there a clear explanation of the process we have to implement? We've read lots of stuff about the inverse process, passing credentials to AD, but not much about this case. Our sysadmins aren't really experienced in this, so they aren't of much help.
A few months ago, I did exactly what you're trying to do with mod_auth_ntlm_winbind. The configuration of it isn't very difficult, but it helps to be familiar with winbind. Your sysadmins should be able to help with that if you aren't. winbind is a part of the samba package, so it's probably already installed on your server. Once you get winbind set up, you just need to enable the Apache module and do a little bit of configuration. The site for the module should be able to guide you through it. When I originally set this up, I tested it with IE8, Chrome, and an older version of Firefox (5 or 6 maybe) and they all natively support the NTLM authentication. If everything is configured and working correctly, the Apache module will automagically fill $_SERVER['PHP_AUTH_USER'] with the user name without needing any interaction with the user and you can do whatever you want to with it from there. There is a lot more documentation available now and even with the lacking documentation before, I only had one major problem for which a fix is now well documented.
I have always developed my projects using MAMP locally and once done simply uploaded everything to a live server. However, I'm wanting to integrate some FB functionality in my current project and I believe I'm correct in saying that it is not possible to fully test FB integration locally. My problem is I don't want to release the project I'm working on until it's finished (or at least nearly finished!) by placing it on a live server. I don't even want people to see a login screen or anything. Is there a way I can upload everything to my domain for testing purposes but prevent anyone apart from me from accessing the site?
It is possible to test almost everything (with quite rare exclusions) related to FB locally.
The only exceptions I can recall are:
Attachments to stream messages
Subscriptions
Btw, if there are other issues that I forgot and you're experiencing, you can create a test domain with an .htaccess like this in its root:
Order deny,allow
Deny from all
AuthName "Password"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user
Allow from 69.63.176.0/20
Satisfy Any
Where 69.63.176.0/20 equals 69.63.176.0 - 69.63.191.255 and belongs to Facebook, and .htpasswd is a password file created with the console utility htpasswd:
htpasswd -c /path/to/.htpasswd musoNic80   # and enter the password when prompted
With such an .htaccess, everyone except someone with a Facebook IP will be required to enter a valid login/pass through basic HTTP auth.
Also, if you have a dynamic IP that is still your own (given only to you once you have logged in to your PPPoE (or whatever you use) session, and changing after you log in again), you could use http://no-ip.org and have your local host shared outside, and thus available to Facebook.
It's super simple, check out localtunnel and plug in the URL to Facebook. This will expose your computer to the net in a very limited way and will shut the tunnel when you choose to.
http://progrium.com/localtunnel/
I'm not sure if this works on Windows but I'm sure there's something similar.
I'm vaguely aware that on a computer joined to a domain IE can be asked to send some extra headers that I could use to automatically sign on to an application. I've got apache running on a windows server with mod_php. I'd like to be able to avoid the user having to log in if necessary. I've found some links talking about Kerberos and Apache modules.
http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=last
https://metacpan.org/pod/Apache2::AuthenNTLM
Since I'm running on Windows it's proven to be non-trivial to get Perl or Apache modules installed. But doesn't PHP already have access to HTTP headers?
I found this but it doesn't do any authentication, it just shows that PHP can read the NTLM headers.
http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/
I'd like to be able to have my users just point to the application and have them automatically authenticated. Has anyone had any experience with this or gotten it to work at all?
UPDATE
Since originally posting this question, we've changed setups to nginx and php-fcgi still running on windows. Apache2 and php-cgi on windows is probably one of the slowest setups you could configure on windows. It's looking like Apache might still be needed (it works with php-fcgi) but I would prefer a nginx solution.
I also still don't understand (and would love to be educated) why HTTP server plugins are necessary and we can't have a PHP, web server agnostic solution.
All you need is the mod_auth_sspi Apache module.
Sample configuration:
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain mydomain
# Set this if you want to allow access with clients that do not support NTLM, or via proxy from outside. Don't forget to require SSL in this case!
SSPIOfferBasic On
# Set this if you have only one domain and don't want the MYDOMAIN\ prefix on each user name
SSPIOmitDomain On
# AD user names are case-insensitive, so use this for normalization if your application's user names are case-sensitive
SSPIUsernameCase Lower
AuthName "Some text to prompt for domain credentials"
Require valid-user
And don't forget that you can also use Firefox for transparent SSO in a Windows domain: Simply go to about:config, search for network.automatic-ntlm-auth.trusted-uris, and enter the host name or FQDN of your internal application (like myserver or myserver.corp.domain.com). You can have more than one entry, it's a comma-separated list.
I'd be curious about a solution that uses OpenID as a backend (of sorts) for this... I wasn't seeing anything that would hook into ActiveDirectory directly when I googled (quickly). However, it could be pretty painless to implement over plain HTTP(S) (you'd be an OpenID provider that checked credentials against your local AD). In a best case scenario, you might be able to just add a couple classes to your app and be off and running -- no web server modules required. There is a lot of open source code out there for either side of this, so if nothing else, it's worth taking a look. If you exposed the backend to the users (i.e. gave them OpenID URLs), you'd have the added benefit of them being able to log in to more than just your internal sites using these credentials. (Example: Stack Overflow.)
As an aside, I'd be against making it so that Internet Explorer is required. I'm not sure if that is the goal from the way you wrote the question, but depending on your IT environment, I'd expect people who use Firefox or Safari (or Opera or ...) to be less than enthusiastic. (You're not developing against IE first, are you? That's been painful whenever I've done so.) This is not to say that you couldn't use this feature of IE, just that it shouldn't be the only option. The link you posted stated that NTLM worked with more than IE, but since I don't have any experience with it, it's hard to judge how well that would work.
I had a similar problem which I needed to solve for my organization.
I was looking into using adLDAP.
There is some documentation on the site for achieving seamless authentication with Active Directory too.
One option for you is to use CAS (central authentication service).
It has php client library.
How-to link to MS Active Directory: http://www.ja-sig.org/wiki/display/CASUM/Active+Directory
You would require Apache maven 2 though.
For IIS/PHP FCGI, you need to send out an unauthorized header:
function EnableAuthentication()
{
$realm = "yoursite";
header('WWW-Authenticate: Digest realm="'.$realm.'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
header("HTTP/1.1 401 Unauthorized");
exit;
}
You can then get at the username with:
$winuser = $_SERVER["REMOTE_USER"];
I then make sure the $winuser is in my database of allowed users.
Be SURE and test this under a non-privileged account. When I first installed this I tested it and it worked fine, but later when a standard non-server-admin user tried it this failed. Turns out some of the temporary directories need to have permissions changed for guest users. I can't recall the exact settings.