[1818] in WWW Security List Archive


Restrictions group without ask for the password

daemon@ATHENA.MIT.EDU (Rob Jenson)
Fri Apr 12 12:28:35 1996

Date: Fri, 12 Apr 1996 09:59:23 -0400
From: Rob Jenson <jenson@nasirc.hq.nasa.gov>
To: jwalters@conicyt.cl
Cc: WWW-Security <www-security@ns2.rutgers.edu>
In-Reply-To: <316D4400.DD3@conicyt.cl>
Errors-To: owner-www-security@ns2.rutgers.edu


Jorge:

    One approach (not necessarily the only, best, or easiest) is as
follows:

Set up a second httpd server (ideally chrooted for additional
security) on a different port of your server.  Configure that server
to work with a different directory of web pages and cgi-bin programs.

Create a second service, such as rhttpd in your /etc/services, to make
your newly chosen port number clear, and to provide tcp/ip wrappers
with a symbolic token to use.

Use tcp/ip wrappers (available from ftp://ftp.win.tue.nl/pub/security ) 
with extended access control compiled into the package.

Set up your second httpd service in /etc/inetd.conf with tcpd as the
driver (instructions for this are straightforward w/ tcp/ip wrappers).

Set up your /etc/hosts.allow file with entries for the netmasks or
domains that you want to allow access to (these net numbers are
examples ... I have no idea whose networks they belong to):

rhttp : 129.105.0.0 \
	199.5.4.0 \
	199.5.5.0   : allow
rhttp : ALL : twist /usr/local/bin/rhttp-denial %h %u

Write a program (can be a shell script if you are careful) called
/usr/local/bin/rhttp-denial which outputs an html response indicating
that access is not allowed from that host (host name passed in as
%h).

One advantage to this approach is that it does not require httpd to
spawn simply to deny access, nor does it depend on the access control
mechanisms of httpd.  The access control is performed by a smaller,
more verifiable (and to date extremely reliable) program, and httpd is
only spawned if necessary.

The disadvantages: maintaining two web servers and two sets of pages,
keeping your restricted URLs pointed to the second port, etc.

_rob_

Jorge Walters writes:
 > Hi, is it possible to have some pages with restriction to some netmask ?
 > 
 > I know that is possible but I don't want to ask the user for a password if it 
 > has the correct netmask.
 > 
 > Thanks a lot,
 > -- 
 >              Jorge Walters Gastelu                 
 >               jwalters@conicyt.cl
 >       http://www.conicyt.cl/~jwalters
 >                CONICYT - CHILE

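What the /usr/local/bin/rhttp-denial program from the recipe above might look like, as an added example that is neither Rob's nor the list's code: a POSIX shell script that tcpd's "twist" runs with the client socket on stdin/stdout, which sends a 403 page, HTML-escapes the host name tcpd passes as %h (reverse DNS is controlled by whoever runs the client's DNS, so it cannot be trusted in markup), and logs the refusal. The /etc/services and inetd.conf lines in the comments are assumptions, and port 8080 is a placeholder.

```shell
#!/bin/sh
# Hypothetical /usr/local/bin/rhttp-denial (added example, not from the post).
# tcpd invokes it via "twist" with the client's socket on stdin/stdout and
# passes the client host name as %h and the ident-reported user name as %u.
#
# Assumed companion entries (service name taken from the post, port is a placeholder):
#   /etc/services:    rhttp   8080/tcp
#   /etc/inetd.conf:  rhttp stream tcp nowait nobody /usr/sbin/tcpd rhttp
#   /etc/hosts.allow: rhttp : ALL : twist /usr/local/bin/rhttp-denial %h %u

# Escape the characters that carry meaning in HTML text, so a hostile
# reverse-DNS name cannot inject markup into the page we send back.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g'  -e 's/"/\&quot;/g'
}

# Build the complete HTTP/1.0 reply: status line, headers, blank line, body.
# Kept in a function so it can be exercised without a live socket.
rhttp_denial_response() {
    host=$(html_escape "$1")
    printf 'HTTP/1.0 403 Forbidden\r\n'
    printf 'Content-Type: text/html\r\n'
    printf 'Connection: close\r\n'
    printf '\r\n'
    printf '<html><head><title>Access denied</title></head>\n'
    printf '<body><h1>403 Forbidden</h1>\n'
    printf '<p>Access to this server is not permitted from host %s.</p>\n' "$host"
    printf '</body></html>\n'
}

# Entry point when tcpd runs the script with arguments: record the refusal
# (the ident user is logged only, never shown to the client), then answer.
if [ $# -ge 1 ]; then
    logger -t rhttp-denial "denied ${1} (ident user: ${2:-unknown})"
    rhttp_denial_response "$1"
fi
```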
