Password access for Intranet Web site
September 20, 2006 6:25 AM

How can one protect an Intranet web site while allowing access from the Internet? Internal users need to see the web site without typing in a password, but when users access it from the outside they need to type in a name and password - or even better still an HTTPS session. I can give more than one internal IP to the server if I have to. Is htaccess the way to go? (Joomla website) Thanks!
posted by bright77blue to Computers & Internet (10 answers total) 2 users marked this as a favorite
 
I presume you have an Apache web server?
posted by antifuse at 6:53 AM on September 20, 2006


There is probably a better more secure way than this but it's how I would probably approach it:

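// Send internal clients to the open page and everyone else to the password-protected one.
$accesslevel = $_SERVER['REMOTE_ADDR'];
// Anchor the pattern and escape the dots so only the intended address matches.
if (preg_match('/^local\.ip\.address\.goes\.here$/', $accesslevel)) {
      header('Location: http://www.yourintranet.com/trusted.php');
} else {
      header('Location: http://www.yourintranet.com/passwordprotected.php');
}
exit; // stop here so the rest of the page is not sent along with the redirect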


posted by twistedonion at 6:55 AM on September 20, 2006


If there is data on your intranet that you want/need to keep private, don't connect it directly to the public internet, even with a password wall; you're opening yourself up to trouble.

If your users really need access to it remotely, look into providing them with VPN access to your internal network, where they'll be able to hit the intranet through the same mechanism that they hit it already.

OpenVPN is one Open/Free method of doing this across multiple platforms, though the setup of it requires more than a passing understanding of networking in general and your network layout in particular. (Though, this may be a good thing... the security implications of a badly configured VPN can be staggering.)

There are other options for providing VPN access, with varying levels of free-ness and ease of setup.
posted by toxic at 7:00 AM on September 20, 2006


Hi

Yes, it is Apache on Linux. I was wondering if twistedonion's idea needs another php file to authenticate the user - which I do not have.
Is there any way of doing it with .htaccess?

Thx again,

BB
posted by bright77blue at 7:15 AM on September 20, 2006


Apache has an excellent doc on its authentication mechanisms here. While I have not set up the specific configuration you're looking for, I'm pretty sure you can combine some 'Allow', 'Deny', and the 'AuthXXX' directives, most likely in a Location block for your webroot (i.e. <Location "/">), in order to force HTTP auth for people outside your network.
posted by cyrusdogstar at 7:52 AM on September 20, 2006


Ooh, here we go, a way to combine password and IP based authentication: Satisfy (found via the mod_access page).

The example given on the Satisfy page is exactly what you want--it lets you specify that users can either auth with HTTP Auth, or by requesting from a specific IP or hostname range.
posted by cyrusdogstar at 7:56 AM on September 20, 2006


What type of firewall is your company/site using? Depending on the product, this can be easily accomplished with no change to your website's code. What toxic says is true, however. If you have data you don't want the world to see, don't allow the world to even get to the front door.
posted by pmbuko at 8:10 AM on September 20, 2006


Hi

Yes, it is Apache on Linux. I was wondering if twistedonion's idea needs another php file to authenticate the user - which I do not have.
Is there any way of doing it with .htaccess?

Thx again,

BB


It would require you to place that code at the top of index.php or whatever your root page is on the site.

Not sure how this would integrate with Mambo tho... a static content page that requires a password and then redirects to the homepage would be workable but very messy I guess.

cyrusdogstar has the perfect solution imo
posted by twistedonion at 8:11 AM on September 20, 2006


Thinking about it for 10 seconds, I'm more inclined to agree with pmbuko and toxic.... if it's only for internal staff to see at home etc. I wouldn't open it to the www. Use VPN.

Mambo can be quite insecure.
posted by twistedonion at 8:15 AM on September 20, 2006


Not sure how this would integrate with Mambo tho... a static content page that requires a password and then redirects to the homepage would be workable but very messy I guess.

And horribly insecure. Don't assume that users always enter the site at the same page.

What happens when I bookmark a deep link (a page on your intranet that isn't the front door -- say the page that has all the home and emergency contact phone numbers for your employees)?

Right. I go to the bookmarked page, bypassing your static content/password page entirely. What happens when I then sign up to a social bookmark site, and inadvertently publish that bookmark when I choose to export all of my bookmarks to the social site? Right... a search engine finds it, and starts crawling your intranet. And now everyone's home phone number is just a google search away.

In my office, this is a fireable offense. (As well it should be.)

If you absolutely must do this, here's how to do it in .htaccess with Satisfy:

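# Password file, kept outside the document root
AuthUserFile /somewhere/.htpassword
AuthName 'Private Website'
AuthType Basic
require valid-user
# Deny hosts by default. Without this line the default "Order Deny,Allow"
# admits every host, and Satisfy Any would then never ask for a password.
Order allow,deny
allow from 10.20.30
# Either a valid login or an allowed address is enough
Satisfy Any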

This will allow users from 10.20.30.0/24 to access the site without a password, and users from other networks to access it if they have a username/password in /somewhere/.htpassword (managed with htpasswd, which ships with Apache). ("Satisfy Any" is telling Apache to accept either the require statement or the allow statement as acceptable to grant access. The default is Satisfy All, which would require both.)

You probably should be doing this across a secured connection (https/SSL), because the auth data is sent in the clear, and your users will use the same password for the intranet as for their other work accounts, no matter how many times you tell them not to.

Also make SURE that .htpassword is somewhere that isn't in the document root... but you knew that, right?

bright77blue, I know that you mean well, and I'm sure that you've been asked to do this by someone with much more authority who doesn't want to spend any money to do it, but it's a really bad idea, and it could very easily come back to bite your company and you personally in the ass.

Again, I urge you to do this via VPN. Securing private data is not something to be taken lightly, and once data is leaked, it's out -- you'll never be able to put it back in again. Hope that's something that you, your bosses, and everyone with data on that intranet is comfortable with.
posted by toxic at 5:37 PM on September 20, 2006
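
The Satisfy behaviour described in the answer above, modelled as a small added example (not code from the thread or from Apache): it evaluates Order/Allow/Deny together with `require valid-user` for Apache 2.0/2.2-style directives and shows why the host rules must default to deny. Function names and the sample client addresses are constructed for illustration; only the `allow,deny` and `deny,allow` orders are modelled.

```python
import ipaddress

def host_matches(spec, addr):
    """True if the client address matches one 'Allow from' / 'Deny from' value."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR form such as 10.20.30.0/24
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    # Partial address: compare whole octets, so 10.20.3 does not match 10.20.30.x
    want = spec.rstrip(".").split(".")
    return addr.split(".")[:len(want)] == want

def host_check(order, allow, deny, addr):
    """Result of the Order/Allow/Deny rules for one client address."""
    allowed = any(host_matches(s, addr) for s in allow)
    denied = any(host_matches(s, addr) for s in deny)
    if order == "allow,deny":   # default is deny, and Deny overrides Allow
        return allowed and not denied
    if order == "deny,allow":   # default is allow, and Allow overrides Deny
        return allowed or not denied
    raise ValueError(f"unsupported Order: {order}")

def access(addr, valid_user, order="deny,allow", allow=(), deny=(), satisfy="any"):
    """Outcome of a request to an area that also has 'Require valid-user'."""
    host_ok = host_check(order, allow, deny, addr)
    if satisfy == "any":
        return "granted" if (host_ok or valid_user) else "password required"
    if not host_ok:
        return "forbidden"
    return "granted" if valid_user else "password required"

# Constructed sample clients: one inside 10.20.30.0/24, one outside it.
INSIDE, OUTSIDE = "10.20.30.7", "203.0.113.9"
NO_ORDER = dict(allow=("10.20.30",))                        # Order left at its default
DENY_BY_DEFAULT = dict(order="allow,deny", allow=("10.20.30",))

if __name__ == "__main__":
    for name, cfg in (("no Order line", NO_ORDER), ("Order allow,deny", DENY_BY_DEFAULT)):
        for addr in (INSIDE, OUTSIDE):
            print(f"{name:17} {addr:12} no login -> {access(addr, False, **cfg)}")
```

With no Order line the outside client is granted access without logging in; with `Order allow,deny` it is asked for a password, while the inside client still gets in directly.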

