LinuxQuestions.org
08-13-2010, 01:52 PM   #1
wej
LQ Newbie
 
Registered: Aug 2010
Distribution: Ubuntu/CentOS/Gentoo
Posts: 3

Rep: Reputation: 0
Authenticate users to Apache by host/ISP and password


Hello!

I am trying to set up a way to authenticate users by more than just password on my Apache reverse proxy server. I am wondering how websites like banks are able to determine if you have previously used a certain computer to access the website, even if your router's IP address may have changed and your system's cookies have been cleared. I have users that need to access our HTTP intranet from outside locations. Those locations will have dynamic IP addresses most of the time, so I can't just "allow from [ip]" in my Apache proxy configuration. Originally we considered a VPN, but determined that a VPN will be overkill to access just an internal website, since we do not want external users to have permission to the rest of the network, only the website.

I currently have it working over HTTPS with basic authentication against an internal LDAP server, but I want a little more security for such an important website.

crappy diagram:
[user]-->(internet via https)-->[apache gateway]-->(intranet)-->[http server]

Any help will be greatly appreciated.
 
08-13-2010, 02:05 PM   #2
Felipe
Member
 
Registered: Oct 2006
Posts: 294

Rep: Reputation: 31
For HTTP/HTTPS authentication I use Squid as a reverse proxy.

It is a powerful tool because it allows me this authentication for each application/URL:
- Username/password.
- SSO. NTLM/Kerberos. Automatic user detection from Navigator.
- Certificate. Including certificate in SmartCard.
And you can authenticate against an LDAP, Active Directory, database, or wherever you like by creating your own scripts.
It is possible to rewrite URLs, cache contents, ...
Take a look at squid-cache.org
 
08-13-2010, 02:20 PM   #3
engtmk
LQ Newbie
 
Registered: Aug 2010
Location: Egypt
Distribution: Cetnos
Posts: 9

Rep: Reputation: 1
Quote:
I am wondering how websites like banks are able to determine if you have previously used a certain computer to access the website, even if your router's IP address may have changed and your system's cookies have been cleared
Well, 99.9% of bank sites rely on cookies, as much as any other website that provides personalized content to the user.
I don't think that there is another way to do it.


Quote:
I currently have it working over HTTPS with basic authentication against an internal LDAP server, but I want a little more security for such an important website.
You may wish to have a look at the articles below:

http://httpd.apache.org/docs/1.3/howto/auth.html

http://www.yolinux.com/TUTORIALS/Lin...rotection.html
 
08-13-2010, 03:30 PM   #4
wej
LQ Newbie
 
Registered: Aug 2010
Distribution: Ubuntu/CentOS/Gentoo
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Felipe
For HTTP/HTTPS authentication I use Squid as a reverse proxy.
I use squid for other systems in the office, but it seems like Apache can handle the proxying part just fine, and the gateway already has Apache installed for other reasons, so it's not taking on a new role, like it would if I installed squid.

Quote:
Originally Posted by engtmk
Well, 99.9% of bank sites rely on cookies, as much as any other website that provides personalized content to the user.
I don't think that there is another way to do it.
They've gotta be using something besides cookies. I've logged into my bank account with my laptop at home, and then brought it to work and tried logging in again. The first time I log in from a new location (work), it usually tells me something like "We don't recognize the computer you are logging in from." and requires me to specify some extra authentication in order to log in from the new location, usually the "security" question and also my password, instead of just my password. It's the same computer, and the cookie still exists on the hard drive, but because the request is coming from a completely different network, it requires further authentication. Now, if I am still at home, but I turn off my DSL modem for a few hours and reconnect, getting a new IP address from the ISP in the process, it does not tell me it's an unrecognized computer, even if I clear the cookies. It must be saving something about my ISP in their database, but not specifically my IP address.

I was hoping to implement something similar with Apache, but now that I think about it, it might be a custom solution they have written in their software instead of on the server configuration side of things.

Last edited by wej; 08-13-2010 at 03:32 PM.
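
The behaviour described in the post above (a new IP address from the same ISP is accepted with the password alone, while a different network triggers an extra question) can be sketched as application-side logic. This is an added example, not part of the original thread and not any bank's actual method; the prefix table, ISP labels, user name and the `LoginPolicy` class are constructed for illustration, and `ip` is assumed to be the client address as seen by the gateway.

```python
import ipaddress

# Constructed prefix-to-ISP table using documentation address ranges; a real
# deployment would use a routing (ASN) or GeoIP database instead.
ISP_PREFIXES = {
    "198.51.100.0/24": "home-dsl-isp",
    "203.0.113.0/24": "office-isp",
}


def isp_for(ip):
    """Return the ISP label for an address, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for prefix, isp in ISP_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return isp
    return None


class LoginPolicy:
    """Tracks which ISPs each user has already logged in from (hypothetical)."""

    def __init__(self):
        self.known = {}  # username -> set of ISP labels

    def required_factors(self, user, ip):
        isp = isp_for(ip)
        # An unmapped address is never treated as recognized.
        if isp is not None and isp in self.known.get(user, set()):
            return ["password"]
        return ["password", "security_question"]

    def record_success(self, user, ip):
        """Call only after every required factor has been verified."""
        isp = isp_for(ip)
        if isp is not None:
            self.known.setdefault(user, set()).add(isp)


def demo():
    policy = LoginPolicy()
    steps = [policy.required_factors("alice", "198.51.100.10")]      # first login at home
    policy.record_success("alice", "198.51.100.10")
    steps.append(policy.required_factors("alice", "198.51.100.77"))  # new IP, same ISP
    steps.append(policy.required_factors("alice", "203.0.113.5"))    # laptop taken to work
    return steps


if __name__ == "__main__":
    for factors in demo():
        print(factors)
```

The decision keys on the network rather than on a cookie or an exact address, which matches what the poster observed; an address that maps to no known ISP always gets the step-up path.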
 
  

