Hello!

I am trying to setup a way to authenticate users by more than just password on my Apache reverse proxy server. I am wondering how websites like banks are able to determine if you have previously used a certain computer to access the website, even if your router's IP address may have changed and your system's cookies have been cleared. I have users that need to access our HTTP intranet from outside locations. Those locations will have dynamic IP addresses most of the time, so I can't just "allow from [ip]" in my Apache proxy configuration. Originally we considered a VPN, but determined that a VPN will be overkill to access just an internal website, since we do not want external users to have permission to the rest of the network, only the website.

I currently have it working over HTTPS with basic authentication against an internal LDAP server, but I want a little more security for such an important website.

crappy diagram:
[user]-->(internet via https)-->[apache gateway]-->(intranet)-->[http server]

Any help will be greatly appreciated.

For authentication http/https I user squid as reverse proxy.

Is a powerful tool because it allows me this authentication for each application/url.
- Username/password.
- SSO. NTLM/kerberos. Automatic user detection from Navigator.
- Certificate. Including certificate in SmartCard.
And you can authenticate against a LDAP, Active Directory, Database or where you like creating your own scripts.
Is possible to rewrite url, cache contents,...
Take a look a squid-cache.org

well 99.9% of the bank sites relay on the cookies as much as any other website that provide a personalized content to the user.
i don't think that there is another way to do it.


you may wish to have look at the below articles:

http://httpd.apache.org/docs/1.3/howto/auth.html

http://www.yolinux.com/TUTORIALS/Lin...rotection.html

I use squid for other systems in the office, but it seems like Apache can handle the proxying part just fine, and the gateway already has Apache installed for other reasons, so it's not taking on a new role, like it would if I installed squid.

They've gotta be using something besides cookies. I've logged into my bank account with my laptop at home, and then brought it to work and tried logging in again. The first time I log in from a new location (work), it usually tells me something like "We don't recognize the computer you are logging in from." and requires me to specify some extra authentication in order to log in from the new location, usually the "security" question and also my password, instead of just my password. It's the same computer, and the cookie still exists on the hard drive, but because the request is coming from a completely different network, it requires further authentication. Now, if I am still at home, but I turn off my DSL modem for a few hours and reconnect, getting a new IP address from the ISP in the process, it does not tell me it's an unrecognized computer, even if I clear the cookies. It must be saving something about my ISP in their database, but not specifically my IP address.

I was hoping to implement something similar with Apache, but now that I think about it, it might be a custom solution they have written in their software instead of on the server configuration side of things.