Restricting a staging server - apache

I am thinking of methods to restrict public users from accessing sites on our staging server. The best method I can think of at the moment is to use:
Deny from all
Allow IP Addresses
If I add this to vhost configuration then it will do what I need.
Are there any better ways of doing this? If I added our work-based IP address to each vhost configuration and then the IP address was changed for any reason, it would be pretty annoying to modify each one.
Also, some of the sites have test order information on them. Is this a secure method for doing this?
Thanks in advance,
Ian

Since an IP address can be spoofed, this is not 100% secure. You may want to look at adding basic authentication, where you can manage users and passwords rather than IP addresses (you may be able to leverage an existing identity system, e.g. LDAP, to make this easier).
Looking beyond that, you may want to look at Chef or Puppet to automate the management of your users.
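
One way to combine the two ideas above, as an added example that is not part of the original question or answer: the allowed addresses and the basic-auth settings live in one shared file that every staging vhost includes, so an address change is a single edit. It assumes Apache 2.4 with mod_ssl (the 2.2 equivalents are `Order`/`Deny`/`Allow` with `Satisfy all`); the file paths, host name and addresses are hypothetical.

```apache
# --- /etc/apache2/staging-access.conf (hypothetical path, one copy for all vhosts) ---
# Apache 2.4 syntax. A request must come from a listed address AND carry a valid login.
AuthType Basic
AuthName "Staging"
AuthBasicProvider file
# Password file created with: htpasswd -c /etc/apache2/staging.htpasswd <user>
AuthUserFile /etc/apache2/staging.htpasswd
<RequireAll>
    # Constructed example addresses (documentation ranges); replace with the office ranges.
    Require ip 203.0.113.10 198.51.100.0/24
    Require valid-user
</RequireAll>

# --- In each staging vhost: include the shared policy instead of repeating addresses ---
<VirtualHost *:443>
    ServerName shop.staging.example.test
    DocumentRoot /var/www/shop
    # Basic auth sends the password with every request, so serve it over TLS only.
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/staging.example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/staging.example.test.key
    # Location sections are merged last, so this policy overrides any
    # "Require all granted" set on the document root directory.
    <Location "/">
        Include /etc/apache2/staging-access.conf
    </Location>
</VirtualHost>
```

After editing the shared file, `apachectl configtest` followed by `apachectl graceful` applies the change to every vhost that includes it.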

Related

How do you take a website off of the internet?

How do you take a website off of the internet? I have been tasked by my local golf club to remove their old website, but I'm not sure how to do it.
I know the IP address, but I don't know where to start to take the site down.
Two suggestions:
Probably the quickest and easiest is to change your DNS. You will need to know the DNS provider so you can change the address it points to.
If you don't want to do that, find the FTP address and password and delete all the files. My FTP client of choice is https://filezilla-project.org/ . I'd take a local copy first in case they want it back. The address might be ftp.[mysite.tld] depending on the hosting.
If you are really stuck, talk to the hosting provider. You can get some info about the hosting from a whois lookup on the IP address: https://who.is/

Create a custom proxy server app

A friend of mine asked me this, and I had not much of an idea about it.
So, here I am asking you:
A custom application that works like a proxy server (not the complete version of it), i.e. the app allows you to specify some websites that the users of the network can visit in their client browsers.
I have some idea that this functionality is built into a proxy server and that we can use Apache as a proxy server, but I don't know how to do it.
Can I develop such an application in Java, Ruby, or .NET? Because that would allow me to use a database to maintain the list of allowed and blocked websites, and I could provide an easier UI to add or modify data.
Help me, I am quite confused.
Any proxy server has this functionality. For example, using Squid, you can set it to deny any requests by default and only allow specific sites. However, if that's the only goal, you may want to consider denying requests to port 80 and only allowing specific IP ranges in your firewall instead.
Both options work though. The firewall option is faster and cannot be bypassed by the browser, but is less dynamic (DNS resolving only happens on rule start/reload) and may allow more sites than intended if one IP hosts more than one site.
You should probably ask your friend what his/her non-technical goals are. Like "I don't want my daughter to surf porn" rather than "I need an app that blocks sites".

Domain Name Server on Windows for locally hosted websites

I have a half-dozen domains (with associated domain names), hosted locally on Windows/Apache and accessible to the wider internet. At the moment, the name servers are provided by my domain name registrar at extra cost. I would like to host a domain name service (on the same machine that is hosting the websites).
I have tried BIND without success, I was unable to configure it correctly. I was confused about zones and the syntax of configuration, as well as how to test if it is configured correctly!
Most guides seem directed at users who wish to replicate DNS entries for local caching, whereas I simply want to host a name server (locally) which directs users to my local machine, when they request any of the half-dozen websites I host.
Is there a simple application to host a limited Domain Name Service on Windows (Vista Business), or an obvious tutorial that I haven't found yet? Or was I on the right track with BIND and missing something?
BIND is probably the best choice. The guides you're referring to are talking about configuring a caching resolver. What you want is an authoritative name server. BIND can be a pain to configure because there are so many options, but it's probably worth persevering.
Depends what your budget is.
The DNS Server on Windows 2003 Server is pretty good and easy to configure.
There's a bunch of alternatives listed here:
http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
Simple DNS Plus could maybe do the trick for your case, but I haven't tried it.
Another option is maybe to use BIND and try to find a GUI for it; there are a few existing ones, usually web-based, like Webmin and such...

Can I use IP addresses to limit API access

I have a mini API that is only for an app I have built. The API service is on a separate domain to my app. I make jsonp calls to it and receive json in return.
Therefore I only want my app to be able to access it. Can I just list a series of IP addresses for my app and allow them? Is there a better way to stop requests from anyone else to my API?
The best way to implement IP-based filtering would be at the web-server level. Here's a brief introduction to access control with Apache, if that happens to be your web server.
If the IP stays the same throughout time, yes, this is a valid idea. Another way would be with an ID and a key, if you expect further usage from other (dynamic) IP addresses.
What operating system is the API service running on? If it's Linux, look into iptables to only allow a certain IP to access a specific port.
Honestly, I wouldn't go with an IP-based solution. While it may work in the short term, it will make things hard in the future. For example, what if your IP provider decides to do a reset? Most likely (unless you have explicitly established the need for a static IP with your provider) your IP will change. Then your program will error and you won't know why (or worse, you won't know that a computer is now disconnected). Furthermore, if you want to add machines, think about managing 1000 IPs... yikes! The 'right' way of doing this would be to authenticate the machines using some other scheme (user/pass, PKI, etc.)

Unique identification of a certain computer

I have the following scenario and can't seem to find anything on the net, or maybe I am looking for the wrong thing:
I am working on a web-based data storage system. There are different users and different places, and only certain users are allowed to access certain parts of the system. Now, we do not want them to connect to these parts from home or with a different computer than the one they are using at their workplace (there are different reasons for that).
Now my question is: if there is a way to have the workplace PC identify itself to the server in some way over the browser, how can I do that?
Oh, and yes, it is supposed to be web-based.
I hope I explained it so everyone understands.
Thanks for your replies in advance.
... dg
I agree with Lenni... IP address is a possible solution if they are static or the DHCP server consistently assigns the same IP address to the same machine.
Alternatively, you might also consider authentication via "personal certificates" ... that's what they are referred to in Firefox, don't know if that's the standard name or not. (Obviously I haven't worked with these before.)
Basically they are SSL or PKI certificates that are installed on the client (user's) machine that identify that machine as being the machine it says it is -- that is, if the user tries to connect from a machine that doesn't have a certificate or doesn't have a certificate that you allow, you would deny them.
I don't know the issues around this ... it might be relatively easy for the same user to take the certificate off one computer and install it on another one with the correct password (i.e. it authenticates the user), or it might be keyed specifically to that machine somehow (i.e. it authenticates the machine). And a quick Google search didn't turn up any obvious "how to" instructions on how it all works, but it might be worth looking into.
---Lawrence
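
The client-certificate approach described in the answer above, as an added example that is not part of the original post: the server accepts only browsers presenting a certificate issued by a private workstation CA, and one path is further limited to named workstations. It assumes Apache 2.4 with mod_ssl; the host names, paths and certificate common names are hypothetical.

```apache
<VirtualHost *:443>
    ServerName storage.example.test
    DocumentRoot /var/www/storage

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/storage.example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/storage.example.test.key

    # Trust only the private CA that issues the workstation certificates.
    SSLCACertificateFile /etc/ssl/workstation-ca.crt
    # Certificates must be issued directly by that CA (no intermediates).
    SSLVerifyDepth 1
    # The TLS handshake fails unless the browser presents a certificate
    # that chains to the CA above.
    SSLVerifyClient require

    # Any workstation with a valid certificate may use the general area.
    <Location "/">
        Require all granted
    </Location>

    # Only the named workstations may reach the restricted part.
    # mod_ssl exposes the verified subject CN as SSL_CLIENT_S_DN_CN.
    <Location "/restricted/">
        Require expr "%{SSL_CLIENT_S_DN_CN} in {'ws-017.example.test', 'ws-022.example.test'}"
    </Location>
</VirtualHost>
```

The certificate proves possession of its private key, so how tightly it is bound to one workstation depends on how that key is stored there, for example whether it is marked non-exportable or held in a hardware token.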
Since you're going web based you can:
Examine the remote host's IP Address (compare it against known internal subnets, etc)
During the authentication process, you can ping the remote IP and take a look at the TTL on the returned packets; if it's too low, then the computer can't be from the local network. (Of course this can be broken, but it's just 1 more thing.)
If you're doing it over IIS, then you can integrate into SSO (probably the best if you can do it)
If it's supposed to be web-based (and by that I mean that the web server should be able to uniquely identify the user's machine), then your choices are limited: per se, there's nothing you can obtain from the browser's headers or request body that allows you to identify the machine. I suppose this is by design, due to the obvious privacy implications.
There are choices though, none of which is pain-free: you could use an ActiveX control, which however only runs on Windows (and not on all browsers I think) and requires elevated privileges. You could think of a Firefox plug-in (obviously Firefox only). At any rate, a plain-vanilla browser will otherwise escape identification.
There are only a few REAL solutions to this. Here are a couple:
Use domain authentication, and disallow users who are connecting over a VPN.
Use known IP ranges to allow or disallow access.
IP address. Not bombproof security but a start.