lighttpd: whitelist some IPs while authenticating the rest

Here's the scenario: you have an office full of people that need access to a certain web app. Some of them probably have insecure passwords and you're too busy to worry about the latest security holes in your web-app. Slow down attackers by allowing your office IP addresses in while denying the open web access until they put in a simple group password.

In other words, this post walks you through having lighttpd allow some IP addresses in (and authenticating with your web app) and others to have to authenticate with mod_auth first, then the web app.

These instructions were tested on Debian Lenny:
  • First Enable the authentication module:
    lighttpd-enable-mod auth
  • Create the password file, the format is username:password
    vim /etc/lighttpd.user
    Make the password file owned by the webserver user:
    chown www-data:www-data /etc/lighttpd.user
  • Configure the auth module:
    vim /etc/lighttpd/conf-enabled/05-auth.conf
    * Comment out the auth.backend = "plain" line
    * Comment out the auth.backend.plain.userfile = .... line
    * Change the auth.backend.plain.userfile file to the one you created above, /etc/lighttpd.user
  • Finally, have all IPs authenticated, except for the IP1 and IP2 (add more separated by pipes) by adding the following to /etc/lighttpd/lighttpd.conf:

    $HTTP["remoteip"] !~ "IP1|IP2" {
    auth.require = ( "" =>
    (
    "method" => "basic",
    "realm" => "Employees Only!",
    "require" => "user=username"
    )
    )
    }

    Note: you can't use hostnames, only IPs
  • Reload lighttpd and you're done!


Comments

Post a Comment

Popular posts from this blog

Dealing with Nested Documents in MongoDB and Talend (aka Baking a Cake)

Image
Abstract: MongoDB is a very popular document database that gives you a huge amount of flexibility when it comes to storing data. On the other hand, the traditional relational model is far less flexible in how data is stored - you're limited to columns and rows. Sometimes you want to go from a flexible model like MongoDB to a relational one, that's what this post attempts to explain using  Talend / JaspersoftETL  (ETL tools). I do not want to get into the relational vs non-relational model argument in this post - it's only an example if you need to do this for some reason...I'm pro choice :) Scenario: We have a JSON document in MongoDB that looks like this: { "id" : "0001", "type" : "donut", "name" : "Cake", "ppu" : 0.55, "batters" : { "batter" : [ ...
Read more

Add sbin to user PATH in Debian

Debian does not add sbin to your path by default. I have no idea why. I know sbin is supposed to be administrative tools that you would only want to run as root, however, there are some useful ones that don't require root, and even if they need root, why hide them from useful tools like auto complete? Apparentely it's not a new disucssion - this Debian mailing list thread dates back to a decade ago! Regardless, I want it in my path - the easiest way that I've found is to modify the top of /etc/profile to remove the if statement that sets path if you're user id 0 (root) or not: Before: if [ "`id -u`" -eq 0 ]; then PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" else PATH="/usr/local/bin:/usr/bin:/bin:/usr/games" fi After: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" Save the file, log out and log back in and you're all set. Note that this affects all users on you...
Read more

Batch convert Asterisk GSM WAV files to mp3

Image
I am working on a fun project at work to provide web based visual voice-mail for a ticketing system. I realized Flash audio players are not able to play WAV files so had to work around that. Since users are also using voicemail files in other ways I can't just change the output format from Asterisk. The type of file that I'm working with is identifed with file ms0012.WAV as: msg0012.WAV: RIFF (little-endian) data, WAVE audio, GSM 6.10, mono 8000 Hz First I'll say that I found this post http://www.thiscoolsite.com/?p=73 but like some of the commenters I couldn't get the script to work. The author assumes some other format than Asterisk spits out by default. Lame would complain that Unsupported data format: 0x0031 The Tools Sox: http://sox.sourceforge.net/ Lame: http://lame.sourceforge.net/ So here's what I do: Convert GSM encoded wav to Microsoft PCM sox msg0012.WAV -s msg0012.wav Convert the PCM wav to mp3: lame msg0012.wav msg0012.mp3 And here's a script to...
Read more