By escoles on
Is there a way to permit access to a page based on the IP address of the user?
My client has expressed a requirement to bar anyone from logging in unless they have a specific IP address.
The site must be publicly accessible, and will be using Ubercart.
I'm aware of the "Restrict Login Access by IP Address" module, but that doesn't seem to really stop people from logging in -- it just automatically logs them out right after they login, by redirecting to a new URL. Users can still access the login page. It can be disabled by interrupting that workflow. I'm 90% sure my client is going to balk at that and would rather know my options before I get into that discussion with them.
Comments
Use the solution you suggested
Please see this article:
http://rewindlife.com/2004/04/20/remote_addr-and-remote_host-not-safe-fo...
If the client wants more security than what you proposed, then you should have him configure his firewall to block his Drupal instance from foreign IPs. If there are other services on the same machine that should -not- be blocked, you could set up Apache to listen on another port, and move Drupal there.
Greg, thanks for the pointer.
Greg, thanks for the pointer. It's useful information, and something I suspected. I'm not sure I understand what you're suggesting -- the article seems to be arguing that restricting access by IP is pointless, and I hadn't really expressed a view on what I thought they should do. (Personally I didn't think it was a cost-effective effort.)
Blocking by environment variables vs. blocking by IP address
escoles,
I would not go so far as to say that blocking by IP is pointless; it does add some security to the system, as the attacker must know what IP address to forge in order to get in. If the attacker can observe valid traffic to your site, though, the IP addresses being used can be determined, so this is "security by obscurity", but it does add some value.
[irrelevant ramblings deleted in favor of post below]
- Greg
I just had a brilliant idea for you
First, let me explain a solution that is easy to understand, but doesn't quite work.
This is brilliant because it is simple to set up and it is completely secure. Its only flaw is that it doesn't allow unauthenticated users to use https. Ubercart users might need https. If your payment system goes to another site (e.g. PayPal) for the secure transactions, then you're done.
If you want to allow anonymous users to use https, I have another solution that is a little harder to understand, but still not too hard to set up. You can probably figure it out by yourself from the above hint (hint 2: use two virtual host configuration files with the same document root, run them on different ports, and include different rewrite rules in each. Block the port the second instance is running at via the firewall and leave the first on port 80/443 unblocked).
I'll be more verbose if necessary.
- Greg
Thanks for the followup. As
Thanks for the followup. As I'd hoped, my requirement to do this has gone away, but it's good information and I'm sure it will also be useful to others.
Good deal. I'm not 100% sure
Good deal.
I'm not 100% sure that Apache, at least, is vulnerable to environment-variable spoofing as described in the above article from 2004, but I haven't had a chance to try it myself yet.
Restricting access to a page by IP address
We've come up against this same problem for a client.
The best solution we found was to:
- create a new content type called 'secure_page'
- then we could create a new node template:
- place a new file in your template folder called 'node-secure_page.tpl.php'
- edit the file with a text editor and add the following code:
print $node->body;} else {}
When we go live with this we are going to change it slightly to add an 'email us here with this reference number' ... the reference number will be a subtle representation of their IP address, so we know what to add if we agree with their request.
Also we will be adding wildcards to the IP lookup, allowing a greater level of flexibility.
However at the moment all our users come from behind the same firewall so this quick and easy approach was one we could roll out quickly and easily.
Hope that helps.
The ChilledWeb team
www.chilledweb.com
Thanks a lot chilledweb for
Thanks a lot chilledweb for the above code. I just tried to implement it, but every time it shows me this message: "This is a secure page and can not be viewed from your location. Apologies for any inconvenience." Maybe I have the wrong IP for my machine, but I verified my IP address from http://www.whatismyip.com/ and I still get the same message, even on my own machine. Please advise!
Thanks
ip address vs. ip range
Another thanks to chilledweb -- I was able to get that solution to work right off the bat, but what I needed was to allow an entire ip range. I already had cobbled this code together (actually not sure where the source came from anymore) and had it in place elsewhere on my site, so all I had to do was pretty much copy and paste.
What it does is call the start and end ip of the specified range, as well as the ip of the user, convert them all to numeric values, and compare them. If the user's ip is within the range, it prints the content, otherwise, it prints the restriction notice.
I wanted to keep my page theme, so instead of replacing the entire node body, I inserted my script in the content div of my page, and used it to replace the standard print $content; command.
Replace x's with the start and end of your ip range
Hope this helps others.
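
The range comparison described in the post above, written out as an added example (not the poster's script, which is not preserved on this page). It uses inet_pton() and a byte-wise comparison instead of integer conversion, so it also handles IPv6 and fails closed on malformed input; the function names and the 192.0.2.10 to 192.0.2.50 range are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. All addresses below are
// constructed samples from the documentation ranges (RFC 5737 / RFC 3849).

// TRUE if $ip lies between $start and $end inclusive. inet_pton() gives a
// fixed-length binary string (4 bytes IPv4, 16 bytes IPv6); strcmp() on two
// strings of equal length orders them the same way as the numeric values.
function ip_in_range($ip, $start, $end) {
  $bin = array();
  foreach (array($ip, $start, $end) as $addr) {
    $packed = is_string($addr) ? @inet_pton($addr) : FALSE;
    if ($packed === FALSE) {
      return FALSE; // Unparsable input: fail closed.
    }
    $bin[] = $packed;
  }
  // Never compare an IPv4 address against IPv6 bounds, or the reverse.
  if (strlen($bin[0]) !== strlen($bin[1]) || strlen($bin[1]) !== strlen($bin[2])) {
    return FALSE;
  }
  return strcmp($bin[0], $bin[1]) >= 0 && strcmp($bin[0], $bin[2]) <= 0;
}

// What the template prints for a given visitor address (hypothetical helper).
function restricted_output($content, $remote_addr) {
  if (ip_in_range($remote_addr, '192.0.2.10', '192.0.2.50')) {
    return $content;
  }
  return 'This is a secure page and can not be viewed from your location.';
}

// In a template: print restricted_output($content, $_SERVER['REMOTE_ADDR']);
// REMOTE_ADDR is the TCP peer address. Request headers such as
// X-Forwarded-For are chosen by the client and are not consulted here.
$samples = array('192.0.2.10', '192.0.2.37', '192.0.2.51', '2001:db8::1', 'not-an-ip', '');
foreach ($samples as $addr) {
  printf("%-12s => %s\n", $addr === '' ? '(empty)' : $addr,
    ip_in_range($addr, '192.0.2.10', '192.0.2.50') ? 'allowed' : 'denied');
}
```

A check placed in a template runs at render time, so it only governs what that template prints. If the site sits behind a reverse proxy, REMOTE_ADDR will be the proxy's address and the comparison needs the proxy's own trusted client-address setting instead.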