Re: CGI IP Based Security

Do you have access to the webserver configuration? Like being able to tell apache via httpd.conf to ..

Order Deny,Allow
Deny from all
Allow from myservername.here.com
Allow from localhost
[download]

Would seem to obviate the need for any IP sec logic in your code

Update:Of course if you MUST do it with the script, for instance to display a 'friendly' warning rather than a 500 Forbidden, using the CGI query object from CGI.pm you can...

my $q = CGI->new();
my $remote_host = $q->remote_host();
[download]

I can't believe it's not psellchecked

Comment on Re: CGI IP Based Security Select or Download Code

Replies are listed 'Best First'.
Re: Re: CGI IP Based Security by sgifford (Prior) on Jun 24, 2003 at 07:08 UTC
You can also frequently do this from a `.htaccess` file. The `Allow from localhost` type stuff mentioned above, that is...	[reply]
Re: Re: CGI IP Based Security by devslashneil (Friar) on Jun 24, 2003 at 03:06 UTC
I am not the admin of this box. I have root access but /etc/apache/http.conf does not exist, which leaves me stumped on web configuration. /etc/apache/http.conf.example exists however and apache is the running webserver. As a matter of interest it would be nice to know how to impliment IP checks in CGI anyway. :) Neil Archibald - /dev/IT -	[reply]
Re: Re: Re: CGI IP Based Security by devslashneil (Friar) on Jun 24, 2003 at 03:33 UTC
By printing out the value of $remote_host i've realized that this method will be fine when i initially run the script GETing data from the trusted IP. However, when the script calls itself (e.g a "next page" button to browse data) The $remote_host is set to the user, and the user is unable to progress. Is there any way for the script to detect how it has been called. e.g If it has passed GET data to itself, or if the GET data came from somewhere else? Thanks submersible_toaster for all your help so far :) Neil Archibald - /dev/IT -	[reply]
Re: Re: Re: Re: CGI IP Based Security by submersible_toaster (Chaplain) on Jun 24, 2003 at 05:09 UTC
Maybe I have misunderstood your question. Are you saying that $remote_host is correct upon the first invocation of the script. But subsequently linked invocations it is set to a username? If it is a qualified hostname instead of an IP address , then I understand but a username?? I am not sure I can think of how to mess with that part of the environment with a GET request. Could you post code that demonstrates the problem? I can't believe it's not psellchecked	[reply]
Re: Re: Re: Re: Re: CGI IP Based Security by devslashneil (Friar) on Jun 24, 2003 at 05:55 UTC
Re: Re: Re: Re: CGI IP Based Security by CountZero (Bishop) on Jun 24, 2003 at 05:50 UTC
Try adding a hidden parameter to your script: set it to a pre-determined value when the script invokes itself and check in the beginning of the script if this parameter is set to that value. Warning! This is not very secure as anyone able to determine the correct value of that parameter wil now have access to your script. As you can only find that value by coming from the trusted IP, the risk is probably rather low, but stil ... CountZero "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law	[reply]