cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: Cosign or IP-based access control
On Jan 18, 2005, at 11:33 PM, Jim Zajkowski wrote:

> I'll give it a whirl when I get a chance.

Well I wasn't quite able to get it to work using AuthType Cosign and
Require valid-user under Apache 2; it continually gave me this error:

    configuration error: couldn't check user. No user file?

I already have stuff plugged into Apache 2, not to mention that it is
vendor supplied, so downgrading to 1.3 to try it was not what I wanted
to spend the rest of the day on.

Instead I resorted to that Swiss Army knife of Apache, mod_rewrite.
Note that our intranet is being served by a local Zope/Plone install;
some variation would be required for other setups.

# if they are building-local, let them in
# (patterns anchored with ^ so only addresses that start with these prefixes match)
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^141\.211\.182\. [OR]
RewriteCond %{REMOTE_ADDR} ^141\.211\.183\. [OR]
RewriteCond %{REMOTE_ADDR} ^141\.211\.74\.
RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/intranet.lsi.umich.edu:443/intranet.lsi.umich.edu/VirtualHostRoot/$1 [P]

# if not, hand them to cosign
RewriteRule ^/(.*) /cosign/$1 [PT]

# auth to cosign
<Location /cosign/>
  Options FollowSymLinks
  CosignProtected On
  RewriteEngine On
  # deny cosign friends
  RewriteCond %{ENV:REMOTE_REALM} friend
  RewriteRule ^/(.*) /$1 [F,L]
  # otherwise rewrite them to the intranet
  RewriteRule ^/var/www/html/intranet/(.*) http://127.0.0.1:8080/VirtualHostBase/https/intranet.lsi.umich.edu:443/intranet.lsi.umich.edu/VirtualHostRoot/$1 [P]
</Location>

--Jim
--
Jim Zajkowski OpenPGP 0x21135C3 http://www.jimz.net/pgp.asc
System Administrator 8A9E 1DDF 944D 83C3 AEAB 8F74 8697 A823 2113 5C53
UM Life Sciences Institute
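
The following is an added example, not part of the original message: a Python model of the building-local RewriteCond chain on REMOTE_ADDR, comparing an unanchored `prefix\.*` search pattern and an anchored `^prefix\.` pattern against membership in the three networks. Treating each three-octet prefix as a /24 is an assumption, and the sample addresses are constructed.

```python
import ipaddress
import re

# The three building prefixes from the message's RewriteCond lines.
PREFIXES = ["141.211.182", "141.211.183", "141.211.74"]

# Two pattern shapes for the same prefixes.
UNANCHORED = [re.compile(re.escape(p) + r"\.*") for p in PREFIXES]
ANCHORED = [re.compile("^" + re.escape(p) + r"\.") for p in PREFIXES]
# Assumption: each three-octet prefix stands for a /24 network.
NETWORKS = [ipaddress.ip_network(p + ".0/24") for p in PREFIXES]


def cond_chain(patterns, remote_addr):
    """Evaluate RewriteCond lines joined by [OR]: true if any pattern is found.

    mod_rewrite conditions are regex searches, not full matches, so
    re.search is the equivalent call.
    """
    return any(p.search(remote_addr) for p in patterns)


def in_networks(remote_addr):
    """Reference answer: is the address inside one of the three networks?"""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in NETWORKS)


def route(patterns, remote_addr):
    """Mirror the two top-level rules: local clients are proxied, others go to cosign."""
    return "proxy" if cond_chain(patterns, remote_addr) else "cosign"


def disagreements(patterns, addresses):
    """Addresses where the regex chain and the network check differ."""
    return [a for a in addresses if cond_chain(patterns, a) != in_networks(a)]


# Constructed sample client addresses (not taken from any log).
SAMPLES = [
    "141.211.182.17",  # inside 141.211.182.0/24
    "141.211.74.200",  # inside 141.211.74.0/24
    "141.211.75.9",    # neighbouring subnet, not listed
    "10.141.211.183",  # listed prefix appears later in the string
    "198.51.100.7",    # unrelated address
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a:16} unanchored={route(UNANCHORED, a):7} anchored={route(ANCHORED, a)}")
    print("unanchored differs on:", disagreements(UNANCHORED, SAMPLES))
```

Any address on which the regex chain and the network check differ would be proxied to the intranet without passing through the /cosign/ location.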