Limitazione utenti in base ad ip address: Difference between revisions

From RVM Wiki
Jump to navigation Jump to search
← Older editNewer edit →
VisualWikitext
No edit summary
Line 1: Line 1:
E' possibile limitare l'uso di Squirrelmail 1.2.x a degli utenti elencati, specificando per ognuno la classe di ip da cui possono accedere.  
E' possibile limitare l'uso di Squirrelmail 1.2.x a degli utenti elencati, specificando per ognuno la classe di ip da cui possono accedere.  


(Procedura testata su RH8)
(Procedura testata su Debian Sarge)


== Plugin originale ==
== Plugin originale ==
Line 16: Line 16:


== Sorgente del Plugin modificato ==
== Sorgente del Plugin modificato ==
=== Debian Woody (Squirrelmail < 1.4) ===


Installare la versione modificata del plugin sovrascrivendo il file con questo:
Installare la versione modificata del plugin sovrascrivendo il file con questo:
Line 24: Line 26:
<nowiki>
<nowiki>
<?php
<?php
/* Version 1.1 */
/* Version 1.2 */
 
function squirrelmail_plugin_init_ip_users() {
  global $squirrelmail_plugin_hooks;
  global $login_username;
 
  $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}
 
function plugin_ip_users_login_verified() {
 
function IP_Match($network, $ip) {
  $ip_arr = explode("/",$network);
  $network_long=ip2long($ip_arr[0]);
 
  $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
  $ip_long=ip2long($ip);
 
  if (($ip_long & $mask_long) == $network_long) {
      return 1;
  } else {
      return 0;
  }
}
 
  global $squirrelmail_plugin_hooks;
  global $login_username;
 
  $valid_user=0;
  $file = fopen("../config/ip_users.php","r");
  for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
        $valid_user=1;
        $rete=substr($tmp, strpos($tmp, "|")+1);
        $indirizzo=getenv("REMOTE_ADDR");
        if (IP_Match($rete,$indirizzo)) {
              $valid_user++;
        }
      }
  }
  fclose($file);
  if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      error_username_password_incorrect();
      exit;
  }
}
?>
</nowiki>
</pre>
<small>
Scriptlet:
<pre><nowiki>cat > setup.php <<'EOFile'
<?php
/* Version 1.2 */


function squirrelmail_plugin_init_ip_users() {
function squirrelmail_plugin_init_ip_users() {
Line 71: Line 130:
         //      print("Network: $rete -  Address: $indirizzo \n<br>");
         //      print("Network: $rete -  Address: $indirizzo \n<br>");
       error_username_password_incorrect();
       error_username_password_incorrect();
      exit;
  }
}
?>
EOFile</nowiki></pre></small>
=== Debian Sarge (Squirrelmail >= 1.4) ===
Installare la versione modificata del plugin sovrascrivendo il file con questo:
<tt>/usr/share/squirrelmail/plugins/ip_users/setup.php</tt>
<pre>
<nowiki>
<?php
/* Version 1.3 */
function squirrelmail_plugin_init_ip_users() {
  global $squirrelmail_plugin_hooks;
  global $login_username;
  $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}
function plugin_ip_users_login_verified() {
function IP_Match($network, $ip) {
  $ip_arr = explode("/",$network);
  $network_long=ip2long($ip_arr[0]);
  $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
  $ip_long=ip2long($ip);
  if (($ip_long & $mask_long) == $network_long) {
      return 1;
  } else {
      return 0;
  }
}
  global $squirrelmail_plugin_hooks;
  global $login_username;
  $valid_user=0;
  $file = fopen("../config/ip_users.php","r");
  for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
        $valid_user=1;
        $rete=substr($tmp, strpos($tmp, "|")+1);
        $indirizzo=getenv("REMOTE_ADDR");
        if (IP_Match($rete,$indirizzo)) {
              $valid_user++;
        }
      }
  }
  fclose($file);
  if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      logout_error( _("Unknown user or password incorrect.") );
       exit;
       exit;
   }
   }
Line 77: Line 198:
</nowiki>
</nowiki>
</pre>
</pre>
<small>
Scriptlet:
<pre><nowiki>cat > setup.php <<'EOFile'
<?php
/* Version 1.3 */
function squirrelmail_plugin_init_ip_users() {
  global $squirrelmail_plugin_hooks;
  global $login_username;
  $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}
function plugin_ip_users_login_verified() {
function IP_Match($network, $ip) {
  $ip_arr = explode("/",$network);
  $network_long=ip2long($ip_arr[0]);
  $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
  $ip_long=ip2long($ip);
  if (($ip_long & $mask_long) == $network_long) {
      return 1;
  } else {
      return 0;
  }
}
  global $squirrelmail_plugin_hooks;
  global $login_username;
  $valid_user=0;
  $file = fopen("../config/ip_users.php","r");
  for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
        $valid_user=1;
        $rete=substr($tmp, strpos($tmp, "|")+1);
        $indirizzo=getenv("REMOTE_ADDR");
        if (IP_Match($rete,$indirizzo)) {
              $valid_user++;
        }
      }
  }
  fclose($file);
  if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      logout_error( _("Unknown user or password incorrect.") );
      exit;
  }
}
?>
EOFile</nowiki></pre></small>
== Attivazione del Plugin ==
Lanciare il programma di configurazione di Squirrelmail con:
/etc/squirrelmail/conf.pl
Attivare il plugin dal menù "Plugin"


== File di Configurazione ==
== File di Configurazione ==

Revision as of 19:45, 6 April 2005

E' possibile limitare l'uso di Squirrelmail 1.2.x a degli utenti elencati, specificando per ognuno la classe di ip da cui possono accedere.

(Procedura testata su Debian Sarge)

Plugin originale

Il Plugin originale permette di specificare un solo IP di provenienza per gli utenti, e non una classe di IP.

Homepage: http://www.squirrelmail.org/plugin_view.php?id=106

Prelevare il plugin ip_users e installarlo: 

cd /files/src
wget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fip_users.1.1-1.2.x.tar.gz 
cd /usr/share/squirrelmail/plugins/
tar xvzf /files/src/ip_users.1.1-1.2.x.tar.gz

Sorgente del Plugin modificato

Debian Woody (Squirrelmail < 1.4)

Installare la versione modificata del plugin sovrascrivendo il file con questo:

/usr/share/squirrelmail/plugins/ip_users/setup.php 


<?php
/* Version 1.2 */

function squirrelmail_plugin_init_ip_users() {
   global $squirrelmail_plugin_hooks;
   global $login_username;

   $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}

function plugin_ip_users_login_verified() {

function IP_Match($network, $ip) {
   $ip_arr = explode("/",$network);
   $network_long=ip2long($ip_arr[0]);

   $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
   $ip_long=ip2long($ip);

   if (($ip_long & $mask_long) == $network_long) {
       return 1;
   } else {
       return 0;
   }
}

   global $squirrelmail_plugin_hooks;
   global $login_username;

   $valid_user=0;
   $file = fopen("../config/ip_users.php","r");
   for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
         $valid_user=1;
         $rete=substr($tmp, strpos($tmp, "|")+1);
         $indirizzo=getenv("REMOTE_ADDR");
         if (IP_Match($rete,$indirizzo)) {
               $valid_user++;
         }
      }
   }
   fclose($file);
   if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      error_username_password_incorrect();
      exit;
   }
}
?>

Scriptlet: 

cat > setup.php <<'EOFile'
<?php
/* Version 1.2 */

function squirrelmail_plugin_init_ip_users() {
   global $squirrelmail_plugin_hooks;
   global $login_username;

   $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}

function plugin_ip_users_login_verified() {

function IP_Match($network, $ip) {
   $ip_arr = explode("/",$network);
   $network_long=ip2long($ip_arr[0]);

   $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
   $ip_long=ip2long($ip);

   if (($ip_long & $mask_long) == $network_long) {
       return 1;
   } else {
       return 0;
   }
}

   global $squirrelmail_plugin_hooks;
   global $login_username;

   $valid_user=0;
   $file = fopen("../config/ip_users.php","r");
   for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
         $valid_user=1;
         $rete=substr($tmp, strpos($tmp, "|")+1);
         $indirizzo=getenv("REMOTE_ADDR");
         if (IP_Match($rete,$indirizzo)) {
               $valid_user++;
         }
      }
   }
   fclose($file);
   if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      error_username_password_incorrect();
      exit;
   }
}
?>
EOFile

Debian Sarge (Squirrelmail >= 1.4)

Installare la versione modificata del plugin sovrascrivendo il file con questo:

/usr/share/squirrelmail/plugins/ip_users/setup.php 


<?php
/* Version 1.3 */

function squirrelmail_plugin_init_ip_users() {
   global $squirrelmail_plugin_hooks;
   global $login_username;

   $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}

function plugin_ip_users_login_verified() {

function IP_Match($network, $ip) {
   $ip_arr = explode("/",$network);
   $network_long=ip2long($ip_arr[0]);

   $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
   $ip_long=ip2long($ip);

   if (($ip_long & $mask_long) == $network_long) {
       return 1;
   } else {
       return 0;
   }
}

   global $squirrelmail_plugin_hooks;
   global $login_username;

   $valid_user=0;
   $file = fopen("../config/ip_users.php","r");
   for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
         $valid_user=1;
         $rete=substr($tmp, strpos($tmp, "|")+1);
         $indirizzo=getenv("REMOTE_ADDR");
         if (IP_Match($rete,$indirizzo)) {
               $valid_user++;
         }
      }
   }
   fclose($file);
   if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      logout_error( _("Unknown user or password incorrect.") );
      exit;
   }
}
?>

Scriptlet: 

cat > setup.php <<'EOFile'
<?php
/* Version 1.3 */

function squirrelmail_plugin_init_ip_users() {
   global $squirrelmail_plugin_hooks;
   global $login_username;

   $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}

function plugin_ip_users_login_verified() {

function IP_Match($network, $ip) {
   $ip_arr = explode("/",$network);
   $network_long=ip2long($ip_arr[0]);

   $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
   $ip_long=ip2long($ip);

   if (($ip_long & $mask_long) == $network_long) {
       return 1;
   } else {
       return 0;
   }
}

   global $squirrelmail_plugin_hooks;
   global $login_username;

   $valid_user=0;
   $file = fopen("../config/ip_users.php","r");
   for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
         $valid_user=1;
         $rete=substr($tmp, strpos($tmp, "|")+1);
         $indirizzo=getenv("REMOTE_ADDR");
         if (IP_Match($rete,$indirizzo)) {
               $valid_user++;
         }
      }
   }
   fclose($file);
   if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      logout_error( _("Unknown user or password incorrect.") );
      exit;
   }
}
?>
EOFile

Attivazione del Plugin

Lanciare il programma di configurazione di Squirrelmail con: 

/etc/squirrelmail/conf.pl

Attivare il plugin dal menù "Plugin"

File di Configurazione

Creare il file:

/usr/share/squirrelmail/config/ip_users.php 


<? /*
obinda|0.0.0.0/0
bbaldassarre|192.169.22.0/24
cdilitta|192.169.22.0/24
*/ ?>

Scriptlet: 

cat > /usr/share/squirrelmail/config/ip_users.php <<'EOFile'
<? /*
obinda|0.0.0.0/0
bbaldassarre|192.169.22.0/24
cdilitta|192.169.22.0/24
*/ ?>
EOFile

ovvero: 

username_che_può_accedere|netmask_di_accesso_consentita

Indirizzi particolari

0.0.0.0/0 da dovunque
a.b.c.d/24 da un lan
a.b.c.d/32 da un ip soltanto

Se un utente O non è listato in questo file O non si collega da una rete consentita, viene visualizzato un errore di login.

Il Plugin originale che funziona solo da un ip: http://www.squirrelmail.org/plugin_view.php?id=106

Esempio per rilevare ip address locale o del proxy: http://www.php.net/getenv

I have an application where I want to track the remote address, and if that's not available, then the local address. (Sometimes it's over a network, and sometimes over the internet, and for security, some features should only be run over the local network.) I added some checking that should be redundant to get around a few weird situations I encountered, where addresses were set, but empty. 


 <?php
 $private_net_ip_masks = array( '10.0.0.', '192.168.', '127.0.0.', '172.16.0.' );
 if( isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '' )
 {
    $ipStrings = explode( ',',$_SERVER['HTTP_X_FORWARDED_FOR']);
    foreach($ipStrings as $k => $v)
    {
        if( empty($v) )
        {
            unset( $ipStrings[$k] );
        }
        else
        { // set the first one we find as the default.  Little dirty, but it works.
            if(!isset($ipString)) $ipString = $v;
        }
    }
 }
 if( isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] != '' )
 {
    $ipStrings[] = $_SERVER['REMOTE_ADDR'];
    if(!isset($ipString)) $ipString = $_SERVER['REMOTE_ADDR'];
 }
 foreach($ipStrings as $k1 => $ip)
 {
    foreach($private_net_ip_masks as $k2 => $pip)
    {
        if(strpos($ip, $pip) === 0)
        { // local ip
            unset($ipStrings[$k1]);
            break;
        }
    }
 }
 if( !empty($ipStrings) )
 {
    foreach( $ipStrings as $v )
    {
        if(!empty($v))
        {
            $ipString = $v;
            $is_local_ip = false;
            break;
        }
    }
 }
 else
 {
    $is_local_ip = true;
 }
 $ipArray = explode('.', $ipString);

 // Spit out the results
 foreach($ipStrings as $k => $v) echo '$ipStrings['.$k.'] = ' . $v . '<br />';
 echo "\$ipString = $ipString<br />";
 foreach($ipArray as $k => $v) echo '$ipArray['.$k.'] = ' . $v . '<br />';
 ?>
Retrieved from "https://kb.rvmgroup.it/index.php?title=Limitazione_utenti_in_base_ad_ip_address&oldid=3438"