Limitazione utenti in base ad ip address: Difference between revisions

mNo edit summary
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
= OBSOLETO =
USARE IL PLUGIN ip_restrict:
* [http://squirrelmail.org/plugin_view.php?id=259 Plugins - User Restriction by IP]
<hr>
E' possibile limitare l'uso di Squirrelmail 1.2.x a degli utenti elencati, specificando per ognuno la classe di ip da cui possono accedere.  
E' possibile limitare l'uso di Squirrelmail 1.2.x a degli utenti elencati, specificando per ognuno la classe di ip da cui possono accedere.  


(Procedura testata su RH8)
(Procedura testata su Debian Sarge)


== Plugin originale ==
== Plugin originale ==
Line 16: Line 23:


== Sorgente del Plugin modificato ==
== Sorgente del Plugin modificato ==
=== Debian Woody (Squirrelmail < 1.4) ===


Installare la versione modificata del plugin sovrascrivendo il file con questo:
Installare la versione modificata del plugin sovrascrivendo il file con questo:
Line 24: Line 33:
<nowiki>
<nowiki>
<?php
<?php
/* Version 1.1 */
/* Version 1.2 */


function squirrelmail_plugin_init_ip_users() {
function squirrelmail_plugin_init_ip_users() {
Line 77: Line 86:
</nowiki>
</nowiki>
</pre>
</pre>
<small>
Scriptlet:
<pre><nowiki>cat > setup.php <<'EOFile'
<?php
/* Version 1.2 */
function squirrelmail_plugin_init_ip_users() {
  global $squirrelmail_plugin_hooks;
  global $login_username;
  $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}
function plugin_ip_users_login_verified() {
function IP_Match($network, $ip) {
  $ip_arr = explode("/",$network);
  $network_long=ip2long($ip_arr[0]);
  $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
  $ip_long=ip2long($ip);
  if (($ip_long & $mask_long) == $network_long) {
      return 1;
  } else {
      return 0;
  }
}
  global $squirrelmail_plugin_hooks;
  global $login_username;
  $valid_user=0;
  $file = fopen("../config/ip_users.php","r");
  for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
        $valid_user=1;
        $rete=substr($tmp, strpos($tmp, "|")+1);
        $indirizzo=getenv("REMOTE_ADDR");
        if (IP_Match($rete,$indirizzo)) {
              $valid_user++;
        }
      }
  }
  fclose($file);
  if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      error_username_password_incorrect();
      exit;
  }
}
?>
EOFile</nowiki></pre></small>
=== Debian Sarge (Squirrelmail >= 1.4) ===
Installare la versione modificata del plugin sovrascrivendo il file con questo:
<tt>/usr/share/squirrelmail/plugins/ip_users/setup.php</tt>
<pre>
<nowiki>
<?php
/* Version 1.3 */
function squirrelmail_plugin_init_ip_users() {
  global $squirrelmail_plugin_hooks;
  global $login_username;
  $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}
function plugin_ip_users_login_verified() {
function IP_Match($network, $ip) {
  $ip_arr = explode("/",$network);
  $network_long=ip2long($ip_arr[0]);
  $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
  $ip_long=ip2long($ip);
  if (($ip_long & $mask_long) == $network_long) {
      return 1;
  } else {
      return 0;
  }
}
  global $squirrelmail_plugin_hooks;
  global $login_username;
  $valid_user=0;
  $file = fopen("../config/ip_users.php","r");
  for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
        $valid_user=1;
        $rete=substr($tmp, strpos($tmp, "|")+1);
        $indirizzo=getenv("REMOTE_ADDR");
        if (IP_Match($rete,$indirizzo)) {
              $valid_user++;
        }
      }
  }
  fclose($file);
  if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      logout_error( _("Unknown user or password incorrect.") );
      exit;
  }
}
?>
</nowiki>
</pre>
<small>
Scriptlet:
<pre><nowiki>cat > setup.php <<'EOFile'
<?php
/* Version 1.3 */
function squirrelmail_plugin_init_ip_users() {
  global $squirrelmail_plugin_hooks;
  global $login_username;
  $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}
function plugin_ip_users_login_verified() {
function IP_Match($network, $ip) {
  $ip_arr = explode("/",$network);
  $network_long=ip2long($ip_arr[0]);
  $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
  $ip_long=ip2long($ip);
  if (($ip_long & $mask_long) == $network_long) {
      return 1;
  } else {
      return 0;
  }
}
  global $squirrelmail_plugin_hooks;
  global $login_username;
  $valid_user=0;
  $file = fopen("../config/ip_users.php","r");
  for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
        $valid_user=1;
        $rete=substr($tmp, strpos($tmp, "|")+1);
        $indirizzo=getenv("REMOTE_ADDR");
        if (IP_Match($rete,$indirizzo)) {
              $valid_user++;
        }
      }
  }
  fclose($file);
  if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      logout_error( _("Unknown user or password incorrect.") );
      exit;
  }
}
?>
EOFile</nowiki></pre></small>
== Attivazione del Plugin ==
Lanciare il programma di configurazione di Squirrelmail con:
/etc/squirrelmail/conf.pl
Attivare il plugin dal menù "Plugin"


== File di Configurazione ==
== File di Configurazione ==
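Review bot: IP_Match() in the added 1.3 listing compares `($ip_long & $mask_long) == $network_long` without checking what ip2long() returned, so the check fails open. When the network in ip_users.php is mistyped and REMOTE_ADDR is not a dotted-quad IPv4 address, both sides evaluate to false/0 and the user is accepted. Add `if ($network_long === false || $ip_long === false) return 0;` before the comparison. The same function is repeated in the 1.2 and 1.3 scriptlets in this hunk. The result of fopen() also goes unchecked into the feof() loop, so a missing list file never reaches the denial branch cleanly.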
Line 86: Line 276:
<pre>
<pre>
<nowiki>
<nowiki>
<? /*
<? /*
obinda|0.0.0.0/0
obinda|0.0.0.0/0
bbaldassarre|i192.169.22.0/24
bbaldassarre|192.169.22.0/24
cdilitta|192.169.22.0/24
cdilitta|192.169.22.0/24
*/ ?>
*/ ?>
 
</nowiki>
</nowiki>
</pre>
</pre>
<small>Scriptlet:
<pre><nowiki>
cat > /usr/share/squirrelmail/config/ip_users.php <<'EOFile'
<? /*
obinda|0.0.0.0/0
bbaldassarre|192.169.22.0/24
cdilitta|192.169.22.0/24
*/ ?>
EOFile
</nowiki></pre></small>


ovvero:
ovvero:
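Review bot: The scriptlet added here hides the access list from web requests only through the `<? /*` opening line, which works only while short_open_tag is enabled. With short tags off, and if the config directory is reachable over HTTP, a request for ip_users.php would return the user names and their networks as plain text. Opening the file with `<?php /*` removes that dependency. That first line contains no `|`, so it should not match any user name when the plugin reads the file.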
Line 108: Line 308:


----
----
== Links ==  
== Links ==  



Latest revision as of 15:30, 11 February 2010

OBSOLETO

USARE IL PLUGIN ip_restrict:


È possibile limitare l'uso di Squirrelmail 1.2.x a un elenco di utenti, specificando per ognuno la classe di IP da cui può accedere.

(Procedura testata su Debian Sarge)

Plugin originale

Il Plugin originale permette di specificare un solo IP di provenienza per gli utenti, e non una classe di IP.

Homepage: http://www.squirrelmail.org/plugin_view.php?id=106

Prelevare il plugin ip_users e installarlo:

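# Fetch the original ip_users plugin and unpack it into the SquirrelMail plugin tree.
cd /files/src
# The URL is quoted so the shell leaves "?" and "%" alone, and -O fixes the
# local file name to the one tar expects below.
# NOTE(review): the download is plain HTTP with no checksum or signature;
# inspect the archive before unpacking it into the SquirrelMail tree.
wget -O ip_users.1.1-1.2.x.tar.gz 'http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fip_users.1.1-1.2.x.tar.gz'
cd /usr/share/squirrelmail/plugins/
# List the members first: extraction writes wherever the member paths point.
tar tzf /files/src/ip_users.1.1-1.2.x.tar.gz
tar xvzf /files/src/ip_users.1.1-1.2.x.tar.gz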

Sorgente del Plugin modificato

Debian Woody (Squirrelmail < 1.4)

Installare la versione modificata del plugin sovrascrivendo il file con questo:

/usr/share/squirrelmail/plugins/ip_users/setup.php


<?php
/* Version 1.2 */

/**
 * Plugin entry point: registers the ip_users callback on SquirrelMail's
 * 'login_verified' hook.
 */
function squirrelmail_plugin_init_ip_users() {
   global $login_username;
   global $squirrelmail_plugin_hooks;

   $hook_name   = 'login_verified';
   $plugin_name = 'ip_users';

   // The hook table maps hook name -> plugin name -> callback function name.
   $squirrelmail_plugin_hooks[$hook_name][$plugin_name] = 'plugin_ip_users_login_verified';
}

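/**
 * Tell whether an IPv4 address falls inside a network given in CIDR notation.
 *
 * Input that cannot be parsed (missing or non-numeric prefix, prefix above
 * 32, malformed or non-IPv4 address) is treated as "no match", so a typo in
 * the access list or an IPv6 client is never let through by accident.
 *
 * @param string $network network as "a.b.c.d/len"; surrounding whitespace,
 *                        such as the newline left by fgets(), is ignored
 * @param string $ip      dotted-quad IPv4 address to test
 * @return int 1 when $ip belongs to $network, 0 otherwise
 */
function IP_Match($network, $ip) {
   $ip_arr = explode("/", trim((string) $network));
   if (count($ip_arr) != 2) {
       return 0;
   }

   $net_addr = trim($ip_arr[0]);
   $prefix   = trim($ip_arr[1]);
   $ip       = trim((string) $ip);

   // Accept only a plain decimal prefix length between 0 and 32.
   if (!preg_match('/^[0-9]{1,2}$/D', $prefix) || (int) $prefix > 32) {
       return 0;
   }
   $bits = (int) $prefix;

   // Check the textual form first so the result does not depend on how a
   // given PHP version reports an ip2long() failure.
   $quad = '/^[0-9]{1,3}(\.[0-9]{1,3}){3}$/D';
   if (!preg_match($quad, $net_addr) || !preg_match($quad, $ip)) {
       return 0;
   }
   $network_long = ip2long($net_addr);
   $ip_long      = ip2long($ip);
   if ($network_long === false || $ip_long === false) {
       return 0;
   }

   // Integer mask: no float arithmetic, and /0 is handled without a 32-bit shift.
   $mask_long = ($bits == 0) ? 0 : (-1 << (32 - $bits));

   // The configured address must be the network address itself: an entry
   // with host bits set never matches.
   if (($ip_long & $mask_long) === $network_long) {
       return 1;
   }
   return 0;
}

/**
 * login_verified hook: let the session continue only when the user is listed
 * in ../config/ip_users.php and REMOTE_ADDR lies inside the network on that
 * user's line; otherwise show the login error and stop the request.
 *
 * Each line of the list has the form "username|a.b.c.d/len". When a user
 * appears on several lines, the last one decides. A list that cannot be
 * opened denies everyone.
 */
function plugin_ip_users_login_verified() {
   global $login_username;

   // Address of the TCP peer as reported by the web server. Behind a reverse
   // proxy this is the proxy's address, not the user's.
   $indirizzo = getenv("REMOTE_ADDR");

   $valid_user = 0;
   // Relative path: resolved against the working directory of the running script.
   $file = fopen("../config/ip_users.php", "r");
   if ($file) {
      while (($tmp = fgets($file, 1024)) !== false) {
         $sep = strpos($tmp, "|");
         if ($sep === false || $sep === 0) {
            continue;   // comment delimiters, blank lines, entries without a name
         }
         // === keeps numeric-looking names such as "007" and "7" distinct.
         if (substr($tmp, 0, $sep) === (string) $login_username) {
            $valid_user = 1;
            $rete = substr($tmp, $sep + 1);
            if (IP_Match($rete, $indirizzo)) {
               $valid_user++;
            }
         }
      }
      fclose($file);
   }

   // 2 = user listed and address inside the listed network; anything else is denied.
   if ($valid_user != 2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
      error_username_password_incorrect();
      exit;
   }
}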
?>

Scriptlet:

cat > setup.php <<'EOFile'
<?php
/* Version 1.2 */

/**
 * Plugin entry point: registers the ip_users callback on SquirrelMail's
 * 'login_verified' hook.
 */
function squirrelmail_plugin_init_ip_users() {
   global $login_username;
   global $squirrelmail_plugin_hooks;

   $hook_name   = 'login_verified';
   $plugin_name = 'ip_users';

   // The hook table maps hook name -> plugin name -> callback function name.
   $squirrelmail_plugin_hooks[$hook_name][$plugin_name] = 'plugin_ip_users_login_verified';
}

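/**
 * Tell whether an IPv4 address falls inside a network given in CIDR notation.
 *
 * Input that cannot be parsed (missing or non-numeric prefix, prefix above
 * 32, malformed or non-IPv4 address) is treated as "no match", so a typo in
 * the access list or an IPv6 client is never let through by accident.
 *
 * @param string $network network as "a.b.c.d/len"; surrounding whitespace,
 *                        such as the newline left by fgets(), is ignored
 * @param string $ip      dotted-quad IPv4 address to test
 * @return int 1 when $ip belongs to $network, 0 otherwise
 */
function IP_Match($network, $ip) {
   $ip_arr = explode("/", trim((string) $network));
   if (count($ip_arr) != 2) {
       return 0;
   }

   $net_addr = trim($ip_arr[0]);
   $prefix   = trim($ip_arr[1]);
   $ip       = trim((string) $ip);

   // Accept only a plain decimal prefix length between 0 and 32.
   if (!preg_match('/^[0-9]{1,2}$/D', $prefix) || (int) $prefix > 32) {
       return 0;
   }
   $bits = (int) $prefix;

   // Check the textual form first so the result does not depend on how a
   // given PHP version reports an ip2long() failure.
   $quad = '/^[0-9]{1,3}(\.[0-9]{1,3}){3}$/D';
   if (!preg_match($quad, $net_addr) || !preg_match($quad, $ip)) {
       return 0;
   }
   $network_long = ip2long($net_addr);
   $ip_long      = ip2long($ip);
   if ($network_long === false || $ip_long === false) {
       return 0;
   }

   // Integer mask: no float arithmetic, and /0 is handled without a 32-bit shift.
   $mask_long = ($bits == 0) ? 0 : (-1 << (32 - $bits));

   // The configured address must be the network address itself: an entry
   // with host bits set never matches.
   if (($ip_long & $mask_long) === $network_long) {
       return 1;
   }
   return 0;
}

/**
 * login_verified hook: let the session continue only when the user is listed
 * in ../config/ip_users.php and REMOTE_ADDR lies inside the network on that
 * user's line; otherwise show the login error and stop the request.
 *
 * Each line of the list has the form "username|a.b.c.d/len". When a user
 * appears on several lines, the last one decides. A list that cannot be
 * opened denies everyone.
 */
function plugin_ip_users_login_verified() {
   global $login_username;

   // Address of the TCP peer as reported by the web server. Behind a reverse
   // proxy this is the proxy's address, not the user's.
   $indirizzo = getenv("REMOTE_ADDR");

   $valid_user = 0;
   // Relative path: resolved against the working directory of the running script.
   $file = fopen("../config/ip_users.php", "r");
   if ($file) {
      while (($tmp = fgets($file, 1024)) !== false) {
         $sep = strpos($tmp, "|");
         if ($sep === false || $sep === 0) {
            continue;   // comment delimiters, blank lines, entries without a name
         }
         // === keeps numeric-looking names such as "007" and "7" distinct.
         if (substr($tmp, 0, $sep) === (string) $login_username) {
            $valid_user = 1;
            $rete = substr($tmp, $sep + 1);
            if (IP_Match($rete, $indirizzo)) {
               $valid_user++;
            }
         }
      }
      fclose($file);
   }

   // 2 = user listed and address inside the listed network; anything else is denied.
   if ($valid_user != 2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
      error_username_password_incorrect();
      exit;
   }
}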
?>
EOFile

Debian Sarge (Squirrelmail >= 1.4)

Installare la versione modificata del plugin sovrascrivendo il file con questo:

/usr/share/squirrelmail/plugins/ip_users/setup.php


<?php
/* Version 1.3 */

/**
 * Plugin entry point: registers the ip_users callback on SquirrelMail's
 * 'login_verified' hook.
 */
function squirrelmail_plugin_init_ip_users() {
   global $login_username;
   global $squirrelmail_plugin_hooks;

   $hook_name   = 'login_verified';
   $plugin_name = 'ip_users';

   // The hook table maps hook name -> plugin name -> callback function name.
   $squirrelmail_plugin_hooks[$hook_name][$plugin_name] = 'plugin_ip_users_login_verified';
}

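/**
 * Tell whether an IPv4 address falls inside a network given in CIDR notation.
 *
 * Input that cannot be parsed (missing or non-numeric prefix, prefix above
 * 32, malformed or non-IPv4 address) is treated as "no match", so a typo in
 * the access list or an IPv6 client is never let through by accident.
 *
 * @param string $network network as "a.b.c.d/len"; surrounding whitespace,
 *                        such as the newline left by fgets(), is ignored
 * @param string $ip      dotted-quad IPv4 address to test
 * @return int 1 when $ip belongs to $network, 0 otherwise
 */
function IP_Match($network, $ip) {
   $ip_arr = explode("/", trim((string) $network));
   if (count($ip_arr) != 2) {
       return 0;
   }

   $net_addr = trim($ip_arr[0]);
   $prefix   = trim($ip_arr[1]);
   $ip       = trim((string) $ip);

   // Accept only a plain decimal prefix length between 0 and 32.
   if (!preg_match('/^[0-9]{1,2}$/D', $prefix) || (int) $prefix > 32) {
       return 0;
   }
   $bits = (int) $prefix;

   // Check the textual form first so the result does not depend on how a
   // given PHP version reports an ip2long() failure.
   $quad = '/^[0-9]{1,3}(\.[0-9]{1,3}){3}$/D';
   if (!preg_match($quad, $net_addr) || !preg_match($quad, $ip)) {
       return 0;
   }
   $network_long = ip2long($net_addr);
   $ip_long      = ip2long($ip);
   if ($network_long === false || $ip_long === false) {
       return 0;
   }

   // Integer mask: no float arithmetic, and /0 is handled without a 32-bit shift.
   $mask_long = ($bits == 0) ? 0 : (-1 << (32 - $bits));

   // The configured address must be the network address itself: an entry
   // with host bits set never matches.
   if (($ip_long & $mask_long) === $network_long) {
       return 1;
   }
   return 0;
}

/**
 * login_verified hook: let the session continue only when the user is listed
 * in ../config/ip_users.php and REMOTE_ADDR lies inside the network on that
 * user's line; otherwise show the logout error and stop the request.
 *
 * Each line of the list has the form "username|a.b.c.d/len". When a user
 * appears on several lines, the last one decides. A list that cannot be
 * opened denies everyone.
 */
function plugin_ip_users_login_verified() {
   global $login_username;

   // Address of the TCP peer as reported by the web server. Behind a reverse
   // proxy this is the proxy's address, not the user's.
   $indirizzo = getenv("REMOTE_ADDR");

   $valid_user = 0;
   // Relative path: resolved against the working directory of the running script.
   $file = fopen("../config/ip_users.php", "r");
   if ($file) {
      while (($tmp = fgets($file, 1024)) !== false) {
         $sep = strpos($tmp, "|");
         if ($sep === false || $sep === 0) {
            continue;   // comment delimiters, blank lines, entries without a name
         }
         // === keeps numeric-looking names such as "007" and "7" distinct.
         if (substr($tmp, 0, $sep) === (string) $login_username) {
            $valid_user = 1;
            $rete = substr($tmp, $sep + 1);
            if (IP_Match($rete, $indirizzo)) {
               $valid_user++;
            }
         }
      }
      fclose($file);
   }

   // 2 = user listed and address inside the listed network; anything else is denied.
   if ($valid_user != 2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
      logout_error( _("Unknown user or password incorrect.") );
      exit;
   }
}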
?>

Scriptlet:

cat > setup.php <<'EOFile'
<?php
/* Version 1.3 */

/**
 * Plugin entry point: registers the ip_users callback on SquirrelMail's
 * 'login_verified' hook.
 */
function squirrelmail_plugin_init_ip_users() {
   global $login_username;
   global $squirrelmail_plugin_hooks;

   $hook_name   = 'login_verified';
   $plugin_name = 'ip_users';

   // The hook table maps hook name -> plugin name -> callback function name.
   $squirrelmail_plugin_hooks[$hook_name][$plugin_name] = 'plugin_ip_users_login_verified';
}

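/**
 * Tell whether an IPv4 address falls inside a network given in CIDR notation.
 *
 * Input that cannot be parsed (missing or non-numeric prefix, prefix above
 * 32, malformed or non-IPv4 address) is treated as "no match", so a typo in
 * the access list or an IPv6 client is never let through by accident.
 *
 * @param string $network network as "a.b.c.d/len"; surrounding whitespace,
 *                        such as the newline left by fgets(), is ignored
 * @param string $ip      dotted-quad IPv4 address to test
 * @return int 1 when $ip belongs to $network, 0 otherwise
 */
function IP_Match($network, $ip) {
   $ip_arr = explode("/", trim((string) $network));
   if (count($ip_arr) != 2) {
       return 0;
   }

   $net_addr = trim($ip_arr[0]);
   $prefix   = trim($ip_arr[1]);
   $ip       = trim((string) $ip);

   // Accept only a plain decimal prefix length between 0 and 32.
   if (!preg_match('/^[0-9]{1,2}$/D', $prefix) || (int) $prefix > 32) {
       return 0;
   }
   $bits = (int) $prefix;

   // Check the textual form first so the result does not depend on how a
   // given PHP version reports an ip2long() failure.
   $quad = '/^[0-9]{1,3}(\.[0-9]{1,3}){3}$/D';
   if (!preg_match($quad, $net_addr) || !preg_match($quad, $ip)) {
       return 0;
   }
   $network_long = ip2long($net_addr);
   $ip_long      = ip2long($ip);
   if ($network_long === false || $ip_long === false) {
       return 0;
   }

   // Integer mask: no float arithmetic, and /0 is handled without a 32-bit shift.
   $mask_long = ($bits == 0) ? 0 : (-1 << (32 - $bits));

   // The configured address must be the network address itself: an entry
   // with host bits set never matches.
   if (($ip_long & $mask_long) === $network_long) {
       return 1;
   }
   return 0;
}

/**
 * login_verified hook: let the session continue only when the user is listed
 * in ../config/ip_users.php and REMOTE_ADDR lies inside the network on that
 * user's line; otherwise show the logout error and stop the request.
 *
 * Each line of the list has the form "username|a.b.c.d/len". When a user
 * appears on several lines, the last one decides. A list that cannot be
 * opened denies everyone.
 */
function plugin_ip_users_login_verified() {
   global $login_username;

   // Address of the TCP peer as reported by the web server. Behind a reverse
   // proxy this is the proxy's address, not the user's.
   $indirizzo = getenv("REMOTE_ADDR");

   $valid_user = 0;
   // Relative path: resolved against the working directory of the running script.
   $file = fopen("../config/ip_users.php", "r");
   if ($file) {
      while (($tmp = fgets($file, 1024)) !== false) {
         $sep = strpos($tmp, "|");
         if ($sep === false || $sep === 0) {
            continue;   // comment delimiters, blank lines, entries without a name
         }
         // === keeps numeric-looking names such as "007" and "7" distinct.
         if (substr($tmp, 0, $sep) === (string) $login_username) {
            $valid_user = 1;
            $rete = substr($tmp, $sep + 1);
            if (IP_Match($rete, $indirizzo)) {
               $valid_user++;
            }
         }
      }
      fclose($file);
   }

   // 2 = user listed and address inside the listed network; anything else is denied.
   if ($valid_user != 2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
      logout_error( _("Unknown user or password incorrect.") );
      exit;
   }
}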
?>
EOFile

Attivazione del Plugin

Lanciare il programma di configurazione di Squirrelmail con:

/etc/squirrelmail/conf.pl

Attivare il plugin dal menù "Plugin"

File di Configurazione

Creare il file:

/usr/share/squirrelmail/config/ip_users.php


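<?php /*
obinda|0.0.0.0/0
bbaldassarre|192.169.22.0/24
cdilitta|192.169.22.0/24
*/ ?>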

Scriptlet:

cat > /usr/share/squirrelmail/config/ip_users.php <<'EOFile'
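<?php /*
obinda|0.0.0.0/0
bbaldassarre|192.169.22.0/24
cdilitta|192.169.22.0/24
*/ ?>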
EOFile

ovvero:

username_che_può_accedere|netmask_di_accesso_consentita

Indirizzi particolari

0.0.0.0/0 da dovunque
a.b.c.d/24 da una LAN
a.b.c.d/32 da un ip soltanto

Se un utente O non è listato in questo file O non si collega da una rete consentita, viene visualizzato un errore di login.


Il Plugin originale che funziona solo da un ip: http://www.squirrelmail.org/plugin_view.php?id=106

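Esempio per rilevare ip address locale o del proxy: http://www.php.net/getenv (l'intestazione X-Forwarded-For usata nell'esempio è inviata dal client e può contenere qualsiasi valore: per decidere se consentire un accesso va considerata solo se è impostata da un proxy sotto il proprio controllo).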

I have an application where I want to track the remote address, and if that's not available, then the local address. (Sometimes it's over a network, and sometimes over the internet, and for security, some features should only be run over the local network.) I added some checking that should be redundant to get around a few weird situations I encountered, where addresses were set, but empty.


 <?php
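 // Collects the addresses reported for the current request and picks one to
 // display, preferring a non-"local" address.
 //
 // Prefixes treated as "local". NOTE(review): as plain string prefixes these
 // cover only 10.0.0.x, 192.168.x.x, 127.0.0.x and 172.16.0.x, not the whole
 // private ranges.
 $private_net_ip_masks = array( '10.0.0.', '192.168.', '127.0.0.', '172.16.0.' );

 // Start from an empty list so the loops below are safe when neither the
 // header nor REMOTE_ADDR is present.
 $ipStrings = array();

 // X-Forwarded-For is a request header: whatever the client, or any proxy on
 // the way, put there arrives here unchanged. It is fine for display or
 // logging; base access decisions on it only when a proxy you operate sets it.
 if( isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '' )
 {
    // Entries are usually separated by ", ", so strip the padding; otherwise
    // the prefix test below never matches the second and later entries.
    $ipStrings = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
    foreach($ipStrings as $k => $v)
    {
        if( empty($v) )
        {
            unset( $ipStrings[$k] );
        }
        else
        { // set the first one we find as the default.  Little dirty, but it works.
            if(!isset($ipString)) $ipString = $v;
        }
    }
 }
 // REMOTE_ADDR is the peer of the TCP connection as seen by the web server.
 if( isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] != '' )
 {
    $ipStrings[] = $_SERVER['REMOTE_ADDR'];
    if(!isset($ipString)) $ipString = $_SERVER['REMOTE_ADDR'];
 }
 // Drop every address that starts with one of the "local" prefixes.
 foreach($ipStrings as $k1 => $ip)
 {
    foreach($private_net_ip_masks as $k2 => $pip)
    {
        if(strpos($ip, $pip) === 0)
        { // local ip
            unset($ipStrings[$k1]);
            break;
        }
    }
 }
 // Nothing left means every reported address was local.
 $is_local_ip = true;
 foreach( $ipStrings as $v )
 {
    if(!empty($v))
    {
        $ipString = $v;
        $is_local_ip = false;
        break;
    }
 }
 // No address at all was reported (for example when run outside a web request).
 if(!isset($ipString)) $ipString = '';
 $ipArray = explode('.', $ipString);

 // Spit out the results. The values come from request data, so they are
 // escaped before being written into the HTML page.
 foreach($ipStrings as $k => $v) echo '$ipStrings['.$k.'] = ' . htmlspecialchars($v, ENT_QUOTES) . '<br />';
 echo '$ipString = ' . htmlspecialchars($ipString, ENT_QUOTES) . '<br />';
 foreach($ipArray as $k => $v) echo '$ipArray['.$k.'] = ' . htmlspecialchars($v, ENT_QUOTES) . '<br />';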
 ?>