Limitazione utenti in base ad ip address

From RVM Wiki
Jump to navigation Jump to search

E' possibile limitare l'uso di Squirrelmail 1.2.x a degli utenti elencati, specificando per ognuno la classe di ip da cui possono accedere.

(Procedura testata su RH8)

Plugin originale

Il Plugin originale permette di specificare un solo IP di provenienza per gli utenti, e non una classe di IP.

Homepage: http://www.squirrelmail.org/plugin_view.php?id=106

Prelevare il plugin ip_users e installarlo: 

cd /files/src
wget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fip_users.1.1-1.2.x.tar.gz 
cd /usr/share/squirrelmail/plugins/
tar xvzf /files/src/ip_users.1.1-1.2.x.tar.gz

Sorgente del Plugin modificato

Installare la versione modificata del plugin sovrascrivendo il file con questo:

/usr/share/squirrelmail/plugins/ip_users/setup.php 


<?php
/* Version 1.1 */

function squirrelmail_plugin_init_ip_users() {
   global $squirrelmail_plugin_hooks;
   global $login_username;

   $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}

function plugin_ip_users_login_verified() {

function IP_Match($network, $ip) {
   $ip_arr = explode("/",$network);
   $network_long=ip2long($ip_arr[0]);

   $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
   $ip_long=ip2long($ip);

   if (($ip_long & $mask_long) == $network_long) {
       return 1;
   } else {
       return 0;
   }
}

   global $squirrelmail_plugin_hooks;
   global $login_username;

   $valid_user=0;
   $file = fopen("../config/ip_users.php","r");
   for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
         $valid_user=1;
         $rete=substr($tmp, strpos($tmp, "|")+1);
         $indirizzo=getenv("REMOTE_ADDR");
         if (IP_Match($rete,$indirizzo)) {
               $valid_user++;
         }
      }
   }
   fclose($file);
   if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      error_username_password_incorrect();
      exit;
   }
}
?>

File di Configurazione

Creare il file:

/usr/share/squirrelmail/config/ip_users.php 


<? /*
obinda|0.0.0.0/0
bbaldassarre|192.169.22.0/24
cdilitta|192.169.22.0/24
*/ ?>

Scriptlet: 

cat > /usr/share/squirrelmail/config/ip_users.php <<'EOFile'
<? /*
obinda|0.0.0.0/0
bbaldassarre|192.169.22.0/24
cdilitta|192.169.22.0/24
*/ ?>
EOFile

ovvero: 

username_che_può_accedere|netmask_di_accesso_consentita

Indirizzi particolari

0.0.0.0/0 da dovunque
a.b.c.d/24 da un lan
a.b.c.d/32 da un ip soltanto

Se un utente O non è listato in questo file O non si collega da una rete consentita, viene visualizzato un errore di login.

Il Plugin originale che funziona solo da un ip: http://www.squirrelmail.org/plugin_view.php?id=106

Esempio per rilevare ip address locale o del proxy: http://www.php.net/getenv

I have an application where I want to track the remote address, and if that's not available, then the local address. (Sometimes it's over a network, and sometimes over the internet, and for security, some features should only be run over the local network.) I added some checking that should be redundant to get around a few weird situations I encountered, where addresses were set, but empty. 


 <?php
 $private_net_ip_masks = array( '10.0.0.', '192.168.', '127.0.0.', '172.16.0.' );
 if( isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '' )
 {
    $ipStrings = explode( ',',$_SERVER['HTTP_X_FORWARDED_FOR']);
    foreach($ipStrings as $k => $v)
    {
        if( empty($v) )
        {
            unset( $ipStrings[$k] );
        }
        else
        { // set the first one we find as the default.  Little dirty, but it works.
            if(!isset($ipString)) $ipString = $v;
        }
    }
 }
 if( isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] != '' )
 {
    $ipStrings[] = $_SERVER['REMOTE_ADDR'];
    if(!isset($ipString)) $ipString = $_SERVER['REMOTE_ADDR'];
 }
 foreach($ipStrings as $k1 => $ip)
 {
    foreach($private_net_ip_masks as $k2 => $pip)
    {
        if(strpos($ip, $pip) === 0)
        { // local ip
            unset($ipStrings[$k1]);
            break;
        }
    }
 }
 if( !empty($ipStrings) )
 {
    foreach( $ipStrings as $v )
    {
        if(!empty($v))
        {
            $ipString = $v;
            $is_local_ip = false;
            break;
        }
    }
 }
 else
 {
    $is_local_ip = true;
 }
 $ipArray = explode('.', $ipString);

 // Spit out the results
 foreach($ipStrings as $k => $v) echo '$ipStrings['.$k.'] = ' . $v . '<br />';
 echo "\$ipString = $ipString<br />";
 foreach($ipArray as $k => $v) echo '$ipArray['.$k.'] = ' . $v . '<br />';
 ?>
Retrieved from "https://kb.rvmgroup.it/index.php?title=Limitazione_utenti_in_base_ad_ip_address&oldid=18"