You don't have permission to access / on this server.

mrcaveman

I think this is a question about, Apache, however I'm trying to control the server through php.

I want to make an admin script where I can control the access to my pages.

Is it possible to use php to restrict access by the visitors ip address??

If an organization/person with a static IP address that is not allowed to enter the page should get the following message:

Forbidden
You don't have permission to access / on this server.

Is it possible to control this access through adding the IP addresses that I would allow access to my page??

Is it possible to do this through a php script?!?

Do you know about an example on the net???

I have read a lot about banning IP addresses, but in my eyes, this is something else, since it should not ban, but allow one or a few IP addresses.

Thank you for your reply.

Kj.

dalecosp

Read through httpd.conf, the Apache server configuration file. What you desire is easily enough accomplished with deny,allow,
I believe.

In my mind, the hard part would be utilizing PHP to interface with it in this way.

I imagine there's a better way, or two, or three...I'm a known hack, so I'd advise more research on my option as well as others.

G'luck

dalecosp

Lime

If you're on a *nix server, this is really easy to do -- just use a .htaccess file.

You can find all sorts of information on how to use .htaccess on the net. Try Google. Specifically, you want it set up similar to the following:

AuthName "Restricted Area"
AuthType Basic
<limit GET, POST>
order deny, allow
deny from all
allow from whatever
</limit>

Just put the file in the directory you want protected. Any subsequent directories are also protected, unless you override it with a more specific .htaccess file deeper in the directory structure. You can use IP ranges, hostnames, pretty much anything for whatever. If you need to give access to more than one address, simply add a second allow statement after the first one.

--lime

jonsof

How can do that in Win98sec?

I would make a list with ip's which could view my page
Is it easy?

mrcaveman

I've been trough hell and back, with my nose in everything from books to the httpd.conf file. I actually found out about the .htaccess and tried it out. IT WORKED :-) And it was easy too!! However, thank you dalecosp for your tips, and thanks a lot Lime for the "answer".

For the rest of you, who want to know what I did;

I had to change the "AllowOverride" line in httpd.conf from "None" to "All". When I made a file and named it ".htaccess".

I wrote the following in the .htaccess file and uploaded it to my server in the folder I wanted to protect;

<Limit GET>
order deny,allow
deny from all
allow from 111.212.ip address you want to allow
</Limit>

The only problem is that most Apache hosts have configured the server to hide the .htaccess file. I'm using a FTP program to upload and change the files on the server and it is not possible to delete the .htaccess file with the FTP program I use. Any suggestions??

My next step is to use php script to alter the .htaccess file. This way I should be able to let the administrator of my webpage choose what IP addresses that can access the pages.

jonsof

i searched my http.conf and i found too many 'AllowOverride' set as None, so which one of these, is the right one?

What about if you are not the admin so you are not allowed to touch the apache files.

Have you got detailed info about that?

Thanks!!

mrcaveman

Hi jonsof.

I changed the AllowOverwite after the following info.

AllowOverride controls what directives may be placed in .htaccess files.

It can be "All", "None", or any combination of the keywords:

Options FileInfo AuthConfig Limit

AllowOverride All

I have solved the problem by making a table that lists the IP addresses (ip_allowed) I want to allow access. When I made a php file with the following code;

<?
include_once('/config/configurationfile.php');

$sql = "select * from ip_allowed";
$db_conn = db_connect();
$result = mysql_query($sql, $db_conn);

$htaccess = "\t"."AuthName \"Restricted Area\"
	AuthType Basic
	<Limit GET>
	order deny,allow
	deny from all
	allow from ";

while ($row = mysql_fetch_array($result)) 
{

$htaccess = $htaccess.$row[ip_addresse]." + ";

}

$htaccess = $htaccess."\n"."\t"."</Limit>";

$file = fopen(".htaccess", "w+");

fwrite($file, $htaccess);

fclose($file);

?>

This script writes a new .htaccess file to the choosen folder on the server.

If the Apache server allows you to use .htaccess and save files on the server, the person who is logged on as an administrator of the web page (not server) could insert ip addresses he/she allows to visit the page.

Going to bed now :-)

Kj.

jonsof

But if you have not the authority to change the AllowOverride value from None to All would have this worked?

and what about the

include_once('/config/configurationfile.php');

Is a previous written script by you?

jonsof

any ideas? 🙂

mrcaveman

configurationfile.php is where I have stored the information about the database as, host, user and password configurations.

I tried to change the AllowOverride back to None. It didn't work, so I changed i back to All again. I would guess AuthConfig also would have worked instead of All.

Maybe there is a function that could change parameters in the httpd.conf file as it is possible to change the php.ini with ini_set() function. I don't know.

Please reply if you (or anyone) know about a function like that.

jonsof

Will be wise to use the global variable $_SERVER[REMOTE_ADDR] in order to take the ip of each user and then authenticate it via a stored list in the database?