It might be nice to be able to whitelist certain IP's from the basic authentication.

Use cases:

  • Allow access from your own ip without the password questions
  • When using the Web-based 'Cron method' in a master slave Aegir setup we have to allow the originating hostmaster server access.
CommentFileSizeAuthor
#13 whitelist_ip_s_for-2812853-13.patch7.82 KBhelmo
#11 whitelist_ip_s_for-2812853-11.patch8.23 KBhelmo
#2 whitelist_ip_s_for-2812853-2.patch7.02 KBhelmo
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

helmo created an issue. See original summary.

helmo’s picture

helmo CreditAttribution: helmo as a volunteer and at Initfour websolutions for Aegir Cooperative commented
Status: Active » Needs review
FileSize
whitelist_ip_s_for-2812853-2.patch7.02 KB

Here's a draft which basically works for apache. It needs a few extra lines for nginx ....

helmo’s picture

helmo CreditAttribution: helmo as a volunteer and at Initfour websolutions for Aegir Cooperative commented
Assigned: Unassigned » colan
Issue summary: View changes

@colan: Is this easy to to in nginx?

colan’s picture

colan
he/him
Primary language English
Location Toronto 🇨🇦
CreditAttribution: colan at Colan Schwartz Consulting for Aegir Cooperative commented

I haven't had the need to set this up yet, but it looks like it can be done as per Restricting Access with HTTP Basic Authentication.

milovan’s picture

milovan CreditAttribution: milovan commented

Great patch, works as expected (on Apache)! Little request if possible, add to description also that adding multiple ip addresses should be separated with one blank space.
Other than that, awesome job, thank you.

milovan’s picture

milovan CreditAttribution: milovan commented

Not to be picky, but I stumbled on one "design" issue. I wanted to protect local development server, but to allow everyone in local (IP 192.168.1.*) to access site without typing in credentials. So, I tried to use * for wildcard, but that didn't work. When I tried to enter IP addresses of developers' computers, I was faced with field limitation of total characters (around 15 IP addresses can sit in 255 character limit).

Is it possible to either add support for wildcard, or maybe make a list of IP fields (like on server tab)? Or if I am doing something wrong, to please let me know how to achieve it.
Thanks!

helmo’s picture

helmo CreditAttribution: helmo as a volunteer and at Initfour websolutions for Aegir Cooperative commented

192.168.1.0/24 should work in your case.

Have a look at the examples from apache on https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html#allow for more options.

milovan’s picture

milovan CreditAttribution: milovan commented

Thanks for the link, that did a trick! All works now, as far as I am concerned, "Tested and Approved"!

helmo’s picture

helmo CreditAttribution: helmo as a volunteer and at Initfour websolutions for Aegir Cooperative commented

We could add a small check in the UI to only enable this for Apache installations until the nginx backend is done.

We have `protected $application_name == apache|nginx` in those objects ... but why is it protected?

helmo’s picture

helmo CreditAttribution: helmo as a volunteer and at Initfour websolutions for Aegir Cooperative commented

Found this while chattign with ergonlogic in irc
drush php-eval "print_r(d('@server_master')->service('http')->config_data()['application_name']);

helmo’s picture

helmo CreditAttribution: helmo as a volunteer and at Initfour websolutions for Aegir Cooperative commented
FileSize
whitelist_ip_s_for-2812853-11.patch8.23 KB

I've added the check for apache and also a validation hook to limit the input a bit

ergonlogic’s picture

ergonlogic
he/him
Primary language English
Location Montréal, Québec 🇨🇦
CreditAttribution: ergonlogic at Ergon Logic Enterprises for Aegir Cooperative commented
Status: Needs review » Needs work

A few minor style regressions appear to have found their may into the latest patch:

 /**
- * Implements hook_update_N().
+ * implements hook_update_n().
  *
- * Add the message field to the table.
+ * add the message field to the table.
  */
 function hosting_http_basic_auth_update_6100() {
   $ret = array();
 
   $field['message'] = array(
     'type' => 'text',
-    'not null' => TRUE,
+    'not null' => true,
   );
helmo’s picture

helmo CreditAttribution: helmo as a volunteer and at Initfour websolutions for Aegir Cooperative commented
Status: Needs work » Needs review
FileSize
whitelist_ip_s_for-2812853-13.patch7.82 KB

Hmm, that already was in my patch from #2 :( ... now it's gone.

  • helmo committed 40c1b2a on 7.x-3.x 
    Issue #2812853 by helmo: whitelist IP's for basic auth (Apache only for...
helmo’s picture

helmo CreditAttribution: helmo as a volunteer and at Initfour websolutions for Aegir Cooperative commented
Status: Needs review » Fixed

committed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.