1

How would I set up Joomla to require or bypass authentication based on the visitor's IP address?

I would like to set up a Joomla website that requires visitors to log in, unless they are visiting from a specific IP address or subnet.

Also, I would like the login to be LDAP based.

I would be hosting the Joomla site on my local network and exposing it via my router with port-forwarding.

Corey
  • Does the solution need to log your users in to Joomla, or is it good enough if it allows or denies them access to Joomla? What webserver are you using? – sciurus Sep 01 '11 at 18:31
  • Do you expect the web server to do authentication via HTTP, or did you want your application to do authentication via forms? If you go pure HTTP auth, then this should be pretty easy. – Zoredache Sep 02 '11 at 20:00
  • It does not need to log them into Joomla, just allow or deny access. I am currently using Apache. Can HTTP auth be done via HTTPS? – Corey Sep 07 '11 at 13:46

5 Answers

2

I would like to set up a Joomla website that requires visitors to log in, unless they are visiting from a specific IP address or subnet.

Create a Virtual Host for Joomla as below:

<VirtualHost *:80>
    ServerName  joomla.yourdomain.com
    ServerAdmin ...
    DocumentRoot /var/www/html/joomla
    ErrorLog logs/joomla.error_log

    <Directory "/var/www/html/joomla">
        Options ...
        Order allow,deny
        Allow from 192.168.1.0/24
        Satisfy Any
    </Directory>
</VirtualHost>

Also, I would like the login to be LDAP based.

You can do it by using mod_authz_ldap, something like this:

LoadModule authz_ldap_module modules/mod_authz_ldap.so

<IfModule mod_authz_ldap.c>

   # <Location> matches URL paths; a filesystem path needs <Directory>
   <Directory "/var/www/html/joomla">
       AuthBasicProvider ldap
       AuthzLDAPAuthoritative Off
       AuthLDAPURL ldap://IP:3268/dc=domain,dc=com?sAMAccountName
       AuthLDAPBindDN cn=binduser,dc=domain,dc=com
       AuthLDAPBindPassword secret
       AuthType Basic
       AuthName "Authorization required"
       require valid-user
       AuthzLDAPLogLevel debug
   </Directory>

</IfModule>

Is HTTPS auth using LDAP (MS-AD) an option?

Yes.

quanta
  • Is it possible to have the login prompt done securely (over HTTPS) but host the site itself over normal HTTP? – Corey Sep 08 '11 at 13:17
  • As I understand it, it is impossible. Either you force a redirect to https or you do it in PHP code: log in via https and redirect back to http after that. – quanta Sep 08 '11 at 15:15
1

I'm not sure if this is what you are after, but...

Another option is to change the .htaccess file to allow access by IP

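# <Limit GET> applies these rules to GET (and HEAD) requests only;
# other methods such as POST are not restricted by this block.
<Limit GET>
    Order Deny,Allow
    Deny from all
    Allow from 100.100.100.100
</Limit>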

Optional: You can add multiple addresses by separating them with commas.

100.100.100.101, 100.100.100.102 
Rhys
1

The Apache documentation to look at is Access Control (the 'by host' section), Authentication, Authorization and Access Control (the 'satisfy' directive), mod_auth_basic, and mod_authnz_ldap. A sample configuration to do what you want is

AuthType Basic
AuthBasicProvider ldap
AuthName "Joomla"
# change the ldap attributes to what matches your environment
AuthLDAPBindDN "uid=example,ou=example,dc=example,dc=com"
AuthLDAPBindPassword example
AuthLDAPURL "ldap://example.com:port/basedn?attribute?scope?filter"
Order allow,deny
# change the ip to match your network that should not have to authenticate
Allow from 10.0.0.0/24
Satisfy any
sciurus
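
The same "exempt subnet or LDAP login" policy in Apache 2.4 syntax, where `Require ip` and `<RequireAny>` replace `Order`/`Allow`/`Satisfy`, served over HTTPS so the Basic credentials are not sent in clear text. This is an added example, not part of any answer on this page; the host name, certificate paths, LDAP server, base DN and bind account are placeholders, and it assumes mod_ssl, mod_ldap and mod_authnz_ldap are loaded.

```apache
# Added example. Placeholders: joomla.example.com, certificate paths,
# ldap.example.com, the base DN and the bind account.

# Plain HTTP only redirects, so the Basic credentials are never sent unencrypted.
<VirtualHost *:80>
    ServerName joomla.example.com
    Redirect permanent / https://joomla.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName   joomla.example.com
    DocumentRoot /var/www/html/joomla

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/joomla.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/joomla.example.com.key

    <Directory "/var/www/html/joomla">
        AuthType Basic
        AuthName "Joomla"
        AuthBasicProvider ldap
        # ldaps:// encrypts the bind and the user's password between Apache
        # and the directory server; the server's CA must be trusted by
        # mod_ldap (LDAPTrustedGlobalCert).
        AuthLDAPURL "ldaps://ldap.example.com/dc=example,dc=com?sAMAccountName?sub"
        AuthLDAPBindDN "cn=binduser,dc=example,dc=com"
        AuthLDAPBindPassword "CHANGE_ME"

        # Equivalent of "Allow from ... / Satisfy Any":
        # a request passes if either condition holds.
        <RequireAny>
            Require ip 192.168.1.0/24
            Require valid-user
        </RequireAny>
    </Directory>
</VirtualHost>
```

`Require ip` matches the address Apache sees for the connection. With the port-forwarding setup from the question, check the access log to confirm that external visitors do not arrive with the router's LAN address, which would fall inside the exempt subnet.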
1

You might want to consider using .htaccess to simply put a username/password there, so unless they have the front-end password they can't get to the website at all.

Edward_178118
0

You should set up nginx as a proxying frontend. Nginx can do this using the following config directives:

auth_basic      "Restricted";
auth_basic_user_file  htpasswd;
satisfy any;
allow 10.0.0.0/24;
allow 10.1.0.0/24;
allow 10.2.1.1;
deny all;

This way you can bypass the authentication for IPs listed explicitly in allow and have the auth popup dialog for all other IPs.

Alex