
    webserver (nginx) security

    badger | # 1 | 2008-01-07, 04:29 | Report

    Hi Guys,

    I am looking for some help. I have installed nginx and PHP to my n810 and configured a blog system which uses flatfiles as its db. This works perfectly and is being used as my diary for personal thoughts etc.

    The issue I am facing is that if I am connected to a WLAN network it is possible for anyone on that network to access this blog by hitting the URL.

    I can obviously create a PHP script which looks for the useragent and only displays the blog if it's being hit from the device, but this doesn't allow me to access the blog from a PC if I wanted to...

    Does the nginx httpd allow me to do anything special with regards to adding security to folders on the webserver?

    I want to be able to password protect a folder if it's not being accessed via the device itself...

    I guess I will need to do this with php but wanted to know if there are any other options...

    Thanks in advance for your help.

    badger


     
    clach04 | # 2 | 2008-01-07, 04:37 | Report

    Typically one can instruct the web server to bind to a specific IP address. If you bind to 127.0.0.1, it should only allow connections from that host. Binding to 0.0.0.0 usually allows any client/remote machine to connect.

    Hope that helps get you pointed in the right direction.


     
    badger | # 3 | 2008-01-07, 05:54 | Report

    Thanks for the response - however, I wanted a little more flexibility than locking down to IP; I connect to a lot of networks and do not always have the same IP.

    My requirements were as follows:

    Originally Posted by
    Run a private php based blog on my n810, restrict access to the blog from any other machine on the network but when needed, have the ability to login and access the blog via a desktop web browser.
    I created the following php script which provides me with just that functionality.

    PHP Code:
    <?php
    // Substrings that identify the tablet's own browser in the User-Agent header.
    $list = array("tablet browser");
    // $list = array("tablet browser", "other", "value");

    // Case-insensitive test: does $string contain any entry of $matchesArray?
    function searchValues($string, $matchesArray) {
      foreach ($matchesArray as $currentTest) {
        if (strpos(strtolower($string), strtolower($currentTest)) !== false) {
          return true;
        }
      }
      return false;
    }

    // Read request data from $_SERVER; $HTTP_SERVER_VARS and the
    // register_globals variables $PHP_AUTH_USER / $PHP_AUTH_PW are not
    // available in current PHP.
    $user_agent = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : "";
    $auth_user  = isset($_SERVER["PHP_AUTH_USER"]) ? $_SERVER["PHP_AUTH_USER"] : "";
    $auth_pw    = isset($_SERVER["PHP_AUTH_PW"]) ? $_SERVER["PHP_AUTH_PW"] : "";

    if (searchValues($user_agent, $list)) {
      // ------------------------------------------
      // on the tablet
      // ------------------------------------------
      header('Location: /dir/name/file.php');
    } else {
      // ------------------------------------------
      // not on the tablet
      // ------------------------------------------
      // Change guest & password to your chosen username & password
      if ($auth_user !== "guest" || $auth_pw !== "password") {
        header('WWW-Authenticate: Basic realm="Protected Area"');
        header("HTTP/1.1 401 Unauthorized");
        echo "Failed to authenticate.";
        exit();
      } else {
        // ------------------------------------------
        // refresh / redirect to an internal web page
        // ------------------------------------------
        header('refresh: 3; url=/dir/name/file.php');
        echo "You are logged in successfully as: " . $auth_user;
        echo "<br>";
        echo '<h1>You will be re-directed in 3 seconds...</h1>';
      }
    }
    ?>
    Save the above script as "detect.php" and place it within /var/www/ and then use a
    PHP Code:
    <?php include 'detect.php'; ?>
    on all of the web pages you want to secure.

    The script looks at the UserAgent and if it doesn't contain the words "tablet browser" it prompts for a username and password.

    Please let me know your thoughts on this and post any alterations/improvements.

    badger


    Last edited by badger; 2008-01-07 at 05:57.
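
The requirement stated in posts #1 and #3 (no prompt on the device itself, a password from any other machine) can also be expressed in nginx itself, keyed on the connection's source address. This is an added example, not a configuration from the thread; the document root, password-file path and PHP FastCGI address are assumptions.

```nginx
# Added example, not from the thread. Document root, htpasswd path and the
# PHP FastCGI address are assumptions; adjust them to the local install.

# Variant 1 (posts #2 and #4): loopback only. Nothing on the WLAN can
# connect, and neither can a desktop PC.
#
#   server { listen 127.0.0.1:80; ... }

# Variant 2: reachable from the network, password required unless the
# request comes from the device itself.
server {
    listen 80;
    root   /var/www;
    index  index.php;

    # Set at server level so the rules also cover the regex location below.
    # Access rules written only inside "location /" would not apply to
    # requests that nginx routes to "location ~ \.php$".
    satisfy any;            # let the request through if EITHER check passes
    allow   127.0.0.1;      # check 1: the TCP peer is the loopback address
    deny    all;
    auth_basic           "Protected Area";           # check 2: HTTP basic auth
    auth_basic_user_file /etc/nginx/blog.htpasswd;   # assumed path

    # The address check uses the socket's peer address, not the User-Agent
    # header, whose value is set by whoever sends the request.
    # Basic-auth credentials cross the WLAN base64-encoded, not encrypted,
    # unless this server is also given a TLS listener.

    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  127.0.0.1:9000;   # assumed PHP FastCGI address
    }
}
```

Lines in the password file have the form `user:hash`, and `openssl passwd -apr1` produces a hash format nginx accepts. `nginx -t` checks the configuration before it is reloaded.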

     
    Khertan | # 4 | 2008-01-07, 12:08 | Report

    127.0.0.1 is localhost ... so if you restrict it to this IP ... your device can connect to it every time ... and only your device.


     
    EIPI | # 5 | 2008-01-07, 13:09 | Report

    How about using iptables? I just checked, and there is a 'man' page on it on my N800 running OS2008. I do not think there is a GUI front end ported, that I know of. But it can be configured from the command line.

    EDIT - I just thought about your situation further. If you are on a network that is not yours, then web traffic can only go to your tablet's http server if someone on that network types in your DHCP reserved IP into their web browser. They cannot access your server's information if they know the URL, since the network that you are connected to cannot direct web traffic to your server.


    Last edited by EIPI; 2008-01-07 at 13:57.

     