Password access for Intranet Web site
How can one protect an Intranet web site while allowing access from the Internet? Internal users need to see the web site without typing in a password, but when users access it from the outside they need to type in a name and password, or, even better still, use an HTTPS session. I can give more than one internal IP to the server if I have to. Is htaccess the way to go? (Joomla website) Thanks!
Answer:
I presume you have an Apache web server?
bright77blue at Ask.Metafilter.Com
Other answers
There is probably a better, more secure way than this, but it's how I would probably approach it:

    <?php
    // Choose the landing page by client IP: internal addresses go to the
    // trusted page, everyone else to the password-protected one.
    $accesslevel = $_SERVER['REMOTE_ADDR'];
    // Anchored with ^ and $ so the pattern must match the whole address,
    // not just a substring of it (e.g. "10.1.2.3" inside "210.1.2.34").
    if (preg_match("/^local.ip.address.goes.here$/", $accesslevel)) {
        header('Location: http://www.yourintranet.com/trusted.php');
    } else {
        header('Location: http://www.yourintranet.com/passwordprotected.php');
    }
    exit; // stop here so nothing after the redirect header is sent
twistedonion
If there is data on your intranet that you want/need to keep private, don't connect it directly to the public internet, even with a password wall; you're opening yourself up to trouble. If your users really need access to it remotely, look into providing them with VPN access to your internal network, where they'll be able to hit the intranet through the same mechanism that they hit it already. OpenVPN is one open/free method of doing this across multiple platforms, though setting it up requires more than a passing understanding of networking in general and your network layout in particular. (Though this may be a good thing... the security implications of a badly configured VPN can be staggering.) There are other options for providing VPN access, with varying levels of free-ness and ease of setup.
toxic
Hi, yes, it is Apache on Linux. I was wondering if twistedonion's idea needs another PHP file to authenticate the user, which I do not have. Is there any way of doing it with .htaccess? Thx again, BB
bright77blue
Apache has an excellent doc on its authentication mechanisms: http://httpd.apache.org/docs/2.0/howto/auth.html. While I have not set up the specific configuration you're looking for, I'm pretty sure you can combine some 'Allow', 'Deny' and 'AuthXXX' directives, most likely in a Location block for your webroot (i.e. <Location "/">), in order to force HTTP auth for people outside your network.
cyrusdogstar
Ooh, here we go, a way to combine password- and IP-based authentication: http://httpd.apache.org/docs/2.0/mod/core.html#satisfy (found via the http://httpd.apache.org/docs/2.0/mod/mod_access.html page). The example given on the Satisfy page is exactly what you want: it lets you specify that users can either auth with HTTP Auth, or by requesting from a specific IP or hostname range.
cyrusdogstar
What type of firewall is your company/site using? Depending on the product, this can be easily accomplished with no change to your website's code. What toxic says is true, however. If you have data you don't want the world to see, don't allow the world to even get to the front door.
pmbuko
> Hi, yes, it is Apache on Linux. I was wondering if twistedonion's idea needs another PHP file to authenticate the user, which I do not have. Is there any way of doing it with .htaccess? Thx again, BB

It would require you to place that code at the top of index.php or whatever your root page is on the site. Not sure how this would integrate with Mambo tho... a static content page that requires a password and then redirects to the homepage would be workable but very messy, I guess. cyrusdogstar has the perfect solution imo.
twistedonion
Thinking about it for 10 seconds, I'm more inclined to agree with pmbuko and toxic.... if it's only for internal staff to see at home etc., I wouldn't open it to the www. Use VPN. Mambo can be quite insecure.
twistedonion
> Not sure how this would integrate with Mambo tho... a static content page that requires a password and then redirects to the homepage would be workable but very messy, I guess.

And horribly insecure. Don't assume that users always enter the site at the same page. What happens when I bookmark a deep link (a page on your intranet that isn't the front door -- say the page that has all the home and emergency contact phone numbers for your employees)? Right. I go to the bookmarked page, bypassing your static content/password page entirely. What happens when I then sign up to a social bookmark site, and inadvertently publish that bookmark when I choose to export all of my bookmarks to the social site? Right... a search engine finds it, and starts crawling your intranet. And now everyone's home phone number is just a google search away. In my office, this is a fireable offense. (As well it should be.)

If you absolutely must do this, here's how to do it in .htaccess with Satisfy:

    # Password side: Basic auth against an htpasswd file kept outside the
    # document root.
    AuthUserFile /somewhere/.htpassword
    AuthName "Private Website"
    AuthType Basic
    Require valid-user
    # IP side: deny everyone by default, then allow the internal range.
    # Without "Deny from all" the default Order deny,allow admits every
    # client, and Satisfy Any would then never ask for a password.
    Order deny,allow
    Deny from all
    Allow from 10.20.30
    # Grant access if EITHER the Require or the Allow check passes.
    Satisfy Any

This will allow users from 10.20.30.0/24 to access the site without a password, and users from other networks to access it if they have a username/password in /somewhere/.htpassword (managed with htpasswd, which ships with Apache). ("Satisfy Any" is telling Apache to accept either the Require statement or the Allow statement as acceptable to grant access. The default is Satisfy All, which would require both.) You probably should be doing this across a secured connection (https/SSL), because the auth data is sent in the clear, and your users will use the same password for the intranet as for their other work accounts, no matter how many times you tell them not to. Also make SURE that .htpassword is somewhere that isn't in the document root... but you knew that, right?
bright77blue, I know that you mean well, and I'm sure that you've been asked to do this by someone with much more authority who doesn't want to spend any money to do it, but it's a really bad idea, and it could very easily come back to bite your company and you personally in the ass. Again, I urge you to do this via VPN. Securing private data is not something to be taken lightly, and once data is leaked, it's out -- you'll never be able to put it back in again. Hope that's something that you, your bosses, and everyone with data on that intranet is comfortable with.
toxic
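The same "internal IP or valid user" policy in Apache 2.4 syntax, added here as a worked example (this is not part of the original thread and not Apache's own documentation). In 2.4 the Order/Allow/Deny/Satisfy directives cyrusdogstar and toxic refer to live in the compatibility module mod_access_compat and are deprecated; the native equivalent is a <RequireAny> container in which any one passing Require grants access. The hostname intranet.example.com, the 10.20.30.0/24 range, the certificate and password file paths and the DocumentRoot are all placeholders chosen for the example.

```apache
# Apache 2.4 version of the IP-or-password recipe (added example;
# hostname, subnet and file paths are placeholders, not from the thread).

# Force TLS so Basic-auth credentials never travel in the clear.
<VirtualHost *:80>
    ServerName intranet.example.com
    Redirect permanent "/" "https://intranet.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/intranet.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.com.key
    DocumentRoot /var/www/intranet

    # Scope the rule to every URL, so deep links and bookmarks cannot
    # bypass it the way a front-page-only password check can.
    <Location "/">
        AuthType Basic
        AuthName "Private Website"
        # Password file lives outside DocumentRoot; create it with
        #   htpasswd -B -c /etc/apache2/intranet.htpasswd alice
        # (-B selects bcrypt hashes; -c creates the file, so omit it when
        # adding further users).
        AuthUserFile /etc/apache2/intranet.htpasswd

        # Deny by default: the request is granted only if ANY one of the
        # Require lines succeeds; otherwise the client gets a 401 with a
        # WWW-Authenticate: Basic challenge.
        <RequireAny>
            Require ip 10.20.30.0/24
            Require valid-user
        </RequireAny>
    </Location>

    # Belt and braces: never serve a password or htaccess file, even if
    # one is ever dropped inside DocumentRoot by mistake.
    <FilesMatch "\.ht(passwd|access)$">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

Check it with `apachectl configtest`, then `curl -I https://intranet.example.com/` from an internal address (expect 200 with no credentials) and from an external one (expect 401 Unauthorized with a WWW-Authenticate header). One caveat: `Require ip` tests the peer address of the TCP connection as Apache sees it, so if a reverse proxy or load balancer sits in front of the server every client will appear to come from the proxy's address, and all of them will pass the IP check; in that deployment mod_remoteip must be configured to trust only that proxy's X-Forwarded-For header before this rule is safe.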