php-general Digest 12 Sep 2010 20:34:28 -0000 Issue 6937

Topics (messages 307973 through 307995):

Re: How to handle a submitted form with no changes -- best practices sought
        307973 by: Tamara Temple
        307974 by: Tamara Temple
        307977 by: Shawn McKenzie
        307995 by: Robert Cummings

Re: Disabling an extension on a perdir basis.
        307975 by: Richard Quadling
        307976 by: David Robley

1984 (Big Brother)
        307978 by: tedd
        307979 by: Joshua Kehn
        307980 by: Ashley Sheridan
        307981 by: Per Jessen

Re: Standalone WebServer for PHP
        307982 by: tedd
        307983 by: Ashley Sheridan
        307984 by: Andy McKenzie
        307985 by: tedd
        307986 by: Joshua Kehn
        307987 by: tedd
        307988 by: Jason Pruim
        307989 by: tedd
        307990 by: tedd
        307991 by: viraj
        307992 by: Ashley Sheridan
        307993 by: viraj
        307994 by: Andy McKenzie


----------------------------------------------------------------------
--- Begin Message ---

On Sep 11, 2010, at 10:46 PM, Shawn McKenzie wrote:
> It could however be a problem if there is a BOT or something that
> continually submits to your page. In that case (and in general) I would
> recommend using a form token that helps guard against this.

I've seen this on some sites, but I'm unclear how to implement this.
How is this generally done?

Thanks,
Tamara


--- End Message ---
--- Begin Message ---

On Sep 11, 2010, at 9:27 PM, viraj wrote:

> On Sat, Sep 11, 2010 at 10:22 PM, Tamara Temple <tamouse.li...@gmail.com> wrote:
>> I have a general question and am looking for best practices.
>>
>> Is it worth the overhead of passing along the previous values in the table
>> in hidden fields so that fields can be checked to see if they've been
>
> without storing all the values in respective hidden fields, calculate
> a 'checksum' on data and store in one hidden field. after the submit
> and before you decide on the update, you can calculate the checksum of
> submitted data, compare against the hidden field checksum and take the
> decision.
>
> if you maintain a session, storing checksum in session instead of
> client side (hidden field in form) will be more safe/secure and will
> help in improving the mechanism (persistent classes, serialized data
> etc)

Ah, interesting idea, I hadn't thought of that as an option. Yes, it makes sense. Also makes sense to store it in a session variable instead of on the form.

Thanks,
Tamara


--- End Message ---
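
Added example, not part of any list message: viraj's checksum approach, with the fingerprint kept in the session instead of a hidden field so the client cannot alter it. The function names, the 'row_fp' session key and the sample row are assumptions; $session stands in for $_SESSION.

```php
<?php
// Added example, not from the thread. Names (row_fingerprint, remember_row,
// row_changed, the 'row_fp' session key) are illustrative assumptions.
// Needs PHP 7.1+ (return types, ?? operator).

/**
 * Fingerprint only the editable fields, in a fixed order, so extra POST
 * keys (submit button, token) and field ordering do not affect the result.
 */
function row_fingerprint(array $row, array $fields): string
{
    $canonical = [];
    foreach ($fields as $name) {
        // Form values always arrive as strings; normalise DB values the same way.
        $canonical[$name] = isset($row[$name]) ? trim((string) $row[$name]) : '';
    }
    return hash('sha256', serialize($canonical));
}

/** Call when rendering the edit form for record $id. */
function remember_row(array &$session, int $id, array $dbRow, array $fields): void
{
    $session['row_fp'][$id] = row_fingerprint($dbRow, $fields);
}

/**
 * Call on submit. Returns true when an UPDATE is needed.
 * A missing fingerprint (expired session, form never rendered) is treated
 * as "changed" so the normal validation and update path still runs.
 */
function row_changed(array &$session, int $id, array $post, array $fields): bool
{
    $stored = $session['row_fp'][$id] ?? null;
    unset($session['row_fp'][$id]);            // one fingerprint per rendered form
    if ($stored === null) {
        return true;
    }
    return !hash_equals($stored, row_fingerprint($post, $fields));
}

// --- constructed sample data ---------------------------------------------
$fields  = ['name', 'email'];
$dbRow   = ['id' => 7, 'name' => 'Ada', 'email' => 'ada@example.com'];
$session = [];                                 // stands in for $_SESSION

// Case 1: user presses Save without editing anything.
remember_row($session, 7, $dbRow, $fields);
$post = ['name' => 'Ada', 'email' => 'ada@example.com', 'submit' => 'Save'];
var_dump(row_changed($session, 7, $post, $fields));

// Case 2: user edits the e-mail address.
remember_row($session, 7, $dbRow, $fields);
$post['email'] = 'ada@example.org';
var_dump(row_changed($session, 7, $post, $fields));
```

The fingerprint only says whether the submitted values differ from what was rendered; the submitted values still need the usual validation before they reach the database.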
--- Begin Message ---
On 09/12/2010 02:38 AM, Tamara Temple wrote:
> 
> On Sep 11, 2010, at 10:46 PM, Shawn McKenzie wrote:
>> It could however be a problem if there is a BOT or something that
>> continually submits to your page.  In that case (and in general) I would
>> recommend using a form token that helps guard against this.
> 
> I've seen this on some sites, but I'm unclear how to implement this.
> How is this generally done?
> 
> Thanks,
> Tamara
> 

You generate a token before you display the form, something like:
$token = md5(uniqid(rand(), TRUE));  Then stick this in a session var
and add it as a hidden input on your form.

Then on the receiving page check that the session token matches the
posted token.

viraj's idea sounds cool for your particular problem as well.

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
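
Added example, not code from the thread: the token flow Shawn describes (generate before display, keep in the session, emit as a hidden input, compare on receipt). It swaps md5(uniqid(rand(), TRUE)) for random_bytes(), because uniqid() is time-based and rand() is not a cryptographic generator, and it compares with hash_equals(). Function names, the 'form_tokens' session key and the TTL value are assumptions; $session stands in for $_SESSION.

```php
<?php
// Added example, not from the thread. Function names and the 'form_tokens'
// session key are illustrative assumptions. Needs PHP 7.1+.

const TOKEN_TTL = 900;   // seconds a rendered form stays submittable (assumed value)

/** Create a token for one named form and remember it server-side. */
function issue_form_token(array &$session, string $form, ?int $now = null): string
{
    $token = bin2hex(random_bytes(32));          // CSPRNG, not rand()/uniqid()
    $session['form_tokens'][$form] = [
        'value'  => $token,
        'issued' => $now ?? time(),
    ];
    return $token;
}

/** Hidden input to place inside the <form>. */
function token_field(string $token): string
{
    return '<input type="hidden" name="token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Check the posted token against the session copy.
 * The stored token is removed on every attempt, so a replayed or
 * double-submitted form fails the second time.
 */
function consume_form_token(array &$session, string $form, $posted, ?int $now = null): bool
{
    $entry = $session['form_tokens'][$form] ?? null;
    unset($session['form_tokens'][$form]);

    if ($entry === null || !is_string($posted) || $posted === '') {
        return false;                             // no form was rendered, or field missing
    }
    if (($now ?? time()) - $entry['issued'] > TOKEN_TTL) {
        return false;                             // stale form
    }
    return hash_equals($entry['value'], $posted); // constant-time comparison
}

// --- constructed walk-through; $session stands in for $_SESSION -----------
$session = [];

// Page 1: render the form.
$token = issue_form_token($session, 'edit_entry');
echo token_field($token), "\n";

// Page 2: the browser posts the form back.
$post = ['token' => $token, 'name' => 'Ada'];
var_dump(consume_form_token($session, 'edit_entry', $post['token'] ?? null));

// The same request sent again (bot replay, double click).
var_dump(consume_form_token($session, 'edit_entry', $post['token'] ?? null));

// A request that never loaded the form and guesses a token.
var_dump(consume_form_token($session, 'edit_entry', str_repeat('0', 64)));

// A form left open longer than TOKEN_TTL.
$old = issue_form_token($session, 'edit_entry', time() - TOKEN_TTL - 1);
var_dump(consume_form_token($session, 'edit_entry', $old));
```

In a real page, call session_start() first and pass $_SESSION by reference in place of $session.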
--- Begin Message ---
On 10-09-11 12:52 PM, Tamara Temple wrote:
> I have a general question and am looking for best practices.
>
> Suppose I present a user with a form for editing an entry in a table,
> i.e., the form has filled in values from the existing table entry.
>
> Now, suppose they click on 'submit' without making any changes in the
> form. (Perhaps, say, rather than clicking 'Cancel' or 'Return to Main'
> or some other option which would get them out of that screen without
> submitting the form).
>
> Is it worth the overhead of passing along the previous values in the
> table in hidden fields so that fields can be checked to see if they've
> been updated or not after the submit? Or is it worth reloading the old
> values from the table to check against the newly submitted form? Or is
> all that overhead not worth the time because an update that overwrites
> existing values with the same values is not that onerous?
>
> (Is that question clear enough?)

I use database table to object mapping classes. The base class sets a dirty bit if a field actually changes. If an attempt is made to save the data and no dirty bits are set, then the save method returns true for a successful save, but no commit to database is made since nothing has changed. In this way I never think about the problem beyond the original implementation of the base class.

Cheers,
Rob.

--- End Message ---
--- Begin Message ---
On 11 September 2010 20:24, Jim Lucas <li...@cmsws.com> wrote:
> As I thought, looking through the docs, it looks like the only way to set
> the options that are only settable via the php.ini file is to use a per
> directory php.ini file.  But, the problem with that is, it only works with
> the CGI/FASTCGI SAPI version of php.  It won't work with the apache mod
> version.
>
> So, I guess the question back to you is, what is your setup like?  And if it
> isn't CGI/FASTCGI SAPI are you willing to change to that setup?
>
> Read More: http://www.php.net/manual/en/configuration.file.per-user.php

Thanks for that. FastCGI. Will do some more work on it now.


-- 
Richard Quadling
Twitter : EE : Zend
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY

--- End Message ---
--- Begin Message ---
Richard Quadling wrote:

> On 11 September 2010 20:24, Jim Lucas <li...@cmsws.com> wrote:
>> As I thought, looking through the docs, it looks like the only way to set
>> the options that are only settable via the php.ini file is to use a per
>> directory php.ini file.  But, the problem with that is, it only works
>> with the CGI/FASTCGI SAPI version of php.  It won't work with the apache
>> mod version.
>>
>> So, I guess the question back to you is, what is your setup like?  And if
>> it isn't CGI/FASTCGI SAPI are you willing to change to that setup?
>>
>> Read More: http://www.php.net/manual/en/configuration.file.per-user.php
> 
> Thanks for that. FastCGI. Will do some more work on it now.
> 
> 
If you are wanting to disable parsing of php files on a per-directory basis,
you can do this via .htaccess using

php_flag engine 1|0 (or on|off if you prefer)

http://php.net/manual/en/apache.configuration.php#ini.engine Rather well
hidden - took me a few minutes to dig it out :-)



Cheers
-- 
David Robley

If you would know a man, observe how he treats a cat.
Today is Setting Orange, the 36th day of Bureaucracy in the YOLD 3176. 


--- End Message ---
--- Begin Message ---
Hi gang:

I have a client who wants his employees' access to their online business database restricted to only times when he is logged on. (Don't ask why)

In other words, when the boss is not logged on, then his employees cannot access the business database in any fashion whatsoever including checking to see if the boss is logged on, or not. No access whatsoever!

Normally, I would just set up a field in the database and have that set to "yes" or "no" as to if the employees could access the database, or not. But in this case, the boss does not want even that type of access to the database permitted. Repeat -- No access whatsoever!

I was thinking of the boss' script writing to a file that accomplished the "yes" or "no" thing, but if the boss did not log off properly then the file would remain in the "yes" state allowing employees undesired access. That would not be acceptable.

So, what methods would you suggest?

Cheers,

tedd

--
-------
http://sperling.com/

--- End Message ---
--- Begin Message ---
Tedd-

Would he consider access to another database? I.e. a separate, say memcached db 
which stores the "boss" status?

An issue with the temporary file would also be session length, if the session 
expires without the user explicitly logging off, the file wouldn't be removed. 
A way to bypass this would be to add some sort of session expiration header to 
the file and update that.

And couldn't you make a simple check if the boss is logged in or not by the 
ability to access the database? 

Regards,

-Josh 
____________________________________
Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com

On Sep 12, 2010, at 12:32 PM, tedd wrote:

> Hi gang:
> 
> I have a client who wants his employees' access to their online business 
> database restricted to only times when he is logged on. (Don't ask why)
> 
> In other words, when the boss is not logged on, then his employees cannot 
> access the business database in any fashion whatsoever including checking to 
> see if the boss is logged on, or not. No access whatsoever!
> 
> Normally, I would just set up a field in the database and have that set to 
> "yes" or "no" as to if the employees could access the database, or not. But 
> in this case, the boss does not want even that type of access to the database 
> permitted. Repeat -- No access whatsoever!
> 
> I was thinking of the boss' script writing to a file that accomplished the 
> "yes" or "no" thing, but if the boss did not log off properly then the file 
> would remain in the "yes" state allowing employees undesired access. That 
> would not be acceptable.
> 
> So, what methods would you suggest?
> 
> Cheers,
> 
> tedd
> 
> -- 
> -------
> http://sperling.com/
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 


--- End Message ---
--- Begin Message ---
On Sun, 2010-09-12 at 12:32 -0400, tedd wrote:

> Hi gang:
> 
> I have a client who wants his employees' access to their online 
> business database restricted to only times when he is logged on. 
> (Don't ask why)
> 
> In other words, when the boss is not logged on, then his employees 
> cannot access the business database in any fashion whatsoever 
> including checking to see if the boss is logged on, or not. No access 
> whatsoever!
> 
> Normally, I would just set up a field in the database and have that 
> set to "yes" or "no" as to if the employees could access the 
> database, or not. But in this case, the boss does not want even that 
> type of access to the database permitted. Repeat -- No access 
> whatsoever!
> 
> I was thinking of the boss' script writing to a file that 
> accomplished the "yes" or "no" thing, but if the boss did not log off 
> properly then the file would remain in the "yes" state allowing 
> employees undesired access. That would not be acceptable.
> 
> So, what methods would you suggest?
> 
> Cheers,
> 
> tedd
> 
> -- 
> -------
> http://sperling.com/
> 


What about using the timestamp of that file as well? Then have the
boss's login update the file periodically, and the employees can only
access if the file exists and is of a certain age or newer. That should
solve the easiest problem, although you still are left with the issue of
the boss...

Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
--- Begin Message ---
tedd wrote:

> Hi gang:
> 
> I have a client who wants his employees' access to their online
> business database restricted to only times when he is logged on.
> (Don't ask why)
> 
> In other words, when the boss is not logged on, then his employees
> cannot access the business database in any fashion whatsoever
> including checking to see if the boss is logged on, or not. No access
> whatsoever!
> 
> Normally, I would just set up a field in the database and have that
> set to "yes" or "no" as to if the employees could access the
> database, or not. But in this case, the boss does not want even that
> type of access to the database permitted. Repeat -- No access
> whatsoever!
> 
> I was thinking of the boss' script writing to a file that
> accomplished the "yes" or "no" thing, but if the boss did not log off
> properly then the file would remain in the "yes" state allowing
> employees undesired access. That would not be acceptable.
> 
> So, what methods would you suggest?

I would ask the boss to confirm his presence maybe once an hour and only
allow employees access when the last such confirmation is less than an
hour old. 



-- 
Per Jessen, Zürich (21.4°C)


--- End Message ---
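
Added example, not code from the thread: the timestamp-file gate that Ash and Per describe, which denies access whenever the boss's last confirmation is missing or too old, so a forgotten logout closes itself. The file location, the function names and the one-hour window (Per's figure) are assumptions.

```php
<?php
// Added example, not from the thread. The file path, function names and
// HEARTBEAT_MAX_AGE are illustrative assumptions. Needs PHP 7.1+.
// Keep the heartbeat file outside the document root and writable only by
// the account the web server runs as.

const HEARTBEAT_MAX_AGE = 3600;   // seconds since the boss last confirmed presence

/** Called from the boss's authenticated pages (login and each confirmation). */
function boss_heartbeat(string $file): bool
{
    // touch() creates the file if needed and sets its mtime to now.
    return touch($file);
}

/** Called on explicit logout; a missed logout is covered by the age check. */
function boss_logout(string $file): void
{
    if (is_file($file)) {
        unlink($file);
    }
}

/**
 * Gate for employee pages. Call it before any database connection is
 * opened, so a closed gate means the database is never touched.
 * Fails closed: a missing file, an unreadable mtime, or a timestamp in
 * the future (clock change, tampering) all deny access.
 */
function employees_allowed(string $file, ?int $now = null): bool
{
    clearstatcache(true, $file);          // PHP caches stat() results within a request
    $mtime = @filemtime($file);
    if ($mtime === false) {
        return false;
    }
    $age = ($now ?? time()) - $mtime;
    return $age >= 0 && $age <= HEARTBEAT_MAX_AGE;
}

// --- constructed walk-through using a temporary file -----------------------
$file = sys_get_temp_dir() . '/boss_heartbeat_' . bin2hex(random_bytes(4));

var_dump(employees_allowed($file));                     // boss never logged in
boss_heartbeat($file);
var_dump(employees_allowed($file));                     // fresh confirmation
var_dump(employees_allowed($file, time() + 2 * 3600));  // two hours later, no logout
boss_logout($file);
var_dump(employees_allowed($file));                     // explicit logout
```

The employee script only reads a file's modification time, so it learns nothing from the database itself; the gate has to run at the top of every employee entry point to be effective.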
--- Begin Message ---
At 4:42 PM -0400 9/10/10, Daniel Brown wrote:
> On Fri, Sep 10, 2010 at 16:37, Steve Staples <sstap...@mnsi.net> wrote:
>> Ok, here it goes...
>>
>> I am building an app, that requires a web interface.

-snip-

>> i want to be able to run it on like port 8880 or something... just
>> looking out there for something...
>
>     I had written one about two years ago for a project, but the code
> belongs to the client company, so it won't make it to open source.
> However, not only can it be done, but there's even some in existence.
> Check this one out:
>
>         http://nanoweb.si.kz/
>
>     I've never used it myself, but it may be worth a shot for you.
> --
> </Daniel P. Brown>

A question, to clarify my fuzzy thinking about such things:

Can a business have a server connected to the Internet but limit access to just their employees? I don't mean a password protected scheme, but rather the server being totally closed to the outside world other than to their internal employees? Or is this something that can only be provided by a LAN with no Internet connection?

Cheers,

tedd

--
-------
http://sperling.com/

--- End Message ---
--- Begin Message ---
On Sun, 2010-09-12 at 12:55 -0400, tedd wrote:

> At 4:42 PM -0400 9/10/10, Daniel Brown wrote:
> >On Fri, Sep 10, 2010 at 16:37, Steve Staples <sstap...@mnsi.net> wrote:
> >>  Ok, here it goes...
> >>
> >  > I am building an app, that requires a web interface.
> 
> -snip-
> 
> >  > i want to be able to run it on like port 8880 or something... just
> >>  looking out there for something...
> >
> >     I had written one about two years ago for a project, but the code
> >belongs to the client company, so it won't make it to open source.
> >However, not only can it be done, but there's even some in existence.
> >Check this one out:
> >
> >         http://nanoweb.si.kz/
> >
> >     I've never used it myself, but it may be worth a shot for you.
> >--
> ></Daniel P. Brown>
> 
> A question, to clarify my fuzzy thinking about such things:
> 
> Can a business have a server connected to the Internet but limit 
> access to just their employees? I don't mean a password protected 
> scheme, but rather the server being totally closed to the outside 
> world other than to their internal employees? Or is this something 
> that can only be provided by a LAN with no Internet connection?
> 
> Cheers,
> 
> tedd
> 
> -- 
> -------
> http://sperling.com/
> 


Not entirely sure what you're asking, but could you maybe achieve
something like this with a WAN using a VPN?

Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
--- Begin Message ---
>
> A question, to clarify my fuzzy thinking about such things:
>
> Can a business have a server connected to the Internet but limit access to
> just their employees? I don't mean a password protected scheme, but rather
> the server being totally closed to the outside world other than to their
> internal employees? Or is this something that can only be provided by a LAN
> with no Internet connection?
>
> Cheers,
>
> tedd

Hey, one I can answer!

The short answer is "Yes".  It can be done in a firewall:  for
instance, take the following network setups.

1) Internal machines on a single range (10.10.0.1-10.10.0-254),
gateway machine at 10.10.0.1, web server at 10.10.0.2.
  In this situation, the gateway passes traffic web traffic from
outside to 10.10.0.2/80 (destination NATing, in linux's iptables), and
traffic from inside to 10.10.0.2/8880.  There's no reasonable way for
outside traffic to reach the web server, but the web server can still
reach the outside world.  If you don't want to have ANYONE outside the
private network reach the web server, you can eliminate the dnat rule
so port 80 traffic isn't forwarded.  If the employees need access from
outside, a VPN would work best, as Ash suggested, but there are other
options.  The catch is that you need to either use virtual hosts,
which brings one set of problems, or two pieces of web-server software
(two instances of apache, for instance), which brings a different set
of problems.

2) All systems on publicly reachable addresses
(230.54.8.0-230.54.8.254, to pick at random).  The web server is at
230.54.8.2, there is no gateway.  The firewall here needs to be on the
web server, since there is no gateway, and it only allows port 8880
traffic in if it's from the range 230.54.8.0/24.  Again, if no
external access is necessary, it can be simplified somewhat.

In either instance, employees with permanent IP addresses at home can
be allowed in via the firewall.

-Alex

3)

--- End Message ---
--- Begin Message ---
At 5:57 PM +0100 9/12/10, Ashley Sheridan wrote:
> On Sun, 2010-09-12 at 12:55 -0400, tedd wrote:
>
>> Can a business have a server connected to the Internet but limit
>> access to just their employees? I don't mean a password protected
>> scheme, but rather the server being totally closed to the outside
>> world other than to their internal employees? Or is this something
>> that can only be provided by a LAN with no Internet connection?
>
> Not entirely sure what you're asking, but could you maybe achieve something like this with a WAN using a VPN?
>
> Thanks,
> Ash

Ash:

I'm sure this is an obvious question for many on this list, but I'm not above showing my ignorance.

I guess what I am asking -- if a client wanted an application written (in web languages) so that their employees could link all their different computers together and share/use information using browsers, is that possible using a server that is not connected to the Internet?

Look, I know that I can solve my clients problems by finding a host and writing scripts to do what they want -- that's not a problem. But everything I do is open to the world. Sure I can provide some level of security, but nothing like the security that can be provided behind closed and locked doors.

So, can I do what I do (i.e., programming) without having a host? Can I install a local server at my clients location and interface all their computers to use the server without them ever being connected to the Internet?

Maybe I should ask my grandson. :-)

Cheers,

tedd

--
-------
http://sperling.com/

--- End Message ---
--- Begin Message ---
On Sep 12, 2010, at 1:33 PM, tedd wrote:

> At 5:57 PM +0100 9/12/10, Ashley Sheridan wrote:
>> On Sun, 2010-09-12 at 12:55 -0400, tedd wrote:
>> 
>>> Can a business have a server connected to the Internet but limit
>>> access to just their employees? I don't mean a password protected
>>> scheme, but rather the server being totally closed to the outside
>>> world other than to their internal employees? Or is this something
>>> that can only be provided by a LAN with no Internet connection?
>>> 
>> 
>> Not entirely sure what you're asking, but could you maybe achieve something 
>> like this with a WAN using a VPN?
>> 
>> Thanks,
>> Ash
> 
> Ash:
> 
> I'm sure this is an obvious question for many on this list, but I'm not above 
> showing my ignorance.
> 
> I guess what I am asking -- if a client wanted an application written (in web 
> languages) so that their employees could link all their different computers 
> together and share/use information using browsers, is that possible using a 
> server that is not connected to the Internet?
> 
> Look, I know that I can solve my clients problems by finding a host and 
> writing scripts to do what they want -- that's not a problem. But everything 
> I do is open to the world. Sure I can provide some level of security, but 
> nothing like the security that can be provided behind closed and locked doors.
> 
> So, can I do what I do (i.e., programming) without having a host? Can I 
> install a local server at my clients location and interface all their 
> computers to use the server without them ever being connected to the Internet?
> 
> Maybe I should ask my grandson. :-)
> 
> Cheers,
> 
> tedd
> 
> -- 
> -------
> http://sperling.com/
> 
> 


Tedd-

What do you mean "without ever being connected to the internet?" That statement 
throws me a bit because if it isn't connected to the public net the only 
alternative would be to run hard lines between hosts.

Regards,

-Josh
____________________________________
Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com


--- End Message ---
--- Begin Message ---
At 1:40 PM -0400 9/12/10, Joshua Kehn wrote:
> On Sep 12, 2010, at 1:33 PM, tedd wrote:
>
>> So, can I do what I do (i.e., programming) without having a host? Can I install a local server at my clients location and interface all their computers to use the server without them ever being connected to the Internet?
>
> Tedd-
>
> What do you mean "without ever being connected to the internet?" That statement throws me a bit because if it isn't connected to the public net the only alternative would be to run hard lines between hosts.
>
> Regards,
>
> -Josh

-Josh:

Yes, to connect the physically local computers together via hard lines (Ethernet) or via a router.

But in my above context "closed to the Internet" would mean no outside connection.

Cheers,

tedd
--
-------
http://sperling.com/

--- End Message ---
--- Begin Message ---

On Sep 12, 2010, at 1:33 PM, tedd wrote:

> At 5:57 PM +0100 9/12/10, Ashley Sheridan wrote:
>> On Sun, 2010-09-12 at 12:55 -0400, tedd wrote:
>>
>>> Can a business have a server connected to the Internet but limit
>>> access to just their employees? I don't mean a password protected
>>> scheme, but rather the server being totally closed to the outside
>>> world other than to their internal employees? Or is this something
>>> that can only be provided by a LAN with no Internet connection?
>>
>> Not entirely sure what you're asking, but could you maybe achieve something like this with a WAN using a VPN?
>>
>> Thanks,
>> Ash
>
> Ash:
>
> I'm sure this is an obvious question for many on this list, but I'm not above showing my ignorance.
>
> I guess what I am asking -- if a client wanted an application written (in web languages) so that their employees could link all their different computers together and share/use information using browsers, is that possible using a server that is not connected to the Internet?
>
> Look, I know that I can solve my clients problems by finding a host and writing scripts to do what they want -- that's not a problem. But everything I do is open to the world. Sure I can provide some level of security, but nothing like the security that can be provided behind closed and locked doors.
>
> So, can I do what I do (i.e., programming) without having a host? Can I install a local server at my clients location and interface all their computers to use the server without them ever being connected to the Internet?
>
> Maybe I should ask my grandson. :-)

Hi tedd,

I may not know all the possibilities but the only way I can think of to accomplish that would be to have a server setup in their office with a bank of modems and have everyone call into the server. Basically like an old school internet provider.

If the main server can be secured to your client's liking there are ways that it can be on the net and still as safe as possible... But obviously not as safe as hard lines being dialed in...

You'd also have to take into account possibly long distance charges if everyone wasn't local...



--- End Message ---
--- Begin Message ---
At 1:18 PM -0400 9/12/10, Andy McKenzie wrote:
>> A question, to clarify my fuzzy thinking about such things:
>>
>> Can a business have a server connected to the Internet but limit access to
>> just their employees? I don't mean a password protected scheme, but rather
>> the server being totally closed to the outside world other than to their
>> internal employees? Or is this something that can only be provided by a LAN
>> with no Internet connection?
>>
>> Cheers,
>>
>> tedd
>
> Hey, one I can answer!
>
> The short answer is "Yes".  It can be done in a firewall:  for
> instance, take the following network setups.
>
> 1) Internal machines on a single range (10.10.0.1-10.10.0-254),
> gateway machine at 10.10.0.1, web server at 10.10.0.2.
>   In this situation, the gateway passes traffic web traffic from
> outside to 10.10.0.2/80 (destination NATing, in linux's iptables), and
> traffic from inside to 10.10.0.2/8880.  There's no reasonable way for
> outside traffic to reach the web server, but the web server can still
> reach the outside world.  If you don't want to have ANYONE outside the
> private network reach the web server, you can eliminate the dnat rule
> so port 80 traffic isn't forwarded.  If the employees need access from
> outside, a VPN would work best, as Ash suggested, but there are other
> options.  The catch is that you need to either use virtual hosts,
> which brings one set of problems, or two pieces of web-server software
> (two instances of apache, for instance), which brings a different set
> of problems.
>
> 2) All systems on publicly reachable addresses
> (230.54.8.0-230.54.8.254, to pick at random).  The web server is at
> 230.54.8.2, there is no gateway.  The firewall here needs to be on the
> web server, since there is no gateway, and it only allows port 8880
> traffic in if it's from the range 230.54.8.0/24.  Again, if no
> external access is necessary, it can be simplified somewhat.
>
> In either instance, employees with permanent IP addresses at home can
> be allowed in via the firewall.
>
> -Alex
>
> 3)

-Alex:

Many thanks -- now I need to figure what you said and how to implement it.  :-)

Does this mean that my client will need a physically local server with fire-wall software protection or can this be done in conventional remote hosting environment with htaccess (or whatever) directives?

I really need to understand the basics.

Thanks for your help.

Cheers,

tedd

--
-------
http://sperling.com/

--- End Message ---
--- Begin Message ---
At 1:47 PM -0400 9/12/10, Jason Pruim wrote:
>> On Sep 12, 2010, at 1:33 PM, tedd wrote:
>> So, can I do what I do (i.e., programming) without having a host? Can I install a local server at my clients location and interface all their computers to use the server without them ever being connected to the Internet?
>
> I may not know all the possibilities but the only way I can think of to accomplish that would be to have a server setup in their office with a bank of modems and have everyone call into the server. Basically like an old school internet provider.
>
> If the main server can be secured to your client's liking there are ways that it can be on the net and still as safe as possible... But obviously not as safe as hard lines being dialed in...
>
> You'd also have to take into account possibly long distance charges if everyone wasn't local...

Forget modems or other such outside access -- everything would be done internally with computers and users being physically located within the office's physical location.

So, could a server be set up in an office that would run web-languages such that users in the office could access their server and run scripts using browsers?

Cheers,

tedd


--
-------
http://sperling.com/

--- End Message ---
--- Begin Message ---
On Sun, Sep 12, 2010 at 11:03 PM, tedd <tedd.sperl...@gmail.com> wrote:
> At 5:57 PM +0100 9/12/10, Ashley Sheridan wrote:
>>
>
> I'm sure this is an obvious question for many on this list, but I'm not
> above showing my ignorance.
>
> I guess what I am asking -- if a client wanted an application written (in
> web languages) so that their employees could link all their different
> computers together and share/use information using browsers, is that
> possible using a server that is not connected to the Internet?

definitely yes. many online web apps we see on internet spend their
early age in incubators not connected to internet. in other terms, in
'local area networks' which use almost same set of internet standard
protocols.


~viraj

>
> Look, I know that I can solve my clients problems by finding a host and
> writing scripts to do what they want -- that's not a problem. But everything
> I do is open to the world. Sure I can provide some level of security, but
> nothing like the security that can be provided behind closed and locked
> doors.
>
> So, can I do what I do (i.e., programming) without having a host? Can I
> install a local server at my clients location and interface all their
> computers to use the server without them ever being connected to the
> Internet?
>
> Maybe I should ask my grandson. :-)
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/
>
>
>

--- End Message ---
--- Begin Message ---
On Sun, 2010-09-12 at 14:07 -0400, tedd wrote:

> At 1:47 PM -0400 9/12/10, Jason Pruim wrote:
> >>On Sep 12, 2010, at 1:33 PM, tedd wrote:
> >>So, can I do what I do (i.e., programming) without having a host? 
> >>Can I install a local server at my clients location and interface 
> >>all their computers to use the server without them ever being 
> >>connected to the Internet?
> >
> >I may not know all the possibilities but the only way I can think of 
> >to accomplish that  would be to have a server setup in their office 
> >with a bank of modems and have everyone call into the server. 
> >Basically like an old school internet provider.
> >
> >If the main server can be secured to your client's liking there are 
> >ways that it can be on the net and still as safe as possible... But 
> >obviously not as safe as hard lines being dialed in...
> >
> >You'd also have to take into account possibly long distance charges 
> >if everyone wasn't local...
> 
> Forget modems or other such outside access -- everything would be 
> done internally with computers and users being physically located 
> within the office's physical location.
> 
> So, could a server be set up in an office that would run 
> web-languages such that users in the office could access their server 
> and run scripts using browsers?
> 
> Cheers,
> 
> tedd
> 
> 
> -- 
> -------
> http://sperling.com/
> 


Set it up like a regular server but without a connection to the outside
world and then the computers can connect to it as you need. For ease of
use you could pick some subdomain name of the existing domain for the
company (intranet.business.com for example) and then change the hosts
file on the client computers to recognise this and point to the internal
server.

Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
--- Begin Message ---
On Sun, Sep 12, 2010 at 11:37 PM, tedd <tedd.sperl...@gmail.com> wrote:
> At 1:47 PM -0400 9/12/10, Jason Pruim wrote:
>>>
> So, could a server be set up in an office that would run web-languages such
> that users in the office could access their server and run scripts using
> browsers?

yes, it's just few steps.

1. connect all computers through a router and bring the access need
machines in to one ip-block range
2. pick a computer to use as the server (which you have to install the
web server, database server)

firewalls, proxy-servers come later in the story :)

this is bit off the topic in a php list. but i'm sure you will get
some good hints.


~viraj

>
> Cheers,
>
> tedd
>
>
> --
> -------
> http://sperling.com/
>
>
>

--- End Message ---
--- Begin Message ---
On Sun, Sep 12, 2010 at 1:51 PM, tedd <tedd.sperl...@gmail.com> wrote:
> At 1:18 PM -0400 9/12/10, Andy McKenzie wrote:
>>
>>  >
>>>
>>>  A question, to clarify my fuzzy thinking about such things:
>>>
>>>  Can a business have a server connected to the Internet but limit access
>>> to
>>>  just their employees? I don't mean a password protected scheme, but
>>> rather
>>>  the server being totally closed to the outside world other than to their
>>>  internal employees? Or is this something that can only be provided by a
>>> LAN
>>>  with no Internet connection?
>>>
>>>  Cheers,
>>>
>>>  tedd
>>
>> Hey, one I can answer!
>>
>> The short answer is "Yes".  It can be done in a firewall:  for
>> instance, take the following network setups.
>>
>> 1) Internal machines on a single range (10.10.0.1-10.10.0.254),
>> gateway machine at 10.10.0.1, web server at 10.10.0.2.
>>  In this situation, the gateway passes web traffic from
>> outside to 10.10.0.2/80 (destination NATing, in linux's iptables), and
>> traffic from inside to 10.10.0.2/8880.  There's no reasonable way for
>> outside traffic to reach the web server, but the web server can still
>> reach the outside world.  If you don't want to have ANYONE outside the
>> private network reach the web server, you can eliminate the dnat rule
>> so port 80 traffic isn't forwarded.  If the employees need access from
>> outside, a VPN would work best, as Ash suggested, but there are other
>> options.  The catch is that you need to either use virtual hosts,
>> which brings one set of problems, or two pieces of web-server software
>> (two instances of apache, for instance), which brings a different set
>> of problems.
>>
>> 2) All systems on publicly reachable addresses
>> (230.54.8.0-230.54.8.254, to pick at random).  The web server is at
>> 230.54.8.2, there is no gateway.  The firewall here needs to be on the
>> web server, since there is no gateway, and it only allows port 8880
>> traffic in if it's from the range 230.54.8.0/24.  Again, if no
>> external access is necessary, it can be simplified somewhat.
>>
>> In either instance, employees with permanent IP addresses at home can
>> be allowed in via the firewall.
>>
>> -Alex
>>
>> 3)
>
> -Alex:
>
> Many thanks -- now I need to figure what you said and how to implement it.
>  :-)
>
> Does this mean that my client will need a physically local server with
> fire-wall software protection or can this be done in conventional remote
> hosting environment with htaccess (or whatever) directives?
>
> I really need to understand the basics.
>
> Thanks for your help.
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/
>

Tedd,

   First off, I don't recommend trying to build a secure firewall
yourself if you don't know what you're doing, much like I wouldn't
recommend building your own web server.  There are a lot of potential
pitfalls, and ways to make things look like they're secure when they
really aren't.

   That said, here's my take.

   It sounds from what you said like you have a client with the following setup:

-  Machines in the office, probably on a private subnet with a single
public IP showing (this is Network Address Translation, or NAT).

- A remote server rented from a hosting company.  Hopefully it's
running Linux/Apache, rather than Windows/anything, because it's
easier (for me, at least) if it's linux.  I'll assume it's running
Linux and Apache, since most hosting companies do things that way, in
my experience.

   This is potentially the hardest setup, security-wise.  You're
looking at all data having to travel over a network connection, which
means it's inherently insecure, and you may not have full access to
the server.  If you've got access to either the firewall or the apache
config on the server, though, you can make it work.  There are two
options.

1) Firewall.  You can use the firewall (iptables, in my assumed
scenario) to restrict who can reach the server.  Find someone who
knows what they're doing to set this up, or you can lock yourself out
of the server really easily -- I've done it several times at work, and
it's always embarrassing.

2) Apache config.  You can set a particular subdirectory of your
Apache install -- or the whole thing! -- to only be accessible to
people from certain domains or IPs.  The way to do this is to use a
"Deny all" directive, followed by, say "Allow .myclient.com" or "Allow
231.30.8.17" if that's your gateway. See
http://articles.techrepublic.com.com/5100-22_11-5076696.html for some
basic information -- look at the section with the header "Restrict
access".  This is easier, but I'm not sure whether it's as secure.
Best, of course, would be to do both.  That way no one unauthorized
should be able to reach the server, but if they manage, it should
still lock them out.


   Now:  this all works the same for an internal server.  The only
difference really is that you're in full physical control, and you can
drop the whole thing behind a gateway firewall as well as the internal
firewall.  It is generally a good idea to let a server access the
internet, since that's the easiest way to download and install
security patches, but you can still restrict access the same way.
Either you put two network cards in the server, and use one to access
the internet and the other for the internal network, or you use one,
and use the firewall and Apache directives to control who has access.

  Again, though, I don't advocate setting up a secure server yourself
if you don't know what you're doing:  that's fine if it doesn't really
have to be secure and it's for yourself (that's a good way to learn,
actually), but you're running a big risk if you sell someone a secure
solution that turns out to not really be secure.

I hope this helps!

-Alex

--- End Message ---
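
The Apache option described in the message above, written out as an added example that is not part of the original message. The directory path `/var/www/intranet` is a hypothetical placeholder; the gateway address and domain are the ones used in the message.

```apache
# --- Apache 2.2 syntax (mod_authz_host), current when this thread was written ---
# /var/www/intranet is a hypothetical path used for illustration.
<Directory "/var/www/intranet">
    # Order matters. With "deny,allow" the Deny rules are evaluated first and
    # a matching Allow then overrides them, so only the listed clients get in.
    # Writing "Order allow,deny" instead lets "Deny from all" win and blocks
    # everyone, the office included.
    Order deny,allow
    Deny from all

    # Public address of the office gateway (the NAT address the server sees
    # for every machine in the office).
    Allow from 231.30.8.17

    # Hostname form. Apache verifies it with a reverse lookup of the client IP
    # followed by a forward lookup of the result, so it is slower and only as
    # trustworthy as the DNS answers; prefer the IP form when the gateway
    # address is fixed.
    # Allow from .myclient.com
</Directory>

# --- Apache 2.4 equivalent (mod_authz_core / mod_authz_host) ---
# Use this block INSTEAD of the one above, not together with it.
<Directory "/var/www/intranet">
    # Anything not matched by a Require line is refused.
    Require ip 231.30.8.17
    # Require host myclient.com
</Directory>
```

In a `.htaccess` file on shared hosting the same directives are written without the `<Directory>` wrapper, and they only take effect if the host's `AllowOverride` setting permits them. A request from an address outside the list should come back as `403 Forbidden`, which is the quickest check that the rule is active.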
