From: Ashley Sheridan on
On Sun, 2010-09-12 at 14:07 -0400, tedd wrote:

> At 1:47 PM -0400 9/12/10, Jason Pruim wrote:
> >>On Sep 12, 2010, at 1:33 PM, tedd wrote:
> >>So, can I do what I do (i.e., programming) without having a host?
> >>Can I install a local server at my clients location and interface
> >>all their computers to use the server without them ever being
> >>connected to the Internet?
> >
> >I may not know all the possibilities but the only way I can think of
> >to accomplish that would be to have a server setup in their office
> >with a bank of modems and have everyone call into the server.
> >Basically like an old school internet provider.
> >
> >If the main server can be secured to your clients liking there are
> >ways that it can be on the net and still as safe as possible... But
> >obviously not as safe as hard lines being dialed in...
> >
> >You'ld also have to take into account possibly long distance charges
> >if everyone wasn't local...
>
> Forget modems or other such outside access -- everything would be
> done internally with computers and users being physically located
> within the office's physical location.
>
> So, could a server be set up in an office that would run
> web-languages such that users in the office could access their server
> and run scripts using browsers?
>
> Cheers,
>
> tedd
>
>
> --
> -------
> http://sperling.com/
>


Set it up like a regular server but without a connection to the outside
world and then the computers can connect to it as you need. For ease of
use you could pick some subdomain name of the existing domain for the
company (intranet.business.com for example) and then change the hosts
file on the client computers to recognise this and point to the internal
server.

Thanks,
Ash
http://www.ashleysheridan.co.uk


From: viraj on
On Sun, Sep 12, 2010 at 11:37 PM, tedd <tedd.sperling(a)gmail.com> wrote:
> At 1:47 PM -0400 9/12/10, Jason Pruim wrote:
>>>
> So, could a server be set up in an office that would run web-languages such
> that users in the office could access their server and run scripts using
> browsers?

Yes, it's just a few steps.

1. Connect all computers through a router and bring the machines that
need access into one IP block range.
2. Pick a computer to use as the server (on which you have to install
the web server and database server).

Firewalls and proxy servers come later in the story :)

This is a bit off topic for a PHP list, but I'm sure you will get
some good hints.


~viraj

>
> Cheers,
>
> tedd
>
>
> --
> -------
> http://sperling.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
From: Andy McKenzie on
On Sun, Sep 12, 2010 at 1:51 PM, tedd <tedd.sperling(a)gmail.com> wrote:
> At 1:18 PM -0400 9/12/10, Andy McKenzie wrote:
>>
>>  >
>>>
>>>  A question, to clarify my fuzzy thinking about such things:
>>>
>>>  Can a business have a server connected to the Internet but limit access
>>> to
>>>  just their employees? I don't mean a password protected scheme, but
>>> rather
>>>  the server being totally closed to the outside world other than to their
>>>  internal employees? Or is this something that can only be provided by a
>>> LAN
>>>  with no Internet connection?
>>>
>>>  Cheers,
>>>
>>>  tedd
>>
>> Hey, one I can answer!
>>
>> The short answer is "Yes".  It can be done in a firewall:  for
>> instance, take the following network setups.
>>
>> 1) Internal machines on a single range (10.10.0.1-10.10.0.254),
>> gateway machine at 10.10.0.1, web server at 10.10.0.2.
>>  In this situation, the gateway passes web traffic from
>> outside to 10.10.0.2/80 (destination NATing, in linux's iptables), and
>> traffic from inside to 10.10.0.2/8880.  There's no reasonable way for
>> outside traffic to reach the web server, but the web server can still
>> reach the outside world.  If you don't want to have ANYONE outside the
>> private network reach the web server, you can eliminate the dnat rule
>> so port 80 traffic isn't forwarded.  If the employees need access from
>> outside, a VPN would work best, as Ash suggested, but there are other
>> options.  The catch is that you need to either use virtual hosts,
>> which brings one set of problems, or two pieces of web-server software
>> (two instances of apache, for instance), which brings a different set
>> of problems.
>>
>> 2) All systems on publicly reachable addresses
>> (230.54.8.0-230.54.8.254, to pick at random).  The web server is at
>> 230.54.8.2, there is no gateway.  The firewall here needs to be on the
>> web server, since there is no gateway, and it only allows port 8880
>> traffic in if it's from the range 230.54.8.0/24.  Again, if no
>> external access is necessary, it can be simplified somewhat.
>>
>> In either instance, employees with permanent IP addresses at home can
>> be allowed in via the firewall.
>>
>> -Alex
>>
>> 3)
>
> -Alex:
>
> Many thanks -- now I need to figure what you said and how to implement it..
>  :-)
>
> Does this mean that my client will need a physically local server with
> fire-wall software protection or can this be done in conventional remote
> hosting environment with htaccess (or whatever) directives?
>
> I really need to understand the basics.
>
> Thanks for your help.
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/
>

Tedd,

First off, I don't recommend trying to build a secure firewall
yourself if you don't know what you're doing, much like I wouldn't
recommend building your own web server. There are a lot of potential
pitfalls, and ways to make things look like they're secure when they
really aren't.

That said, here's my take.

It sounds from what you said like you have a client with the following setup:

- Machines in the office, probably on a private subnet with a single
public IP showing (this is Network Address Translation, or NAT).

- A remote server rented from a hosting company. Hopefully it's
running Linux/Apache, rather than Windows/anything, because it's
easier (for me, at least) if it's Linux. I'll assume it's running
Linux and Apache, since most hosting companies do things that way, in
my experience.

This is potentially the hardest setup, security-wise. You're
looking at all data having to travel over a network connection, which
means it's inherently insecure, and you may not have full access to
the server. If you've got access to either the firewall or the apache
config on the server, though, you can make it work. There are two
options.

1) Firewall. You can use the firewall (iptables, in my assumed
scenario) to restrict who can reach the server. Find someone who
knows what they're doing to set this up, or you can lock yourself out
of the server really easily -- I've done it several times at work, and
it's always embarrassing.

2) Apache config. You can set a particular subdirectory of your
Apache install -- or the whole thing! -- to only be accessible to
people from certain domains or IPs. The way to do this is to use a
"Deny all" directive, followed by, say "Allow .myclient.com" or "Allow
231.30.8.17" if that's your gateway. See
http://articles.techrepublic.com.com/5100-22_11-5076696.html for some
basic information -- look at the section with the header "Restrict
access". This is easier, but I'm not sure whether it's as secure.
Best, of course, would be to do both. That way no one unauthorized
should be able to reach the server, but if they manage, it should
still lock them out.


Now: this all works the same for an internal server. The only
difference really is that you're in full physical control, and you can
drop the whole thing behind a gateway firewall as well as the internal
firewall. It is generally a good idea to let a server access the
internet, since that's the easiest way to download and install
security patches, but you can still restrict access the same way.
Either you put two network cards in the server, and use one to access
the internet and the other for the internal network, or you use one,
and use the firewall and Apache directives to control who has access.

Again, though, I don't advocate setting up a secure server yourself
if you don't know what you're doing: that's fine if it doesn't really
have to be secure and it's for yourself (that's a good way to learn,
actually), but you're running a big risk if you sell someone a secure
solution that turns out to not really be secure.

I hope this helps!

-Alex
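The two controls Alex lists (the firewall and the Apache directives), worked through as an added example that is not part of the thread and not his or tedd's code: a POSIX shell script that prints an iptables rule set for his setup 2 (no gateway, so the firewall lives on the web server and only the LAN range may reach the intranet port, while port 80 is simply not opened), prints the equivalent Apache directives in both the 2.2 `Order/Deny/Allow` form and the 2.4 `Require ip` form, and runs the same source-address test over a constructed list of connection attempts so you can see which ones get through. The LAN range 10.10.0.0/24, the intranet port 8880 (the port his first setup used internally), the docroot /var/www/intranet and the sample connections are all assumed values.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Hypothetical values:
# LAN 10.10.0.0/24, web server 10.10.0.2, intranet vhost on port 8880,
# SSH allowed from the LAN only. Nothing here touches the live firewall:
# the rule set is printed for review and loaded separately.

# ip2int 10.10.0.2 -> 168427522 (dotted quad as a 32-bit integer)
ip2int() {
    ( IFS=.; set -- $1
      echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# cidr_mask 24 -> 4294967040 (network mask as an integer)
cidr_mask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# ip_in_cidr IP NET/BITS -> exit status 0 if IP is inside the range, 1 if not
ip_in_cidr() {
    _net=${2%/*}; _bits=${2#*/}
    _mask=$(cidr_mask "$_bits")
    [ $(( $(ip2int "$1") & $_mask )) -eq $(( $(ip2int "$_net") & $_mask )) ]
}

# iptables_rules LAN WEB_PORT: print an iptables-restore rule set for a
# server whose web and SSH ports answer only to the LAN. Default policy
# DROP; ESTABLISHED,RELATED keeps replies to the server's own outbound
# connections (package updates) flowing; denied web attempts are logged.
iptables_rules() {
    lan=$1; web_port=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -s $lan -p tcp --dport $web_port -j ACCEPT
-A INPUT -p tcp --dport $web_port -j LOG --log-prefix "intranet-denied: "
COMMIT
EOF
}

# apache_access_config LAN DOCROOT: the same restriction inside Apache,
# in the 2.2 (mod_authz_host) and 2.4 (mod_authz_core) syntaxes.
apache_access_config() {
    lan=$1; docroot=$2
    cat <<EOF
# Apache 2.2:
<Directory "$docroot">
    Order deny,allow
    Deny from all
    Allow from $lan
</Directory>
# Apache 2.4:
<Directory "$docroot">
    Require ip $lan
</Directory>
EOF
}

# Constructed sample of connection attempts: "source-ip destination-port".
SAMPLE_CONNECTIONS="10.10.0.55 8880
10.10.0.200 80
192.0.2.77 8880
10.10.1.9 8880
10.10.0.17 22"

# classify_connections LAN WEB_PORT: apply the policy above to the sample
# and print one "ACCEPT|DROP src port" line per attempt.
classify_connections() {
    lan=$1; web_port=$2
    echo "$SAMPLE_CONNECTIONS" | while read -r src port; do
        if { [ "$port" = "$web_port" ] || [ "$port" = 22 ]; } \
           && ip_in_cidr "$src" "$lan"; then
            echo "ACCEPT $src $port"
        else
            echo "DROP $src $port"
        fi
    done
}

# Stand-alone run: show the rules, the Apache config and the verdicts.
iptables_rules 10.10.0.0/24 8880
apache_access_config 10.10.0.0/24 /var/www/intranet
classify_connections 10.10.0.0/24 8880
```

The script prints rather than applies. Review the output and load it with `iptables-restore` from a console or other session that does not depend on the rules you are changing; that is the guard against the lock-out Alex mentions. The `Allow .myclient.com` in his message is the 2.2 `Allow from` form with a hostname: Apache checks a hostname rule by a reverse lookup of the client address followed by a forward lookup, so it is slower and trusts DNS, whereas the CIDR form trusts only the packet's source address, which is Dotan's "not foolproof, but mostly there". Running both layers, as Alex suggests, means a mistake in one does not open the server.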
From: Paul M Foster on
On Sun, Sep 12, 2010 at 02:07:12PM -0400, tedd wrote:

> At 1:47 PM -0400 9/12/10, Jason Pruim wrote:
> >>On Sep 12, 2010, at 1:33 PM, tedd wrote:
> >>So, can I do what I do (i.e., programming) without having a host?
> >>Can I install a local server at my clients location and interface
> >>all their computers to use the server without them ever being
> >>connected to the Internet?
> >
> >I may not know all the possibilities but the only way I can think of
> >to accomplish that would be to have a server setup in their office
> >with a bank of modems and have everyone call into the server.
> >Basically like an old school internet provider.
> >
> >If the main server can be secured to your clients liking there are
> >ways that it can be on the net and still as safe as possible... But
> >obviously not as safe as hard lines being dialed in...
> >
> >You'ld also have to take into account possibly long distance charges
> >if everyone wasn't local...
>
> Forget modems or other such outside access -- everything would be
> done internally with computers and users being physically located
> within the office's physical location.
>
> So, could a server be set up in an office that would run
> web-languages such that users in the office could access their server
> and run scripts using browsers?

I just think I couldn't possibly be fully understanding what you're
asking. But in case I *do* understand it, it would be like this:

Set up a switch in the server room and connect everyone to it. Connect
the switch to the internal webserver. Give the webserver an internal
(non-routable) IP and hostname. Anyone can access it via
http://internal_hostname/my_script.php

No one outside the LAN can access it, something you can enforce with
Apache or with iptables (Linux).

I have one of these set up in my house/office.

Hope this helps.

Paul

--
Paul M. Foster
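Ash's hosts-file approach and Paul's internal hostname, as an added example that is not from the thread and not either poster's code: a POSIX shell function that adds or replaces one name in a hosts-format file without disturbing other names on the same line or re-adding the entry on every run, plus a lookup that mirrors what the resolver does with that file. The server address 10.10.0.2, the name intranet.business.com and the sample file contents are assumed; the functions take the file path as an argument so they can be tried on a copy before /etc/hosts.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Hypothetical values:
# internal server 10.10.0.2, name intranet.business.com. Pass the path of
# a client's hosts file (normally /etc/hosts, which needs root) as FILE.

# set_hosts_entry FILE IP NAME: make FILE map NAME to IP, idempotently.
# Any existing line that lists NAME loses just that token (other names and
# a trailing comment on the line are kept); then the new mapping is appended.
set_hosts_entry() {
    file=$1; ip=$2; name=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v n="$name" '
        {
            line = $0; comment = ""
            p = index(line, "#")
            if (p > 0) { comment = substr(line, p); line = substr(line, 1, p - 1) }
            nf = split(line, f)
            if (nf < 2) { print $0; next }       # blank, comment-only or IP-only line
            rest = ""
            for (i = 2; i <= nf; i++) if (f[i] != n) rest = rest " " f[i]
            if (rest == "") next                 # NAME was the only name: drop the line
            print f[1] "\t" substr(rest, 2) (comment != "" ? "  " comment : "")
        }' "$file" > "$tmp"
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    mv "$tmp" "$file"
}

# resolve_in_hosts FILE NAME: print the address FILE maps NAME to (first
# match wins, as with the system resolver); prints nothing if unmapped.
resolve_in_hosts() {
    awk -v n="$2" '
        { line = $0; sub(/#.*/, "", line); nf = split(line, f)
          for (i = 2; i <= nf; i++) if (f[i] == n) { print f[1]; exit } }' "$1"
}

# Stand-alone demo on a constructed file standing in for a client's /etc/hosts:
# the stale 10.10.0.9 entry is replaced, its alias old-name survives.
demo() {
    f=$(mktemp)
    printf '127.0.0.1\tlocalhost\n10.10.0.9\tintranet.business.com old-name\n' > "$f"
    set_hosts_entry "$f" 10.10.0.2 intranet.business.com
    cat "$f"
    rm -f "$f"
}
demo
```

The hosts file has to be maintained on every client, which is fine for a small office and is why Ash suggests it; past a handful of machines, a record for the name in the office's internal DNS does the same job once. Either way the name only tells clients where the server is. The firewall and Apache rules in the other replies are what keep everyone else off it.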
From: Dotan Cohen on
On Sun, Sep 12, 2010 at 18:55, tedd <tedd.sperling(a)gmail.com> wrote:
> A question, to clarify my fuzzy thinking about such things:
>
> Can a business have a server connected to the Internet but limit access to
> just their employees? I don't mean a password protected scheme, but rather
> the server being totally closed to the outside world other than to their
> internal employees? Or is this something that can only be provided by a LAN
> with no Internet connection?
>

Filter on IP address. Not foolproof, but mostly there.

--
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com