Authenticate users by IP address?

hcsteve
Posts: 7
Joined: Fri Mar 20, 2009 1:02 pm

Authenticate users by IP address?

Post by hcsteve »

Hi,

I'm currently working on replacing a moderately sized MRTG installation (about 2 dozen devices, 4000 graphs) with Cacti. I love the user interface and the ease of management, but I'm having some trouble with a multi-user setup.

With our current MRTG system, we allow our customers to log in to the web server to view the graphs that are assigned to them. In order to do this, we set up some custom perl scripts, an htaccess file, and an htpasswd file for each of our customers. However, we also have a page that is only accessible from our management network that shows all the graphs for every single device. This page is also protected by an htaccess file that only permits connections from a certain IP range (our management network).

I'm trying to set up something similar in Cacti, but I don't really know where to start. I figured out how to create individual users and only allow those users access to certain graphs. However, I'm having trouble figuring out how to allow "all-access read-only" based only on IP address, without requiring the user to log in. The simple answer is to just require my network techs to log in with a username and password, but I'd like to avoid that if possible.

Is anyone else doing something like this? Any pointers on where to start? I searched the forums for things like "authenticate user by IP address", but I didn't find anything useful.

Thanks,
Steve
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

Not currently supported.
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
Howie
Cacti Guru User
Posts: 5508
Joined: Thu Sep 16, 2004 5:53 am
Location: United Kingdom

Post by Howie »

I would look at using Basic authentication mode in Cacti, coupled with some Apache module that makes IP auth *look* like basic auth. It wouldn't be too hard to write a mod_perl module to do that, for example, where it has a list of IPs, and in response, it stuffs dummy basic auth credentials into the HTTP request.

Depends on if you have any programming resources, I guess.
Weathermap 0.98a is out! & QuickTree 1.0. Superlinks is over there now (and built-in to Cacti 1.x).
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

IP support will be coming, I just don't know when.

And to be honest, the past patches I have received have been lackluster.
CarLost
Posts: 23
Joined: Tue Oct 16, 2007 2:10 pm

Post by CarLost »

You can also export the graphics at fixed intervals (or days) on another server and prepare a page to "show" this to the customers, avoiding any potential security issue.

Regards.
hcsteve
Posts: 7
Joined: Fri Mar 20, 2009 1:02 pm

Post by hcsteve »

Thanks for all the suggestions. I ended up making a quick and dirty hack to include/auth.php that will only allow guest access from my management network. Here's the diff:

42c42,46
<               $guest_user_id = db_fetch_cell("select id from user_auth where username='" . read_config_option("guest_user") . "' and realm = 0 and enabled = 'on'");
---
>               /* Only allow guest access from $allowed_network */
>               $allowed_network = '172.17.0.';
>               if (substr($_SERVER['REMOTE_ADDR'], 0, strlen($allowed_network)) == $allowed_network) {
>                       $guest_user_id = db_fetch_cell("select id from user_auth where username='" . read_config_option("guest_user") . "' and realm = 0 and enabled = 'on'");
>               }
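
Review bot: In the added block, $guest_user_id is assigned only inside the if, so for a client outside $allowed_network it keeps whatever value it had before line 42 (possibly undefined); set it to an empty value before the check so the code that follows always sees a defined result. The substr() prefix test on $_SERVER['REMOTE_ADDR'] is correct for this /24 only because of the trailing dot in '172.17.0.'; it cannot express a network that does not end on an octet boundary, it compares with a loose == where === would do, and the range is hard-coded in include/auth.php, a core file that an upgrade replaces. REMOTE_ADDR is the address of the TCP peer, so if Cacti is ever put behind a reverse proxy every request will carry the proxy's address; a comment next to $allowed_network saying so would help the next maintainer.
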
Granted, this is not the most robust or maintainable solution, but so far it looks like it does what I want. If anyone sees any obvious problems with this, I'd love to hear about it.
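
A CIDR-aware alternative to the string-prefix test in the diff above, as an added example that is not part of the original post or of Cacti. The helper names `ip_in_cidr()` and `guest_allowed()` are hypothetical, and the networks and addresses are constructed samples; it generalizes beyond the post's single /24 to any IPv4 or IPv6 prefix length.

```php
<?php
// Added example, not Cacti code. ip_in_cidr() and guest_allowed() are
// hypothetical helper names; the addresses below are constructed samples.

// Return true when $ip lies inside $cidr (e.g. "172.17.0.0/24").
// Handles IPv4 and IPv6; malformed input or a family mismatch never matches.
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    $net   = @inet_pton($parts[0]);
    $addr  = @inet_pton($ip);
    // Fail closed on unparsable input and on IPv4-vs-IPv6 mismatches.
    if ($net === false || $addr === false || strlen($net) !== strlen($addr)) {
        return false;
    }
    $maxBits = strlen($net) * 8;
    $bits    = $parts[1] ?? (string) $maxBits;
    if (!ctype_digit($bits) || (int) $bits > $maxBits) {
        return false;
    }
    $bits = (int) $bits;
    // Compare the whole bytes first, then the leftover high bits of the next byte.
    $fullBytes = intdiv($bits, 8);
    if (substr($addr, 0, $fullBytes) !== substr($net, 0, $fullBytes)) {
        return false;
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($addr[$fullBytes]) & $mask) === (ord($net[$fullBytes]) & $mask);
}

function guest_allowed(string $remoteAddr, array $networks): bool
{
    foreach ($networks as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs: a /24 and a /22 that a string prefix cannot express.
$networks = ['172.17.0.0/24', '172.17.4.0/22'];
foreach (['172.17.0.25', '172.17.7.200', '172.17.10.1', '172.170.0.1', 'garbage'] as $ip) {
    printf("%-14s %s\n", $ip, guest_allowed($ip, $networks) ? 'guest' : 'login required');
}
```
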
Howie
Cacti Guru User
Posts: 5508
Joined: Thu Sep 16, 2004 5:53 am
Location: United Kingdom

Post by Howie »

Howie wrote:I would look at using Basic authentication mode in Cacti, coupled with some Apache module that makes IP auth *look* like basic auth. It wouldn't be too hard to write a mod_perl module to do that, for example, where it has a list of IPs, and in response, it stuffs dummy basic auth credentials into the HTTP request.

Depends on if you have any programming resources, I guess.
Just replying to myself to close the loop, there's already some example code here that does almost what I described - require basic auth for most users, but allow certain IPs without auth while forcing a username into REMOTE_USER. With Cacti set up to use basic auth, that would do what you wanted. You'd lose the nice Cacti login screen, of course.