user1338397

Reputation: 33

php: is my visitor from local network?

I have a small home network with a LAMP server. I know from these two topics:

How to make sure about the ip of the visitor? and PHP: how to check if the client is local?

that there are various ways to determine some information about the IP of my visitors. But is it possible, using PHP, to determine with 100% certainty that my visitor IS from the local network? I would like to make my website freely available on my 192.168.0.* network and password protected from everyone else. And I'm not concerned with cases where occasionally someone from my local network, due to the use of a proxy or for some other reason, is forced to provide extra credentials. I just want to make 100% sure that people from the outside will be asked for a password.

Or maybe in some other wording: for a potential hacker outside my local network, is it possible to trick Apache to think that the visitor is local?

Usually any effort at recognizing a visitor's IP is directed toward customizing the look or language of the website, but is it possible to use it for the security reasons described above?

Upvotes: 1

Views: 2227

Answers (3)

Eric

Reputation: 2116

This should be done from Apache using the Satisfy directive. You must be sure that AllowOverride is set in your apache.conf; then in your .htaccess you can do the following (or you could put it in a directive of the virtual host).

AuthType Basic
AuthName "Private Site"
AuthUserFile /etc/httpd/conf.d/htpasswd/www.example.com
Order deny,allow
Allow from 192.168.0.0/16
Deny from all
Require valid-user
Satisfy Any

The only way that they could bypass this is if they proxied in somehow from the internal network.

Upvotes: 0

MarkusDBX

Reputation: 121

Whether you can make a setup like that secure depends slightly on your firewall, if you have one. Not so much on PHP.

Read up on IP spoofing. IP address spoofing - Wikipedia

A better way would be to just put that webserver on a hosting provider, and only allow your external IP access. Still, that is not really 100% secure either.

Upvotes: 0

<?php
/**
 * Check if a client IP is in our Server subnet
 *
 * @param string $client_ip
 * @param string $server_ip
 * @return boolean
 */
function clientInSameSubnet($client_ip=false,$server_ip=false) {
    // Default to the connecting peer and the address the request arrived on
    if (!$client_ip)
        $client_ip = $_SERVER['REMOTE_ADDR'];
    if (!$server_ip)
        $server_ip = $_SERVER['SERVER_ADDR'];
    // Extract broadcast and netmask from ifconfig
    if (!($p = popen("ifconfig","r"))) return false;
    $out = "";
    while(!feof($p))
        $out .= fread($p,1024);
    pclose($p); // handles opened with popen() are closed with pclose()
    // This is because the php.net comment function does not
    // allow long lines.
    // The server address is quoted so its dots match literally; the
    // pattern expects the "Bcast:" and "Mask:" fields on the same line.
    $match  = "/^.*".preg_quote($server_ip, "/");
    $match .= ".*Bcast:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*";
    $match .= "Mask:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/im";
    if (!preg_match($match,$out,$regs))
        return false;
    $bcast = ip2long($regs[1]);
    $smask = ip2long($regs[2]);
    $ipadr = ip2long($client_ip);
    // Network address = broadcast AND mask; the client is local when
    // its masked address equals that network address.
    $nmask = $bcast & $smask;
    return (($ipadr & $smask) == ($nmask & $smask));
}
?>

Source

Upvotes: 2
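An added example (not from any of the answers above): the same subnet test done in PHP on `$_SERVER['REMOTE_ADDR']` alone, without shelling out to `ifconfig`. The `LOCAL_CIDR` constant (taken from the question's 192.168.0.* network), the function names and the sample requests are assumptions made for illustration.

```php
<?php
// Added example: decide "local or not" from the TCP peer address only.
// LOCAL_CIDR is an assumption based on the question's 192.168.0.* network.
const LOCAL_CIDR = '192.168.0.0/24';

/**
 * True if $ip (dotted-quad IPv4) lies inside $cidr ("a.b.c.d/len").
 */
function ipInCidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[1])) {
        return false;
    }
    $len  = (int) $parts[1];
    $addr = ip2long($ip);
    $net  = ip2long($parts[0]);
    if ($addr === false || $net === false || $len > 32) {
        return false; // malformed input or a non-IPv4 peer: not local
    }
    // All-ones shifted left leaves $len leading one bits in the low 32 bits
    $mask = -1 << (32 - $len);
    return ($addr & $mask) === ($net & $mask);
}

/**
 * Decide from the server variables whether the password prompt can be
 * skipped. Only REMOTE_ADDR is consulted: it is set by the web server
 * from the connection, while headers such as X-Forwarded-For are sent
 * by the client and are deliberately ignored here.
 */
function isLocalVisitor(array $server): bool
{
    return ipInCidr($server['REMOTE_ADDR'] ?? '', LOCAL_CIDR);
}

// Constructed sample requests (not real traffic)
$samples = [
    ['REMOTE_ADDR' => '192.168.0.42'],                    // host on the LAN
    ['REMOTE_ADDR' => '203.0.113.9',
     'HTTP_X_FORWARDED_FOR' => '192.168.0.5'],            // header claims LAN
    ['REMOTE_ADDR' => '192.168.1.7'],                     // different private net
    ['REMOTE_ADDR' => '::1'],                             // IPv6 peer
];
foreach ($samples as $s) {
    $verdict = isLocalVisitor($s) ? 'local' : 'ask for password';
    printf("%-15s %s\n", $s['REMOTE_ADDR'], $verdict);
}
```

Only the first sample is treated as local; anything the function cannot parse as IPv4 falls through to the password prompt.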
