Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
Dauthus
Worker
Worker


Joined: Oct 07, 2003
Posts: 211

PostPosted: Fri Jul 08, 2005 7:35 pm Reply with quote

Here's the setup.

I am running a subdomain which has protected access. The subdomain is not a directory in the public folder, but has it's own directory. The path works like this:

/var/www/html <---- This is the public folder
/var/www/subdomain <---- This is the subdomain folder

(This is the default subdomain creation using Ensim Pro Control Panel)

In the subdomain root directory I have created an .htaccess file (/var/www/subdomain/.htaccess) that along with the .htgroup and .htpasswd files causes the domain to have protected access. and I can still create users in the CP and give them access.

I am currently running PHP-Nuke 7.6 patched 3.0 and Sentinel 2.3.1 and have a few very minor coding changes.

Here is the problem.

When I added the authentication using the .htaccess (I just added the code to the existing .htaccess) and the .staccess I end up with an endless loop of authentication windows when I try and access the admin.php file of the site. It didn't matter which username and password I used, it kept looping over and over again. I had to comment out the Sentinel authentication so I can work in the admin portion of the site.

Here is an "example" of the .htaccess:

Code:
AuthUserFile /blah/blahblah/blah/fst/var/www/.htpasswd

AuthGroupFile /blah/blahblah/blah/fst/var/www/.htgroup
AuthName "Members Area"
AuthType Basic
<Limit GET>
require group  GroupName
</Limit>
#
Options All -Indexes
DirectoryIndex index.php index.htm index.html
#
# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
#<Files .ftaccess>
#  deny from all
#</Files>
#
#<Files .staccess>
#  deny from all
#</Files>
#
#<Files admin.php>
#   <Limit GET POST PUT>
#      require valid-user
#   </Limit>
#   AuthName "Restricted"
#   AuthType Basic
#   AuthUserFile /blah/blahblah/blah/fst/var/www/subdomain/.staccess
#
#</Files>
#
# -------------------------------------------
# Start of NukeSentinel(tm) DENY FROM area
# -------------------------------------------
#


Did I miss something simple? It almost looks like they may need to be combined or something.

_________________
Only registered users can see links on this board! Get registered or login!
Vivere disce, cogita mori 
View user's profile Send private message Visit poster's website
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Fri Jul 08, 2005 10:06 pm Reply with quote

Try moving the .htpasswd file to a directory location ABOVE the html folder (being in an area above the public root and thus NOT accessible by the domain or sub-domain for access) in a folder called .htpasswds (this would be at the same level as your www directory, not under it).

Then in your root and sub-domain folder .htaccess, do it like this:
Code:
AuthUserFile /blah/blahblah/blah/fst/var/.htpasswds/.htpasswd


Same thing for your groups.

The result? Here is what it should look like for just the .htpasswd file, follow this example for the rest of them:
Code:
<Files /blah/var/.htpasswds/.htpasswd>

  deny from all
</Files>
<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /blah/var/.htpasswds/.htpasswd
</Files>


Finally, I could be wrong, but I'm thinking that you are going to get prompted twice if you have both group and admin.php access restrictions.

I'm thinking that if you go to the sub-domain first, you'll get prompted for access there, then you should be able to go to the admin.php and be prompted for that level of access.

I should note that I had issues with redirects from using a wildcard DNS handler in the DNS Zone files. I had to actually hard code my A records and delete the wildcard in my hosting control panel to eliminate this problem. Your host may do it differently, I can't say for sure. I've heard this is a "Netadmin" and "Cpanel" control issue. There is a fair amount of reported issues out there in this regard.

Now, in this scenario, I don't enable anything in NukeSentinel in terms of .staccess settings. I simply leave that un-enabled because I am getting the protection by way of the .htaccess rules that are telling my system that I need that password to get to the admin.php.

Hope this helps!

_________________
Steph Benoit Only registered users can see links on this board! Get registered or login!
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly) 
View user's profile Send private message Visit poster's website
Dauthus
PostPosted: Sat Jul 09, 2005 1:05 am Reply with quote

64bitguy wrote:
Try moving the .htpasswd file to a directory location ABOVE the html folder (being in an area above the public root and thus NOT accessible by the domain or sub-domain for access) in a folder called .htpasswds (this would be at the same level as your www directory, not under it).


Sorry 64bitguy, I should have explained the location of the files a little better. The .htgroup and .htpasswd files are out of the html root. They aren't in a "hidden" type of directory as you suggested, but they were out of the general publics access. Moving them as you suggested didn't help. The directory structure is like so:

/blah/blahblah/blah/fst/var/www/.htpasswd
/blah/blahblah/blah/fst/var/www/.htgroup
/blah/blahblah/blah/fst/var/www/subdomain/.htaccess
/blah/blahblah/blah/fst/var/www/subdomain/.staccess
/blah/blahblah/blah/fst/var/www/subdomain/admin.php

the html root for the domain (not the subdomain) would be:

/blah/blahblah/blah/fst/var/www/html/*.*

64bitguy wrote:
Finally, I could be wrong, but I'm thinking that you are going to get prompted twice if you have both group and admin.php access restrictions.

I'm thinking that if you go to the sub-domain first, you'll get prompted for access there, then you should be able to go to the admin.php and be prompted for that level of access.


You are correct. One access for the Only registered users can see links on this board! Get registered or login! access and one for the Only registered users can see links on this board! Get registered or login! The only problem is the Authentication Windows keep popping up over and over in an endless loop. It's like when I log in to admin.php, it removes the cookie/session that was being used for me to access the subdomain. Thus when the cookie/session goes, you have to log in again. And vice versa for each. Kind of like going through authentication and then shutting down your browser. You will have to authenticate each time but you stay authenticated until you close your browser window or the cookie/session expires.

What I am thinking is happening is when I try and log in to admin.php and go through the authentication my browser is dumping the authentication for the subdomain entry. Then, when I authenticate for the subdomain, the browser is dumping the authentication for the admin.php. It only happens when I try and access the admin.php file. If I don't try and go to admin.php, I can go through the entire site with the subdomain authentication. The problem just starts when I try and enter admin.php. Is this making any sense?
 
64bitguy
PostPosted: Sat Jul 09, 2005 2:20 pm Reply with quote

Can you PM me with a copy of the .htaccess you have in your root (main domain) as well as the .htaccess that you have in your sub-domain root. Finally a screen shot of your NukeSentinel Admin preferences screen for the sub-domain?

I'll take a look at it and see if I can replicate the process on my server or better yet, fix it.

Also, do you have wildcards setup for your domain in your DNS Zone File configuration (in your hosting control panel) or do you have the sub-domain hard coded with A records, etc...

If you are using wildcards, send me a screen shot of your hosting control panel DNS entries and I'll send you back a copy of what it would look like hard-coded.
 
Dauthus
PostPosted: Sat Jul 09, 2005 5:13 pm Reply with quote

It's sent. I had to link the files. No attachments allowed in the pms.
 
64bitguy
PostPosted: Sat Jul 09, 2005 6:08 pm Reply with quote

Ok, I think I see a problem here.

Question:
Do you provide users with just access to this sub-domain in this .htaccess, or are you also providing permissions to them for something else?

Meaning, as I understand it, there are really only two types of access going on here, one is for you to restrict access to the administration functions, and the other allows everyone in a selected group to actually just simply have access to the sub-domain itself.

You aren't giving any other special access persmissions beyond this screnario right? For example, you aren't allowing bob one type of access and john another type of access correct?

Now in that scenario, if everyone has the same access permissions, you don't need to use groupfile, just userfile. (As there aren't different types of groups of users)

If that's the case, I can fix the .htaccess and send it back.

Now, one other thing, you have a call to a .ftaccess in there. Is it actually being used?

Finally, last but not least, I'm assuming that your salt value does match whatever you are using in your .staccess (the one from your NukeSentinel Screen).

Thanks
Steph
 
Dauthus
PostPosted: Sat Jul 09, 2005 7:28 pm Reply with quote

64bitguy wrote:
Do you provide users with just access to this sub-domain in this .htaccess, or are you also providing permissions to them for something else?


Only for this sub-domain.

64bitguy wrote:
there are really only two types of access going on here, one is for you to restrict access to the administration functions, and the other allows everyone in a selected group to actually just simply have access to the sub-domain itself.


There are two types of access, one to restrict access to the admin.php (NukeSentinel) and one to restrict access to the subdomain (but it's not using group. I removed that part because I have a third party that manages the site access.

64bitguy wrote:
You aren't giving any other special access persmissions beyond this screnario right? For example, you aren't allowing bob one type of access and john another type of access correct?


Nope. No other special access permissions. It is set up so I can add users through the Domain CP also. But all that does is add username and password to the .htpasswd. If you will notice I changed the following:

Code:
<Limit GET>

#require group  Staff
require valid-user
</Limit>


That way the "Staff" group setting isn't needed, just the Username and Password authentication. Group is irrelevant.

64bitguy wrote:
Now, one other thing, you have a call to a .ftaccess in there. Is it actually being used?


That line of code is in the sample.htaccess provided with NukeSentinel. I figured it was something the developers needed. I didn't put it there on my own, I just used what was provided with NukeSentinel.

64bitguy wrote:
Finally, last but not least, I'm assuming that your salt value does match whatever you are using in your .staccess (the one from your NukeSentinel Screen).


Thats a negative. I used the crypt.php file (from this forum) and just made an encrypted password and entered that in the .staccess. I didn't update it. I have never changed it on any site I have installed Nuke Sentinel on. They have all worked and required the proper Username and Password. I even use different salt values for each username and password that have been added to the .staccess and everyone's works fine.
 
64bitguy
PostPosted: Sat Jul 09, 2005 10:37 pm Reply with quote

Ok... I think that (may) be where your problem rests.

Simply open up your .staccess and look at your encrypted password.

Then go into the NukeSentinel Administration screen and change the salt value to be the same as the first two characters in your encrypted password.

For example, let's say your username for this access is: joe

In this case, your password (after your ran the crypt program) coupled with your ID would look like this in your .staccess file. (Keep in mind, I'm making up a password and salt value here, but you should know what you used for a password before it was encrypted).

Anyway, your .staccess would look like this in this example:
Code:
joe:*%kIk96t$km310


Then you would simply put: *% as the "Salt" value inside NukeSentinel.

Then re-enable the appropriate section (that you commented out) in your .htaccess and try it again. Also, I would suggest moving that ABOVE the other sections... in other words, first the NukeSentinel .htaccess section, then the rest.

Let me know how you come out.


Last edited by 64bitguy on Sat Jul 09, 2005 10:41 pm; edited 1 time in total 
Dauthus
PostPosted: Sat Jul 09, 2005 10:41 pm Reply with quote

What about the other passwords that have different salt values?
 
64bitguy
PostPosted: Sat Jul 09, 2005 10:42 pm Reply with quote

Those shouldn't matter because they aren't validated by NukeSentinel, they are merely for domain access.

Also be sure to add yourself as a protected admin inside the NukeSentinel configuration settings.
 
Dauthus
PostPosted: Sat Jul 09, 2005 10:50 pm Reply with quote

Nope, it didn't help. The authentication screen keeps changeing from:

Restricted to Members Area to Restricted to Members Area. (These are the names of the Authenticaton boxes)

In other words I keep loosing my authentication for the subdomain when I try and log in to the admin.php. Then when I authenticate for the subdomain I lose my authentication for the admin.php
 
Dauthus
PostPosted: Sat Jul 09, 2005 10:52 pm Reply with quote

64bitguy wrote:
Those shouldn't matter because they aren't validated by NukeSentinel, they are merely for domain access.


Actually one of the usernames and passwords is for another god admin. I will change his password when I get this figured out.
 
64bitguy
PostPosted: Sat Jul 09, 2005 11:13 pm Reply with quote

Put yourself (id and encrypted password) in a group called admins in the same file with the other group and then try this:

Code:
<Files /home/blah/.htpasswds/.htgroup>

  deny from all
</Files>
<Files /home/blah/.htpasswds/.htpasswd>
  deny from all
</Files>

AuthUserFile /home/blah/.htpasswds/.htpasswd
AuthGroupFile /home/blah/.htpasswds/.htgroup
AuthName "Members Area"
AuthType Basic
<Limit GET PUT POST>
require group GroupName
</Limit>

<Files admin.php>
   <Limit GET POST PUT>
      require group admins
   </Limit>
   AuthName "Administration Restricted"
   AuthType Basic
   AuthUserFile /home/blah/.htpasswds/.htgroup
</Files>
 
Dauthus
PostPosted: Sat Jul 09, 2005 11:27 pm Reply with quote

Nope, can't do that. That will remove the ability of the third party to manage the members who can access the site. I had to remove the require group and change it to the require valid-user. I am relatively sure the third party cannot add members to a group from the outside using a Pearl script.
 
64bitguy
PostPosted: Sun Jul 10, 2005 10:29 am Reply with quote

Actually, I didn't change that. The only real change I made was to eliminate the .staccess function and add that capability into your existing groups function to support a new "admins" group.

This (I believe) should not have affected your ability to add users whatsoever.

Again, the only real change I made was to have you assign yourself in the existing groups password section (as a new group called admins) where you would move your ID/Password from the .staccess file.

That (for all intensive purposes) should work, should keep all of your functionality and allow you to have multiple admins access the admin.php.
 
Dauthus
PostPosted: Sun Jul 10, 2005 4:25 pm Reply with quote

64bitguy wrote:
<Limit GET PUT POST>
require group GroupName
</Limit>


Any time there is a "require group" in this limit, it requires a user to be a member of a group before they can access, but I see where you are going with that. You are going a route by only allowing whoever is in the "admins" group as the only ones allowed to access the admin.php file. These admins, even though they are site admins for PHP-Nuke, cannot access the admin.php file unless they are ALSO assigned to the "admins" group through the CP.

I'll work on that and see what I can come up with. I just have a feeling this double authentication is what is causing the problem. I don't think the browsers are able to handle it. I mean, you ever wonder why you can't "log out" of an authentication like this? You have to shut down the browser after the session. But I have been wrong sooooo many times before.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©