Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> Raven's RavenNuke(tm) v1.x Distro
Author Message
dingfelder
Hangin' Around


Joined: Jan 18, 2005
Posts: 45
Location: New Zealand

PostPosted: Thu Dec 08, 2005 4:10 am Reply with quote

pardon my ignorance, but can someone expand upon the difference between "Admin HTTPAuth", and "Admin CGIAuth" ?

Im up to the step in the instructions where I have to set HTTPAuth but it is not listed. Sad

Is there something I can do to enable HTTPAuth? or something my host can configure ?

Cheeers !

Ding
 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Thu Dec 08, 2005 8:07 am Reply with quote

HTTPAuth requires that PHP is compiled as an Apache module. This is due to needing access to certain variables that are not set when PHP is compiled as a CGI. Now, if you know/suspect that your PHP IS compiled as an Apache module and are still getting that message, then try this.

In ABMain.php
FIND
!stristr($_SERVER['SERVER_SOFTWARE'], "apache")

CHANGE TO
!stristr($_SERVER['SERVER_SOFTWARE'],
"apache")AND!stristr($_SERVER['SERVER_SIGNATURE'], "apache")


Then, in functions.php
FIND
stristr($_SERVER['SERVER_SOFTWARE'], "Apache")

CHANGE TO
(stristr($_SERVER['SERVER_SOFTWARE'],
"Apache")||stristr($_SERVER['SERVER_SIGNATURE'], "Apache"))

If HTTP Auth still does not show up in the drop down box, then you will have to use CGIAuth. I will be adding that in the next release of NukeSentinel(tm).


CGIAuth uses a different method to encode and check the id/pass. It must use a separate id/pass file (.staccess in this case). They bot achieve the same goal but in different ways.
 
View user's profile Send private message
cacat
Hangin' Around


Joined: Nov 23, 2005
Posts: 43

PostPosted: Thu Dec 08, 2005 11:40 am Reply with quote

i edited 1 file - .htaccess

Code:


# -----------------------------------------------------------------------------------------------------
# Leave this block commented out unless HTTPAuth is NOT available in your NukeSentinel(tm) Admin Panel.
# This code is mainly for use with CGI Authentication and most servers do not require it.
# -----------------------------------------------------------------------------------------------------
 <Files admin.php>
    <Limit GET POST PUT>
       require valid-user
    </Limit>
    AuthName "Restricted"
    AuthType Basic
   AuthUserFile /mypath/public_html/.staccess
 </Files>
#


i just uncommented that section.
works like a charm
 
View user's profile Send private message
dingfelder
PostPosted: Thu Dec 08, 2005 1:41 pm Reply with quote

ok, sounds like I want either to use httpauth if it is available or else I need to wait for you to finish work on cgiauth.

I would prefer option 1 so I will ask my host if this is available.

I want to get it right on this install, because I have quite a few websites that I plan on upgrading to this distro. My plan is to take your base install, configure al the security settings to suit my admin needs, add the better menu, a photo gallery, a calendar, a "contact us" module, a "about us" module, and a donations module. I only want to do all that once, so I will then export the db and tar up the files. I can then drop it into other directories for new installs.

So, if my host does not offer httpauth, how long (ballpark guess) until the next version that includes cgiauth? and if you have any comments/improvements to my plan, I would love to hear them before I get too far.

Cheers!

Ding
 
Raven
PostPosted: Thu Dec 08, 2005 1:57 pm Reply with quote

Finish what work? It works right out of the box.
 
cacat
PostPosted: Thu Dec 08, 2005 2:58 pm Reply with quote

???

dont you read anything else but your posts and raven's?
cgi auth works FINE if you just remove the "#" at that specific section of the file .htaccess...

here it is for you again:

this is from the .htaccess file:



# -----------------------------------------------------------------------------------------------------
# Leave this block commented out unless HTTPAuth is NOT available in your NukeSentinel(tm) Admin Panel.
# This code is mainly for use with CGI Authentication and most servers do not require it.
# -----------------------------------------------------------------------------------------------------

<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted"
AuthType Basic
AuthUserFile /mypath/public_html/.staccess
</Files>


lets count together: 1-2-3-4-5-6-7-8!!
8 lines to remove the # at the start of the line!

RTFM RTM
 
dingfelder
PostPosted: Thu Dec 08, 2005 3:01 pm Reply with quote

Quote:
Finish what work? It works right out of the box.


sorry, maybe I missed something. I was following the instructions for configuring the system, and at the point where it says to choose HTTPAuth, there is a note saying that if HTTPAuth is not there, to refer to the forums on how to configure CGIAuth.

Then, in your last post you said:

Quote:
If HTTP Auth still does not show up in the drop down box, then you will have to use CGIAuth. I will be adding that in the next release of NukeSentinel(tm).


So that is the *work* I meant.

I was planning on perusing the forums tonight to see what exactly would be involved in manually configuring CGIAuth in case the next release is a while off, but I have not even started looking at it yet.


Cacat, regarding your post:
Quote:
dont you read anything else but your posts and raven's?
cgi auth works FINE if you just remove the "#" at that specific section of the file .htaccess...

I was not sure what you meant, and am still a bit mistified... I have to assume you mean IF the host has configured their server to use php as a apache module and the UI is not displaying the httpAuth option in the dropdown list, your *fix* will work. Since the host may not have made this configuration, I don't see how changing the .htaccess file will change how the server works. Or am I missing something?


Cheers,

Ding
 
Raven
PostPosted: Thu Dec 08, 2005 3:21 pm Reply with quote

Raven wrote:
I will be adding that in the next release of NukeSentinel(tm).

What that meant was I will be adding the code correction to identify Apache as opposed to you having to patch it yourself. The CGI process is really very simple. Uncomment the code in .staccess as instructed. Make sure to chmod .staccess to 777. Then goto Admin Auth List and you should see a link to setup CGI. I think I stated it all. Try it and if you can't figure it out let us know. Sorry for the miscue Wink
 
cacat
PostPosted: Thu Dec 08, 2005 3:31 pm Reply with quote

i meant this:
there is no http auth in nuke sentinel's cpanel, so you are forced to choose one cgi auth or nohting. you choose cgi.

then--->

all you have to do , i mean ALL, for the cgi auth to work is to UNcomment those 8 lines.
no code to add, edit or to look for, no server config, no nuke modifications, nothing.

make sure it is selected in the nuke admin panel as well....

this "*FIX*" is not a fix, it is just the way it is meant to be. it was designed like this.

both work with .htaccess in similar but not 100% the same ways.
uncomment the ones for cgi and you ar set.
that will be $50 - $15 for my time and $35 for raven's

thank you, drive thru
 
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Thu Dec 08, 2005 5:04 pm Reply with quote

Don't take this the wrong way. It's not a severe criticism, or anything -- just adding to the conversation...

Whenever possible, I use cookie auth (session based auth). Personally, I feel more comfortable (as an admin) being able to control the session time-out length and so forth, and (as a user) being able to logout, which is a pain to handle with HTTP auth, you know? Wink

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: Only registered users can see links on this board! Get registered or login! | Only registered users can see links on this board! Get registered or login! ::. 
View user's profile Send private message Visit poster's website ICQ Number
Raven
PostPosted: Thu Dec 08, 2005 5:58 pm Reply with quote

Vin,

I didn't take anything the wrong way. Setting HTTP Auth to log a user out is really not a pain. There are several ways to do it through the Header function.
 
VinDSL
PostPosted: Thu Dec 08, 2005 8:25 pm Reply with quote

Raven wrote:
Setting HTTP Auth to log a user out is really not a pain. There are several ways to do it through the Header function.

Heh! I wish the ppl at cPanel would figure that out!

Everytime I use cPanel, to log out, I have to quit my browser. They provide a button, but this 'log off' function doesn't work with Firefox. How do you get around browser-specific issues like this?
 
VinDSL
PostPosted: Fri Dec 09, 2005 12:40 am Reply with quote

I just ran across this thread on another site. Perhaps this will make the point better...

Quote:
Raven (another Raven - not our Raven): Is it just me... or does the logout button not work in the CP? I'm using Firefox 1.0.

JonathanB: I've been using the family of Mozilla browsers for quite a while and I don't believe the logout button ever worked with those browsers.

sycopathman: I can't log out either.

VinDSL: All that button does is close your browser. You can do that manually, if you want to.

jason: CPanel uses HTTP authentication. Apache pretty much sums it up in their documentation with this:

Quote:
How do I log out?

Since browsers first started implementing basic authentication, website administrators have wanted to know how to let the user log out. Since the browser caches the username and password with the authentication realm, as described earlier in this tutorial, this is not a function of the server configuration, but is a question of getting the browser to forget the credential information, so that the next time the resource is requested, the username and password must be supplied again. There are numerous situations in which this is desirable, such as when using a browser in a public location, and not wishing to leave the browser logged in, so that the next person can get into your bank account.

However, although this is perhaps the most frequently asked question about basic authentication, thus far none of the major browser manufacturers have seen this as being a desirable feature to put into their products.

Consequently, the answer to this question is, you can't. Sorry.

CPanel does, however, get around this in webmail, where the logout link does work. I'm not exactly sure how they implement that, but I'm curious to find out.

Raven: At times I do login to the control panel from computers other than my personal one, so in reality it does make a difference to me. Wink But, I did assume that the logout did more than just close the browser window. Now that I know more about the situation, thanks to jason, I can let go of my worries.

VinDSL: Look, once you are authenticated, using basic auth, you stay authenticated as long as the browser is open. If you close the browser, manually or otherwise, you have to authenticate again. If you'll pardon the pun, this is 'basic authentication' 101...

All that button does is close your browser...

Here's the actual code:

Code:
"<a href="#" onClick="self.close()"><img src="images/topbar_logout.gif" width="55" height="45" border="0"></a>


That button is just a convenience... a 'crutch', if you will... and that code doesn't work with Mozilla browsers...

Cookie authentication is a whole different matter. It doesn't matter if you close the browser or not. The cookie lives as long as it lives. Many times, it will live 'forever' (I've seen cookies that are set to expire in 2038). So, if you use a public terminal, like at work, ALWAYS make sure that you not only close the browser, but you delete all the cookies. Otherwise, you're leaving yourself wide open!

This is probably where you are confused, Raven... With cookie auth, when you logout, you are killing the cookie. You don't have to close the browser to kill the cookie. With 'basic auth', you cannot kill auth until you close the browser. In other words, you cannot logout using 'basic auth' the same way you do with cookies...

phluidphil: as a side note, if you *truely* want to logout of cpanel, make sure *ALL* mozilla browser windows are closed and associated e-mail programs. If you leave mozilla mail open it will still keep your basic auth. information in memory even if you have all mozilla browser windows closed.

This goes for all browsers and their associated email program. (Firefox, Mozilla, IE).


For me it's all about logging out -- well, that and some aesthetic considerations. HTTP auth looks pretty kludgey, as implimented in most browsers, you know? Wink


Last edited by VinDSL on Fri Dec 09, 2005 1:24 am; edited 1 time in total 
Raven
PostPosted: Fri Dec 09, 2005 1:15 am Reply with quote

I'm heading into bed right now but I have some code somewhere that sets an expire date so that the next time you try to go into admin.php (as an example) and HTTPAuth is active, it knows to reissue it. It's the same principle.
 
VinDSL
PostPosted: Fri Dec 09, 2005 1:34 am Reply with quote

Here's some cuties! A whole page of solutions to the log out conundrum:
Only registered users can see links on this board! Get registered or login!

Specifically:
Only registered users can see links on this board! Get registered or login!

Isn't the web a fun place? I swear -- learn something new every day... Very Happy
 
Raven
PostPosted: Fri Dec 09, 2005 6:02 am Reply with quote

And you saved me the trouble of having to dig mine up Wink
 
addy
Hangin' Around


Joined: Mar 28, 2005
Posts: 42

PostPosted: Sat Dec 17, 2005 8:19 pm Reply with quote

Quote:

i edited 1 file - .htaccess


Where is the .htaccess file located? I'm wanting to take the plunge and activate this.
 
View user's profile Send private message
cacat
PostPosted: Sun Dec 18, 2005 1:44 am Reply with quote

root dir of your phpnuke
 
Raven
PostPosted: Sun Dec 18, 2005 5:56 am Reply with quote

addy wrote:
Quote:

i edited 1 file - .htaccess


Where is the .htaccess file located? I'm wanting to take the plunge and activate this.

You do not need .htaccess to use HTTP Auth. You do need it for CGIAuth.
 
addy
PostPosted: Sun Dec 18, 2005 12:22 pm Reply with quote

I'll be using CGIauth.

Was it not included in the 7.6 package? It might also be hidden so I'll check that as well...
 
Raven
PostPosted: Sun Dec 18, 2005 3:04 pm Reply with quote

CGI and HTTP Auth is a function of the Browser, so yes, it's included Wink Basically, here's what you do.

- Change your permissions on both .htaccess and .staccess to 777.
- Place the paths to .htaccess and .staccess in the Admin Control Panel
- Select CGI Auth Access
- From the NukeSentinel Admin Control Panel, select Scan For New Admins.
- Now select Admin Auth List and make sure that all admins have been assigned passwords.
- Now, you should see a link that says Build CGIAuth file: -- Click it. That will build your .staccess id:pass file.
- Now back in the main NS ACP, in the .staccess box, you will see a link that says CGI Auth Setup -- click it. It should produce a new window with the following information.
Save this in .htaccess :

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
deny from all
</Files>

<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /home/USERNAME/public_html/.staccess
</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------


USERNAME will be your username and the path may be different

- Copy and paste that into your .htaccess file.

That is the procedure. It sounds more complicated than what it is and I took you the long way around hoping you'd understand it.
 
addy
PostPosted: Tue Dec 27, 2005 5:04 pm Reply with quote

Quote:

It should produce a new window with the following information.
Save this in .htaccess :

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
deny from all
</Files>

<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /home/USERNAME/public_html/.staccess
</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------

USERNAME will be your username and the path may be different


When I click to build it just flashes back to the same page - nothing pops up with that information. I have made sure my blockers are off and the path it recommended for the .htaccess and .staccess are the only ones the admin pannel would take.
 
Raven
PostPosted: Tue Dec 27, 2005 8:00 pm Reply with quote

So just copy and paste the code above and modify it with your information.
 
addy
PostPosted: Tue Dec 27, 2005 10:08 pm Reply with quote

Any particular line in the .htaccess file or anywhere will do?

I'm also not following the username and path..

Quote:

/home/USERNAME/public_html/.staccess


I have the paths just as they were in the bundle so I'm guessing the only thing I should change is the admin user name in the middle?
 
Raven
PostPosted: Tue Dec 27, 2005 10:28 pm Reply with quote

Place that code, exactly as shown, at the beginning of .htaccess. The AuthUserFile /home/USERNAME/public_html/.staccess is the absolute path to your .staccess file, as shown in your NukeSentinel(tm) ACP.
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> Raven's RavenNuke(tm) v1.x Distro

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©