gman04
New Member

Joined: Dec 06, 2004
Posts: 7

Posted: Wed Dec 08, 2004 9:00 am

Just installed Sentinel - Nuke 7.5 patched, Win2k3 IIS NOT Apache. Everything seems to be working fine.

But been reading all this .htaccess stuff and httpauth, cgiauth, which I assume I cannot use since it's an IIS server...? (bear with me I'm a noob).

Am I benefitting from the Sentinel protection on my server now? Is there a similar setup to this .htaccess httpauth stuff for my Windows server? THANKS MUCH!

Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 16976
Location: Kansas

Posted: Wed Dec 08, 2004 9:09 am

You are correct in your assumption about .htaccess and .staccess. However, you should be able to use HTTPAuth as that is a function of the browser (HTTP Protocol). In your NukeSentinel administration panel, can you set HTTPAuth to yes?

gman04
New Member

Joined: Dec 06, 2004
Posts: 7

Posted: Wed Dec 08, 2004 9:18 am

Can't seem to ... I just set all the httpauth p/w's for the admins (told me I had to) ...

Now in the Admin Auth pulldown there is only an option for "Off" and "Admin cgiauth" ... although I believe I recall it showing "httpauth" a few minutes ago?

Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 16976
Location: Kansas

Posted: Wed Dec 08, 2004 9:19 am

Let us look into this because it should be allowing HTTPAuth.

gman04
New Member

Joined: Dec 06, 2004
Posts: 7

Posted: Wed Dec 08, 2004 9:21 am

K ...

is HTTPAuth something I have to activate on the web server perhaps? i.e. enable it in IIS (again noob here bear with me) - thanks much for the help!

Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 16976
Location: Kansas

Posted: Wed Dec 08, 2004 9:30 am

You may have to enable it in IIS, I don't know the product and have never used it. But, it should still NOT be showing CGIAuth and it SHOULD be showing HTTPAuth option as Yes.

Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 16976
Location: Kansas

Posted: Wed Dec 08, 2004 9:36 am

Try this just for grins and giggles. Using phpMyAdmin, edit the nsnst_config table. Find the setting httpauth and put a 1 in there. Let's see if that pops up the gray box when you try to go into admin.php.

gman04
New Member

Joined: Dec 06, 2004
Posts: 7

Posted: Wed Dec 08, 2004 9:41 am

just tried it - set httpauth to 1 per above ... was able to hit admin.php w/o any authentication prompts....

Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 16976
Location: Kansas

Posted: Wed Dec 08, 2004 9:47 am

Okay, it was worth a try. Also, will you look in your IIS setup/configuration to see if you have to do anything special for HTTPAuth to work?

gman04
New Member

Joined: Dec 06, 2004
Posts: 7

Posted: Wed Dec 08, 2004 10:08 am

Just looked through everything in IIS - couldn't find anything specifically for HTTPauth

Did a quick google found some stuff - looks like my versions and everything are all correct ... the rest of this is greek to me on the PHP variable settings but maybe it'll make sense to you (some info on this page about httpauth and IIS)-

gman04
New Member

Joined: Dec 06, 2004
Posts: 7

Posted: Wed Dec 08, 2004 10:35 am

Well - one way to lock down the admin.php file - I just changed the perms on it to "deny" for the IIS guest internet account, and it required me to login with user account on the win2k3 box to get to the file, which I could.

I guess that would secure that file at least (I'll have to manually manage the users on the win box).... 'til we figure out the httpauth

but i guess this would bypass any benefits i get from sentinel?

Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 16976
Location: Kansas

Posted: Wed Dec 08, 2004 11:56 am

You have all the other which is protection from exploits. Also, it dawned on me that your php is compiled as CGI so that's why the auth settings aren't showing up. Anyway, try this:
Code:
Regarding HTTP authentication in IIS with the php cgi 4.3.4, there's one more step. When using HTTP auth with the php CGI, you need to do the following things:

1. In your php.ini file, set "cgi.rfc2616_headers = 0"

2. In Web Site Properties -> File/Directory Security -> Anonymous Access dialog box, check the "Anonymous access" checkbox and uncheck any other checkboxes (i.e. uncheck "Basic authentication," "Integrated Windows authentication," and "Digest" if it's enabled.) Click OK.

3. In "Custom Errors", select the range of "401;1" through "401;5" and click the "Set to Default" button.

It's this last step that is crucial, yet not documented anywhere. If you don't, instead of the headers asking for credentials, IIS will return its own fancy but useless 'you are not authenticated' page. But if you do, then the browser will properly ask for credentials, and supply them in the $_SERVER['PHP_AUTH_*'] elements.
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger
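
A way to check the result of the three IIS steps quoted above, as an added example that is not part of Raven's post or of NukeSentinel: it classifies the raw response to an unauthenticated request for admin.php by status code and `WWW-Authenticate` header. The realm "Admin Area", the verdict names and the sample responses are constructed assumptions; substitute the realm your application actually sends.

```python
import re

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "php_challenge": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Admin Area"\r\n\r\nAccess denied',
    "iis_error_page": "HTTP/1.1 401 Access Denied\r\nContent-Type: text/html\r\n\r\n<html>not authenticated</html>",
    "integrated_auth": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n",
    "iis_basic": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="WEBSRV01"\r\n\r\n',
    "unprotected": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>admin</html>",
}

def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(lowercased name, value), ...])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def diagnose(raw, expected_realm):
    """Classify the response to an unauthenticated request for the admin page."""
    status, headers = parse_response(raw)
    if status != 401:
        return "no-challenge"          # page served with no auth prompt at all
    challenges = [v for n, v in headers if n == "www-authenticate" and v]
    if not challenges:
        return "challenge-missing"     # 401 without the header: the symptom step 3 addresses
    if any(c.split()[0].lower() != "basic" for c in challenges):
        return "server-auth-enabled"   # IIS is challenging itself: revisit step 2
    realms = [m.group(1) for c in challenges
              for m in [re.search(r'realm="([^"]*)"', c)] if m]
    if realms != [expected_realm]:
        return "unexpected-realm"      # Basic prompt, but not the application's own
    return "ok"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} -> {diagnose(raw, 'Admin Area')}")
```

Only the "ok" verdict means the browser will prompt for the credentials that PHP then exposes in `$_SERVER['PHP_AUTH_*']`.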
gman04
New Member

Joined: Dec 06, 2004
Posts: 7

Posted: Wed Dec 08, 2004 10:13 pm

Ahhh - ok I guess that would do it ...

I'll try the above and let you know the results. (btw -you're awesome Raven! thanks much for the speedy replies and assistance!!!!)

Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 16976
Location: Kansas

Posted: Wed Dec 08, 2004 10:23 pm

RavensScripts