These documentation pages are no longer maintained. Please visit the new documentation site.
Securing the site depends on whether you are using a virtualhost setup or a non-virtualhost setup. A virtualhost setup means that all URLs are redirected to the index.php script, while a non-virtualhost setup requires that the index.php script is mentioned in the URL.
Virtualhost setups are secure by default since all requests are sent to the index.php script, with the exception of images, stylesheets and JavaScript files. The only thing required to secure the site is to make sure all custom made templates follow the security guidelines for templates.
Non-virtualhost setups are insecure by default. Because index.php must be placed explicitly in the URL, any other script can be executed directly, and .ini files containing password information can be opened. Because of this it is not recommended to use non-virtualhost setups; however, if you have no other choice, there are some guidelines that can be used to secure the site.
You also need to make sure that all custom made templates follow the security guidelines for templates.
The Apache web server allows each site to install a .htaccess file which can control which files are accessible as well as set PHP options. The .htaccess file is placed in the root of your eZ publish installation; an example of how it may look follows.
<FilesMatch ".">
order allow,deny
deny from all
</FilesMatch>
<FilesMatch "(index\.php|\.(gif|jpe?g|png|css|jar|js|html))$">
order allow,deny
allow from all
</FilesMatch>
RewriteEngine On
RewriteRule !\.(gif|css|jpe?g|png|css|jar|js|html)$ index.php
DirectoryIndex index.php
All .ini files in eZ publish are readable when in non-virtualhost mode, which means that placing items such as usernames and passwords in these files is dangerous.
Fortunately the .ini file reader in eZ publish supports reading so-called PHP wrapped .ini files. To use this, create a file with the suffix .ini.php (.ini.append.php for append files), wrap its contents in a PHP comment and place it in the settings directory (settings/override for append files). For instance, the web setup will automatically create such files in settings/override/ for you with all the personal settings.
<?php /*
[DatabaseSettings]
Server=mydbserver
User=myuser
Password=mypassword
*/ ?>
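An added example (not code from the eZ publish documentation) that performs the wrapping just described: it renames each .ini / .ini.append file below a settings directory to the .ini.php / .ini.append.php form and wraps the contents in a PHP comment, refusing input that contains `*/` because that would close the comment and let PHP output the remainder of the file. The directory layout, file names and settings content in `demo()` are constructed for the example.

```python
"""Wrap eZ publish settings files in a PHP comment (added example)."""
import os
import tempfile

WRAP_HEAD = "<?php /*\n"
WRAP_TAIL = "*/ ?>\n"

def wrap_ini(text):
    """Return the .ini text wrapped in a PHP block comment.
    A '*/' in the settings would close the comment early and PHP would output
    the rest, so refuse such input rather than write a file that leaks settings."""
    if "*/" in text:
        raise ValueError("settings contain '*/', which would end the PHP comment")
    if not text.endswith("\n"):
        text += "\n"
    return WRAP_HEAD + text + WRAP_TAIL

def wrapped_name(name):
    """Map site.ini -> site.ini.php and site.ini.append -> site.ini.append.php."""
    if name.endswith(".ini") or name.endswith(".ini.append"):
        return name + ".php"
    return None  # already wrapped, or not a settings file

def convert_dir(settings_dir):
    """Wrap every unwrapped .ini/.ini.append below settings_dir; return new paths."""
    converted = []
    for root, _dirs, files in os.walk(settings_dir):
        for name in files:
            new_name = wrapped_name(name)
            if new_name is None:
                continue
            old_path = os.path.join(root, name)
            with open(old_path, encoding="utf-8") as fh:
                wrapped = wrap_ini(fh.read())
            new_path = os.path.join(root, new_name)
            with open(new_path, "w", encoding="utf-8") as fh:
                fh.write(wrapped)
            os.remove(old_path)  # the readable plain-text copy must not remain
            converted.append(new_path)
    return converted

def demo():
    """Constructed settings/override tree holding the example credentials above."""
    base = tempfile.mkdtemp()
    override = os.path.join(base, "settings", "override")
    os.makedirs(override)
    with open(os.path.join(override, "site.ini.append"), "w", encoding="utf-8") as fh:
        fh.write("[DatabaseSettings]\nServer=mydbserver\nUser=myuser\nPassword=mypassword\n")
    return convert_dir(os.path.join(base, "settings"))
```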
If your server can run mod_rewrite, you can search for ezurl and replace it with ezroot in all your templates, then put the .htaccess file below in your installation directory, and you will get clean URLs in a non-virtualhost environment.
.htaccess
DirectoryIndex index.php
<FilesMatch "(index\.php|\.(gif|html|css|jpe?g|png|ico|js|asf|avi|wmv|swf|xsl|jar|pdf|doc))$">
order allow,deny
allow from all
Options Indexes FollowSymLinks Includes ExecCGI
</FilesMatch>
RewriteEngine on
# we are reached via /<path-to-ezpublish>/ prefix
#RewriteBase /<path-to-ezPublish>/
#if ezPublish is not in root directory take this and not the following
RewriteBase /
# IF URI does not end with "/" ###################
RewriteCond %{REQUEST_URI} !/$
# and IF URI does not end with <anything> <dot> <something>
RewriteCond %{REQUEST_URI} ![^.]*\.[php|html|gif|css|jpe?g|png|ico|js|asf|avi|wmv|swf|xsl|jar|pdf|doc]+$
#RewriteCond %{REQUEST_URI} [index\.php]+$
# THEN append trailing slash and redirect the client (include support for SSL)
RewriteCond %{HTTP_HOST} (.+)
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%1/$1/ [L]
# first we rewrite the root dir to the handling php script
RewriteRule ^$ index.php [L]
RewriteRule ^index\.html$ index.php [L]
# strip out the subdirs when the browser requests us from per dir pages
#RewriteRule ^.+/<path-to-ezPublish>+/.$ $1 [L]
#if ezPublish is not in root directory take this and not the following
RewriteRule ^.+/.$/ $1 [L]
# and now break the rewriting for local files
#RewriteRule ^<path-to-ezPublish>.php.* - [L]
#if ezPublish is not in root directory take this and not the following
RewriteRule ^.php.* - [L]
# exclude here directories or files eg. your webmail, phpadsnew, pphlogger
#start for 3.4, for 3.0 - 3.3 replace this part with code below.
RewriteRule ^.php.* - [L]
RewriteRule ^design.* - [L]
RewriteRule ^var/.*/storage.* - [L]
RewriteRule ^var/storage.* - [L]
RewriteRule ^var/.*/cache.* - [L]
RewriteRule ^var/cache.* - [L]
RewriteRule ^extension/.*/design.* - [L]
RewriteRule ^kernel/setup/packages.* - [L]
RewriteRule ^packages.* - [L]
RewriteRule ^share/icons.* - [L]
#end for 3.4
# anything else is a subdir which gets handled by another php script
RewriteRule !^index\.php.* - [C]
RewriteRule (.*) index.php/$1
The 3.0 - 3.3 part:
#start for 3.0 - 3.3
RewriteRule ^.php.* - [L]
RewriteRule ^design.* - [L]
RewriteRule ^var/.*/storage.* - [L]
RewriteRule ^var/storage.* - [L]
RewriteRule ^var/.*/cache.* - [L]
RewriteRule ^var/cache.* - [L]
RewriteRule ^extension/.*/design.* - [L]
RewriteRule ^kernel/setup/packages.* - [L]
#end for 3.0 - 3.3
More information and discussion on this part in the forum:
.htaccess - hidden at last
Comments
/index.php? to /
Charles-Edouard Coste
Monday 30 October 2006 8:25:52 am
I put the .htaccess on my website and it works. If I write www.example.com/fr I go on www.example.com/index.php?/fr .
But now I just can't browse on my site because all urls are still written with index.php?.
So if I click on the home link, I go to www.example.com/index.php?/fr and it obviously doesn't work.
Fix for the trailing slash problem / https problem
Dave Myron
Friday 21 January 2005 12:01:59 pm
RewriteRule (.*) https://%1/$1/ [L]
To:
RewriteRule (.*) http://%1/<path to ezp>/$1/ [L] # obviously remove the path info if it's installed in root
At least that's what got my subdirectory installation of EZP to work.
YMMV,
chicken
Anything missing a trailing slash redirects to https
Dave Myron
Friday 21 January 2005 11:54:32 am
# IF URI does not end with "/" ###################
RewriteCond %{REQUEST_URI} !/$
# and IF URI does not end with <anything> <dot> <something>
RewriteCond %{REQUEST_URI} ![^.]*\.[php|html|gif|css|jpe?g|png|ico|js|asf|avi|wmv|swf|xsl|jar|pdf|doc]+$
#RewriteCond %{REQUEST_URI} [index\.php]+$
# THEN append trailing slash and redirect the client (include support for SSL)
RewriteCond %{HTTP_HOST} (.+)
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%1/$1/ [L]
tells Apache to redirect any non-SSL request that doesn't end with a slash or a dot-something to https (with a slash at the end).
This is a large problem: you can't log in (if you don't have HTTPS support). The link from the home page is to /user/login and that satisfies all conditions (no trailing slash, no dot-something, and not using port 443), so it attempts to forward to https://<domain>/user/login. Not the intention.
file rename win
Ekkehard Dörre
Saturday 12 June 2004 1:08:36 pm
http://www.azheavymetal.com/~lupasrename/lupasrename.php
Greetings ekke
tip: quickly changing extensions
James Packham
Wednesday 09 June 2004 2:52:13 pm
Just copy and paste it into a new file (in the settings dir), chmod +x it and execute it. This will change the extensions of all files in the directory where the script is located.
security guidelines for templates.
Robert Castelo
Tuesday 19 August 2003 8:56:57 pm