  #21  
Old 20th April 2009, 21:28
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,483
Thanks: 813
Thanked 5,255 Times in 4,121 Posts
Default

So, here is the way to change the defaults. It's really easy and I had posted this last week already, but here for reference again is the step:

Edit the file:

/usr/local/ispconfig/server/conf/vhost.conf.master

and replace all lines (the line exists 4 times in the file):

AllowOverride Indexes AuthConfig Limit

with:

AllowOverride Indexes AuthConfig Limit FileInfo

---
Update: fixed typo in path.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

Last edited by till; 20th April 2009 at 22:15.
The Following 4 Users Say Thank You to till For This Useful Post:
davestyle (23rd April 2009), gkovacs (24th April 2009), lano (23rd June 2009), Leftblank (2nd September 2009)
  #22  
Old 20th April 2009, 21:48
Mogi Mogi is offline
Junior Member
 
Join Date: Apr 2009
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by till View Post
The override option default has been changed because users requested this and not because I requested this. So your complaint is that we have fixed a security issue due to user requests and you did not know it because you had not read the release notes. So if it is popular demand we will turn it on again.
Hey till, thanks for the reply.

I figured that it would not be a decision a dev would make, I just think that your way of handling it was back to front (which is entirely your prerogative, obviously) - instead of disabling rewrite it might have been better to offer an option to disable it. As it is there are no options at all other than to re-enable one site at a time retroactively, which is no option in real life.

Anyhow, what is done is done. I appreciate the slight security risks of rewrite and understand your concerns as to not having problems from users who might suffer because it is there.

From this end of things, though, things look very different.

To satisfy both the pro and anti rewrite brigades, why not reenable it globally and then have some way of disabling it afterwards (i.e. locking the sites that need it down with it enabled on all of them in one click). Then afterwards make some option to enable it, as you and the antis want, on a per *new* site basis. The enabling per site option would have to be sticky though.

All non-trivial to do, I'm sure, but as ISPConfig 3 shows, you're in it for the long haul. So that kind of setup (options per site and global/ rewrites on or off/ all sticky), as non-trivial as it might be for you to code into the script, would pay dividends in the long term.

Just my take on it.

Whatever you decide, I for one would really like to see it reenabled just for the immediate future anyway, if only to calm things down!

Also would like to say, despite all of the above and this present problem we are having, that ISPConfig 3 is excellent. Just the ultra-effective installation script is outstanding, let alone what the main script does once it starts work. Can't imagine the work that has gone into getting it this far, and kudos to you for that.

But just for now, please bring back the rewrites, before I and a lot of others get driven insane by broken sites.
  #23  
Old 20th April 2009, 22:08
Mogi Mogi is offline
Junior Member
 
Join Date: Apr 2009
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by till View Post
So, here is the way to change the defaults. It's really easy and I had posted this last week already, but here for reference again is the step:

Edit the file:

/usr/local/ispconfig/server/conf/vhost.conf.master

and replace all lines (the line exists 4 times in the file):

AllowOverride Indexes AuthConfig Limit

with:

AllowOverride Indexes AuthConfig Limit FileInfo
Thank you very much indeed, till.
  #24  
Old 20th April 2009, 22:14
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,483
Thanks: 813
Thanked 5,255 Times in 4,121 Posts
Default

I added this to the bugtracker. I posted above the information on how to enable and keep this setting in your configuration.

The security problem is not the rewrite engine itself (even if wrong rewrite rules may cause different problems too), so what we did is not disabling rewrite in the first line. The problem is that the rewrite engine is coupled to the FileInfo option, and FileInfo also allows enabling scripting in websites where scripting is disallowed, e.g. by adding AddType.... statements or filters to a .htaccess file.

For more information, take a look here what fileinfo enables:

http://httpd.apache.org/docs/2.0/mod...#allowoverride

(as a personal side note, the apache documentation does not even mention that mod_rewrite depends on fileinfo)

There is no real solution for this, so I will enable overriding of FileInfo again by default and write a note in the documentation that this will impose the risk that people with websites without scripting rights can enable them themselves by .htaccess file if the default configuration is not changed. In a later version it might be an option to add a field in the site settings to set the override options individually per site.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
The Following User Says Thank You to till For This Useful Post:
gkovacs (24th April 2009)
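
Added example (not part of the original posts and not ISPConfig code): a small Python audit that lists the <Directory> blocks of a vhost file whose AllowOverride includes FileInfo or All, i.e. the sites where a .htaccess file may carry the AddType-style directives described in the post above. The sample configuration is constructed and the function name is hypothetical.

```python
import re

# Constructed sample in the style of the vhost blocks quoted in this thread.
SAMPLE_VHOST = """\
<Directory /var/www/clients/client1/web15/web>
    Options FollowSymLinks
    AllowOverride Indexes AuthConfig Limit FileInfo
</Directory>
<Directory /var/www/clients/client1/web16/web>
    Options FollowSymLinks
    # AllowOverride All   (commented out, must be ignored)
    AllowOverride Indexes AuthConfig Limit
</Directory>
<Directory /var/www/clients/client1/web17/web>
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
</Directory>
"""

DIR_OPEN = re.compile(r'^<Directory\s+"?([^">]+)"?\s*>', re.I)
DIR_CLOSE = re.compile(r"^</Directory>", re.I)
OVERRIDE = re.compile(r"^AllowOverride\s+(.+)$", re.I)

def audit_allowoverride(conf_text):
    """Return [(directory, override_classes)] for every <Directory> block
    whose AllowOverride lets .htaccess use FileInfo-class directives."""
    findings, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments are whole lines
            continue
        opened = DIR_OPEN.match(line)
        if opened:
            current = opened.group(1).strip()
            continue
        if DIR_CLOSE.match(line):
            current = None
            continue
        override = OVERRIDE.match(line)
        if override and current:
            classes = override.group(1).split()
            # "All" implies FileInfo, so both are reported.
            if {"all", "fileinfo"} & {c.lower() for c in classes}:
                findings.append((current, classes))
    return findings

if __name__ == "__main__":
    for directory, classes in audit_allowoverride(SAMPLE_VHOST):
        print(f"{directory}: AllowOverride {' '.join(classes)}")
```

Run it against the generated vhost files after changing vhost.conf.master to see which sites ended up with FileInfo overrides.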
  #25  
Old 20th April 2009, 22:29
mgibson mgibson is offline
Junior Member
 
Join Date: Apr 2009
Posts: 18
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by till View Post
So, here is the way to change the defaults. It's really easy and I had posted this last week already, but here for reference again is the step:

Edit the file:

/usr/local/ispconfig/server/conf/vhost.conf.master

and replace all lines (the line exists 4 times in the file):

AllowOverride Indexes AuthConfig Limit

with:

AllowOverride Indexes AuthConfig Limit FileInfo

---
Update: fixed typo in path.
Thank you very much, was told in an earlier post that this couldn't be done when I asked where the default file was....

Code:
No, that's not possible.
__________________
Falko
wink wink
  #26  
Old 23rd April 2009, 20:43
davestyle davestyle is offline
Junior Member
 
Join Date: Nov 2008
Posts: 14
Thanks: 2
Thanked 2 Times in 2 Posts
Default

Quote:
Originally Posted by till View Post
So, here is the way to change the defaults. It's really easy and I had posted this last week already, but here for reference again is the step:

Edit the file:

/usr/local/ispconfig/server/conf/vhost.conf.master

and replace all lines (the line exists 4 times in the file):

AllowOverride Indexes AuthConfig Limit

with:

AllowOverride Indexes AuthConfig Limit FileInfo

---
Update: fixed typo in path.

Thanking you very much. I'm all for the checkbox approach to allowing mod_rewrite
  #27  
Old 2nd May 2009, 21:52
Ovidiu Ovidiu is offline
Senior Member
 
Join Date: Sep 2005
Posts: 1,259
Thanks: 76
Thanked 23 Times in 19 Posts
Default

So the safest solution is the one posted in reply #21, right? http://www.howtoforge.com/forums/sho...3&postcount=21

No other chance to enable only mod_rewrite and nothing else?

I guess that is a shortcoming of apache2 then. Will alter my masterfiles then.

Btw. if I change this file /usr/local/ispconfig/server/conf/vhost.conf.master and then go, make a small change in a website and save it, will this vhost.conf.master be automatically applied to the site I just saved?
  #28  
Old 2nd May 2009, 21:56
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,483
Thanks: 813
Thanked 5,255 Times in 4,121 Posts
Default

Quote:
no other chance to enable only mod_rewrite and nothing else?
No, at least I'm not aware of another solution.

Quote:
I guess that is a shortcoming of apache2 then. will alter my masterfiles then.
Yes.

Quote:
btw. if I change this file /usr/local/ispconfig/server/conf/vhost.conf.master and then go, make a small change in a website and save it will this vhost.conf.master be automatically applied? to the site I just saved?
Yes.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
The Following User Says Thank You to till For This Useful Post:
mode (18th May 2009)
  #29  
Old 31st May 2009, 23:09
Ovidiu Ovidiu is offline
Senior Member
 
Join Date: Sep 2005
Posts: 1,259
Thanks: 76
Thanked 23 Times in 19 Posts
Default

Don't understand this. I changed what was posted above by till, still if one of my wordpress sites tries to use mod rewrite, I get a 403 error:

Quote:
Forbidden

You don't have permission to access /wp-admin/options-permalink.php on this server.
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g Server at klub-kamikaze.com Port 80
and if I check the vhost file:

Quote:
<Directory /var/www/clients/client1/web15/web>
Options FollowSymLinks
AllowOverride Indexes AuthConfig Limit FileInfo
Order allow,deny
Allow from all
</Directory>
I even added these directives into the apache directives field within ispcfg3, so what am I doing wrong here? All other wordpress sites are fine after the hack described above by till, even without me adding the directives manually... The only difference I can think of is that meanwhile I have upgraded from (within the last week)
  #30  
Old 1st June 2009, 09:32
mgibson mgibson is offline
Junior Member
 
Join Date: Apr 2009
Posts: 18
Thanks: 0
Thanked 0 Times in 0 Posts
 
Default

Hi Tenaka,

Those apache directives didn't work for me either...
In the vhost.conf.master, change the lines to:

Quote:
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
There should be 4 places in vhost.conf.master where you do this. It worked for me on joomla, magento and wordpress.

NOTE: when you upgrade ispconfig3, it wipes these settings out so you will either make a backup of your vhost.conf.master, or put them in again and restart apache2.