Void's Forums

[ZiaTioN]

I was messing around with some htacces stuff today and noticed that when I try to ban all traffic to my cgi-bin directory it seems the htaccess file is being ignored or not parsed?

<Limit GET POST>
order deny,allow
deny from all
</Limit>

That is what I have in my .htaccess file and I can still access a script I have in that directory. I have tried <file></file> instead of <Limit></Limit> and I get the same indications.

Any ideas?

[Void Main]

You have to have your AllowOverride parameter set in your /etc/httpd/conf/httpd.conf file for the directory you want to use your .htaccess files. You can allow only certain Overrides or you can allow them all by having "AllowOverride All" in your config file in your "/var/www/html" directory definition. Once setting this config param and signalling Apache to reload it's configuration (/sbin/service httpd reload) your .htaccess file should work.

[ZiaTioN]

Ahhh yes, AllowOverride. Forgot about that. That was the ticket!

[Basher52]

it's an old thread but since it's the same thing, I'll continue it.

This is from my phpMyAdmin.conf: <Directory /usr/share/phpMyAdmin/>
and this from .htaccess: AuthUserFile /usr/share/phpMyAdmin/.htpasswd
and: DocumentRoot "/var/www/html"

why isn't this working. The phpMyAdmin is installed by an rpm so the folder is not under the documentroot. Whenever I try to go into the webserver:
http://www.site.se/phpMyAdmin, the only thing I get is the password for phpMyAdmin, not the .htaccess password I've set up.

and another thing, which is the best, using the .htaccess/.htpasswd or put all new websites under some other physical place other then DocumentRoot and then create a '/etc/httpd/conf.d/site.conf' and use that file

Code: Select all

<Directory /usr/share/phpMyAdmin/>
   order deny,allow
   deny from all
   allow from 127.0.0.1
   allow from 123.122.121.120
</Directory>


[Void Main]

Did you see the part about the "AllowOverride"? More info:

http://httpd.apache.org/docs/1.3/mod/co ... owoverride

As far as the virtual hosts I always give them their own documentroot directory and their own separate configuration.

[Basher52]

If you mean this, yes

Code: Select all

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
    AllowOverride AuthConfig


and how about the path in the .htaccess

Code: Select all

AuthName "Login to the Private Area"
AuthType Basic
AuthUserFile /usr/share/phpMyAdmin/.htpasswd
Require user admin


What should the AuthUserFile path be?
I know the path got to be correct, but in this case I have no clue what to write, is it the /var/www... or /usr/share...

As far as the virtual hosts I always give them their own documentroot directory and their own separate configuration.

And by this you mean that using a /etc/httpd/conf.d/xxx.conf is a virtual host?
and if it is, you don't have to config the httpd.conf to use this?

Code: Select all

#<VirtualHost 1.2.3.4:80>
#    ServerAdmin root@localhost
#    DocumentRoot /var/www/html/sitename
#    ServerName sitename.no-ip.com
#    ErrorLog logs/sitename.example.com-error_log
#    CustomLog logs/sitename.example.com-access_log common
#</VirtualHost>


[Void Main]

I never use htaccess for phpMyAdmin authentication but if that is what you want to do you have to have phpMyAdmin set to use "HTTP" for authentication in the phpmyadmin configuration file (the config residing in the phpmyadmin directory). I would put "AllowOverride All" inside the Directory section of the phpmyadmin apache configuration.

Regarding the separate issue of virtual hosts you can define them right in the httpd.conf or in their own config file but regardless which way you go the statements you use are identical. Just because you have a separate config file for a vhost doesn't mean the configuration statements are different or fewer. Here is the vhost documentation:

http://httpd.apache.org/docs/2.2/vhosts/

some examples:

http://httpd.apache.org/docs/2.2/vhosts/examples.html

[Basher52]

thx... I'll send you a toaster

[Basher52]

it's already set

Code: Select all

$cfg['Servers'][$i]['auth_type']     = 'http';    // Authentication method (config, http or cookie based)?


but I added the AllowOverride in phpMyAdmins' conf file and it started to ask the user/password for that.
First it asked the l/p for the Auth, then it asked the l/p for phpMyAdmin
but then it asked AGAIN for the Auth l/p and when I wrote that in, a phpMyAdmin page came up telling me that I wrote the incorrect l/p.

how come it asked me twice for the phpMyAdmin l/p?
I've tried this with all types of encryption even without encryption but with this one it seems I never wrote the correct l/p

[Void Main]

After thinking about it a little more it's doing the basic htaccess authentication itself and you don't need the .htaccess file at all (you still needed to configure the Apache Overrides though). So, for the HTTP method you would get rid of the .htaccess and use MySQL user/password information to log into phpMyAdmin.

If you really do want to use the .htaccess file and user/password instead you would actually set the phpMyAdmin authentication type to "Config" rather than "HTTP" and hard code the MySQL user/password in the phpMySQL config file (which creates security concerns):

http://blog.charlvn.za.net/2005/06/phpm ... ation.html
official documentation:
http://www.phpmyadmin.net/documentation ... tion_modes

I personally use "Cookie" authentication on my of my current phpMyAdmin installations but now that I think about it I have had a setup in the past using .htaccess. With "Cookie" (and "HTTP") auth methods you can access phpMyAdmin using any MySQL user not just root (or any single hard coded MySQL user) which is why I stopped using the .htaccess/Config auth method quite some time ago.

[Basher52]

some part of the url where you get into your account to create the order, I use https for those, well the system VirtueMart(for Joomla) requires that.

I have read, changed and rechecked everything and I think it should work, but I get these errors and they look like the other problem I had, cant remember what it was but I found it myself and you said that you never had that problem because you didn't install that program whatever it was.

There are some errors in the template but that I know already.
Can you help me out to remove that program so this starts to work?

Code: Select all

Mon Jan 26 19:39:46 2009] [error] [client 82.196.123.58] ModSecurity: Warning. Pattern match "^http/0.9$" at REQUEST_PROTOCOL. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "32"] [id "960019"] [msg "HTTP/0.9 Request Detected"] [severity "WARNING"] [hostname "racingaliens.no-ip.biz"] [uri "/"] [unique_id "SX4Dcn8AAAEAABS27lsAAAAE"]
[Mon Jan 26 19:39:46 2009] [error] [client 82.196.123.58] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "racingaliens.no-ip.biz"] [uri "/"] [unique_id "SX4Dcn8AAAEAABS27lsAAAAE"]
[Mon Jan 26 19:39:46 2009] [error] [client 82.196.123.58] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "racingaliens.no-ip.biz"] [uri "/"] [unique_id "SX4Dcn8AAAEAABS27lsAAAAE"]
[Mon Jan 26 19:39:46 2009] [error] [client 82.196.123.58] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "racingaliens.no-ip.biz"] [uri "/"] [unique_id "SX4Dcn8AAAEAABS27lsAAAAE"]
[Mon Jan 26 19:39:46 2009] [error] [client 82.196.123.58] ModSecurity: Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "racingaliens.no-ip.biz"] [uri "/"] [unique_id "SX4Dcn8AAAEAABS27lsAAAAE"]
[Mon Jan 26 19:39:46 2009] [error] [client 82.196.123.58] PHP Notice:  Undefined index:  HTTP_HOST in /var/www/html/tperacing/libraries/joomla/environment/uri.php on line 164
[Mon Jan 26 19:39:47 2009] [error] [client 82.196.123.58] PHP Notice:  Uninitialized string offset:  -1 in /var/www/html/tperacing/administrator/components/com_virtuemart/virtuemart.cfg.php on line 28
[Mon Jan 26 19:39:47 2009] [error] [client 82.196.123.58] ModSecurity: Warning. Pattern match "^http/0.9$" at REQUEST_PROTOCOL. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "32"] [id "960019"] [msg "HTTP/0.9 Request Detected"] [severity "WARNING"] [hostname "racingaliens.no-ip.biz"] [uri "/"] [unique_id "SX4Dc38AAAEAABS38X8AAAAF"]
[Mon Jan 26 19:39:47 2009] [error] [client 82.196.123.58] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "racingaliens.no-ip.biz"] [uri "/"] [unique_id "SX4Dc38AAAEAABS38X8AAAAF"]
[Mon Jan 26 19:39:47 2009] [error] [client 82.196.123.58] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "racingaliens.no-ip.biz"] [uri "/"] [unique_id "SX4Dc38AAAEAABS38X8AAAAF"]
[Mon Jan 26 19:39:47 2009] [error] [client 82.196.123.58] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "racingaliens.no-ip.biz"] [uri "/"] [unique_id "SX4Dc38AAAEAABS38X8AAAAF"]
[Mon Jan 26 19:39:47 2009] [error] [client 82.196.123.58] ModSecurity: Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "racingaliens.no-ip.biz"] [uri "/"] [unique_id "SX4Dc38AAAEAABS38X8AAAAF"]
[Mon Jan 26 19:39:47 2009] [error] [client 82.196.123.58] PHP Notice:  Undefined index:  HTTP_HOST in /var/www/html/tperacing/libraries/joomla/environment/uri.php on line 164
[Mon Jan 26 19:39:47 2009] [error] [client 82.196.123.58] PHP Notice:  Uninitialized string offset:  -1 in /var/www/html/tperacing/administrator/components/com_virtuemart/virtuemart.cfg.php on line 28


[Void Main]

What do you want to remove mod_security? If so you could just:

# yum remove mod_security

then restart httpd.

[Basher52]

hmm, but isn't mod_security used for the https?

[Void Main]

No, that's mod_ssl.

[Basher52]

oh, yeah
how dangerous is it to remove it?
and since it's creating errors and warnings is that a clue to that something is wrong in the webpage?