Monthly Archives: March 2011

.htaccess useful options

This post started as a reminder of the correct syntax for the .htaccess file, but it has grown to include a heap of .htaccess information, so it is worth pointing to the Apache official .htaccess tutorial pages first. As that tutorial says, only use .htaccess if you really need to (typically when you cannot edit the main server configuration) and otherwise put the directives in httpd.conf (apache2.conf or similar depending on your distro): Apache opens and parses every .htaccess file on the path to a requested file on every request, so moving the directives into the main configuration helps performance, and AllowOverride None stops the lookups altogether. That said, there are a number of things I use .htaccess for; here are some of them.

Edit: I have not read this yet, but it seems to contain a heap more detail: http://www.askapache.com/htaccess/htaccess.html

The following came from http://www.buildwebsite4u.com/advanced/htaccess-file.shtml:

Redirecting YourSite.com to www.YourSite.com
If search engines find both www and non-www links from other sites to your site, they may treat http://YourSite.com and http://www.YourSite.com as two different websites with the same content. This means that your site can be penalized for duplicate content. Many experts recommend setting up a 301 redirect (permanent redirect) from YourSite.com to www.YourSite.com…

The code for this would be:
[php]
# Redirect every request for the bare domain to the www host, keeping the path.
RewriteEngine On
# Match the bare host only: the dot is escaped and the end is anchored, so
# neither YourSiteXcom nor www.YourSite.com matches this condition.
RewriteCond %{HTTP_HOST} ^YourSite\.com$ [NC]
# In .htaccess the pattern sees the path relative to this directory; $1 carries
# it across and the query string is appended automatically.
RewriteRule ^(.*)$ http://www.YourSite.com/$1 [R=301,L]
[/php]

For this to work from a .htaccess file, mod_rewrite must be loaded and the directory must have AllowOverride FileInfo (or All) in httpd.conf; otherwise the RewriteEngine line produces the same kind of "Invalid command" or "not allowed here" errors described below.

My default SME Server uses Apache 2, and I found that in order to use .htaccess and htpasswd effectively I had to add / enable some modules in the /etc/httpd/conf/httpd.conf file.

Setting aside the fact that SME Server regenerates httpd.conf from templates, so the change has to go into the relevant template fragment rather than the file itself, the CentOS distro it is based on should behave much the same (I expect).

I enabled a number of auth-type modules to address a series of errors. In each case the errors were recorded in /var/log/httpd/error.log.

.htaccess: Invalid command ‘AuthUserFile’, perhaps misspelled or defined by a module not included in the server configuration

was fixed by enabling

LoadModule authn_file_module modules/mod_authn_file.so

While the error

configuration error: couldn’t check user. No user file?

needed the Basic Authentication module enabled in the LoadModule section of httpd.conf (note that the module name must be the exact structure name exported by the .so, i.e. auth_basic_module, or Apache refuses to start):

LoadModule auth_basic_module modules/mod_auth_basic.so

Note that Digest is loaded by default, but Digest provides little security above Basic: it keeps the password itself off the wire, but it rests on MD5 and protects nothing else in the session, so I am fine using Basic with SSL. The SSL is essential for Basic to be of any use, because Basic sends the username and password base64-encoded, which is effectively clear text, with every request. Read the Apache documentation on Basic v Digest, as I think it makes this clear.

…and another error

configuration error: couldn’t check access. No groups file?:

needed this module added, since it is the module that implements Require user and Require valid-user; without it nothing handles the Require line, and Apache reports that as a missing groups file.

LoadModule authz_user_module modules/mod_authz_user.so

At this point the browser prompted for a username and password and I could log in to the directory. However, there was still an error in the log which stated:

/.htaccess: order not allowed here

This was because I had not completed the AllowOverride construct in the httpd.conf file.

In my httpd.conf I have a <Directory> section for each virtual site / directory on the server, like this (the path is a placeholder):

<Directory "/path/to/site">
Options None
Options +Indexes
Options +Includes
AllowOverride None
Order deny,allow
Deny from all
Allow from all
</Directory>

in which 'AllowOverride None' makes Apache ignore .htaccess files in that directory entirely. Setting it to AllowOverride AuthConfig lets the .htaccess require a username/password, and AllowOverride Limit is also needed, otherwise the Order/Allow/Deny lines in the .htaccess trigger the "order not allowed here" error. Two caveats on the Options lines: +Indexes publishes a directory listing for any directory without an index file, and +Includes enables server-side includes complete with #exec, so use IncludesNOEXEC unless commands really need to run from SSI, and leave both off for a directory that only holds private files.

So to summarise the httpd.conf change, I added a specific <Directory> section for the directory I am securing with .htaccess/htpasswd, with the following (the path is a placeholder):

<Directory "/path/to/protected">
AllowOverride AuthConfig Limit
Order deny,allow
Deny from all
Allow from all
</Directory>

With Order deny,allow the Allow line is evaluated last and wins, so this block opens the directory to everyone at the host level; the username/password requirement comes entirely from the .htaccess it now permits.
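The pieces the errors above were leading up to, pulled together as an added worked example (this is not from the original post): the three LoadModule lines with the correct module names, the Directory block with the AllowOverride it needs, and the .htaccess that block enables. The directory path, password-file path, realm name and user name are placeholders. This is Apache 2.2 syntax as on the SME Server/CentOS box above; on Apache 2.4 the Order/Deny/Allow lines need mod_access_compat or become Require all granted, while the three auth modules are unchanged.

```apache
# --- httpd.conf (Apache 2.2 syntax) ---
# Module names must be the exact structure name exported by the .so,
# e.g. authn_file_module, not authn_file_mod.
LoadModule auth_basic_module  modules/mod_auth_basic.so
LoadModule authn_file_module  modules/mod_authn_file.so
LoadModule authz_user_module  modules/mod_authz_user.so

# Placeholder path: the document-root subdirectory being protected.
<Directory "/var/www/html/private">
    # No directory listings and no server-side includes in a private area.
    Options None
    # AuthConfig: allows AuthType/AuthName/AuthUserFile/Require in .htaccess.
    # Limit: allows Order/Allow/Deny in .htaccess (cures "order not allowed here").
    AllowOverride AuthConfig Limit
    # Under "Order deny,allow" the Allow line wins, so the directory is reachable
    # and access is then restricted only by the .htaccess authentication.
    Order deny,allow
    Deny from all
    Allow from all
</Directory>

# --- /var/www/html/private/.htaccess ---
# Basic auth sends the credentials base64-encoded, i.e. effectively in clear
# text, with every request, so refuse to serve this directory over plain HTTP
# (SSLRequireSSL needs mod_ssl loaded).
SSLRequireSSL
AuthType Basic
AuthName "Private area"
# Placeholder path: keep the password file outside the document root so it can
# never be served as a download. It must be readable by the Apache user only:
#   chown root:apache /etc/httpd/passwd/private.htpasswd
#   chmod 640         /etc/httpd/passwd/private.htpasswd
AuthUserFile /etc/httpd/passwd/private.htpasswd
# Handled by mod_authz_user; without that module Apache reports
# "couldn't check access. No groups file?".
Require valid-user

# Create the password file once (-c creates it; omit -c to add further users):
#   htpasswd -c /etc/httpd/passwd/private.htpasswd alice
```

After changing httpd.conf, check it with apachectl -t before restarting, and confirm the protection from outside with a plain http:// request (which should be refused by SSLRequireSSL) and an https:// request without credentials (which should return 401).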

oscMax as an alternative to osCommerce and CRE Loaded.

I downloaded oscMax 2.5beta3 today as I am experimenting with osCommerce & CRELoaded without the success I wanted. oscMax retains the appropriate open source policy that CRELoaded seems to lose within its own conflicting interest of selling the 'fully featured' version, while the original osCommerce still languishes behind Harald's dominance of the code and lengthy periods of apparent inactivity.

Why am I looking? Because I recently discovered that my old version of osCommerce had succumbed to hacking. I don't need to publish the details, but suffice to say that while I have cleaned up the mess, I am skittish about it happening again and I want to bolt it down as much as possible. To do so I want a current stable platform without needing to manually edit / install a small mountain of add-ons.

CRELoaded has been a great alternative over the years, but the above-mentioned conflict, as they try to make a saleable product alongside a cut-down version as a loss-leader, just does not work for me.

Enter oscMax. Yes, it has been around in various forms for a number of years, but I have only just tried it in its latest version.

Verdict? The case has only just started, but it’s osCommerce, pre-loaded with most of what I need, and fully open source. So at this stage I am working on a trial system and tweaking what I need to make it work.

oscMax Admin page reports configure.php as writeable when it is not

My first modification to oscMax while I test it for use on my store.

The admin screen on first login will advise if the includes/configure.php file is writeable. This message persists regardless of the permissions on the catalog's includes/configure.php, because that is not the file being tested.

The issue is that the check actually tests admin/includes/configure.php but reports the result with the error message written for the catalog configure.php, so the warning names a file that is not the one that is writeable.

One option is to rename the constant in admin/includes/languages/english/index.php at line 115, but since both the catalog and the admin file should be checked as a rule, I added a new constant for the admin file and altered the check so that it tests both files.

This will help new users setting up oscMax, since the admin screen is usually the starting point, and highlighting a permissions problem with the catalog file there as well is useful.

The required changes to support this are:

admin/includes/languages/english/index.php
modify the setting at line 115

[php]define('WARNING_CONFIG_FILE_WRITEABLE', 'Error: I am able to write to the catalog configuration file: ' . DIR_FS_CATALOG . 'includes/configure.php. This is a potential security risk - please set the right user permissions on this file.');[/php]
:: only change is to add the word ‘catalog’ in the text.

Then add a new constant setting at line 116
[php]define('WARNING_ADMIN_CONFIG_FILE_WRITEABLE', 'Error: I am able to write to the admin configuration file: ' . DIR_FS_ADMIN . 'includes/configure.php. This is a potential security risk - please set the right user permissions on this file.');[/php]
:: the main changes here highlight that its the admin configure file that is the issue.

Then update the system.php file that outputs the above messages:
:: the main changes are copying the existing config check so that it also tests the catalog configure.php, nesting dirname() to get the parent (catalog) directory of the admin directory, and changing the code comments to differentiate between the two checks.

admin/includes/modules/dashboard/system.php
At around line 117, modify the existing admin-file check to use the new constant above, and copy/modify that section of code so that it also checks the catalog file at the same time.

This should result in the admin home screen presenting two different warnings if either (or both) of the configure.php files are writeable. "Set the right user permissions" means making the file read-only for the user Apache runs as (for example chmod 444, or 644 with the file owned by a user other than the web server's), which is exactly what the writeability check tests.
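A version of the two-file check, written as an added example rather than oscMax's own system.php code. It assumes the osCommerce constants DIR_FS_CATALOG and DIR_FS_ADMIN (absolute paths ending in a slash) and the two language constants defined above; the stand-alone section at the bottom defines them only when the file is run directly, using a constructed catalog/admin layout in a temporary directory.

```php
<?php
// Added example, not oscMax's own code. Inside the dashboard module the four
// constants used below already exist; the stand-alone block at the bottom
// defines them only when this file is run directly from the command line.

// Return one warning string per configure.php that the PHP process can write
// to. $catalog_dir and $admin_dir are absolute paths ending in '/', like
// DIR_FS_CATALOG and DIR_FS_ADMIN in osCommerce.
function configure_file_warnings($catalog_dir, $admin_dir) {
    $warnings = array();
    $checks = array(
        // path to test => message to show if it is writeable
        $catalog_dir . 'includes/configure.php' => WARNING_CONFIG_FILE_WRITEABLE,
        $admin_dir   . 'includes/configure.php' => WARNING_ADMIN_CONFIG_FILE_WRITEABLE,
    );
    foreach ($checks as $path => $message) {
        // A missing file is a broken install, not a permissions problem: say so.
        if (!file_exists($path)) {
            $warnings[] = 'Error: configuration file not found: ' . $path;
            continue;
        }
        // is_writable() asks the question that matters: can the user the web
        // server runs as modify this file? It always answers yes for root.
        if (is_writable($path)) {
            $warnings[] = $message;
        }
    }
    return $warnings;
}

// Stand-alone dry run with a constructed layout in a temp directory: the
// catalog configure.php is left writeable (0644, owned by us) and the admin
// one is made read-only (0444).
if (!defined('DIR_FS_CATALOG')) {
    $base = rtrim(sys_get_temp_dir(), '/') . '/oscmax-demo-' . getmypid() . '/';
    mkdir($base . 'includes', 0755, true);
    mkdir($base . 'admin/includes', 0755, true);
    $catalog_cfg = $base . 'includes/configure.php';
    $admin_cfg   = $base . 'admin/includes/configure.php';
    file_put_contents($catalog_cfg, "<?php // catalog config\n");
    file_put_contents($admin_cfg,   "<?php // admin config\n");
    chmod($catalog_cfg, 0644);
    chmod($admin_cfg, 0444);

    define('DIR_FS_CATALOG', $base);
    define('DIR_FS_ADMIN', $base . 'admin/');
    define('WARNING_CONFIG_FILE_WRITEABLE',
        'Error: I am able to write to the catalog configuration file: ' . DIR_FS_CATALOG
        . 'includes/configure.php. This is a potential security risk - please set the right user permissions on this file.');
    define('WARNING_ADMIN_CONFIG_FILE_WRITEABLE',
        'Error: I am able to write to the admin configuration file: ' . DIR_FS_ADMIN
        . 'includes/configure.php. This is a potential security risk - please set the right user permissions on this file.');

    foreach (configure_file_warnings(DIR_FS_CATALOG, DIR_FS_ADMIN) as $warning) {
        echo $warning, "\n";
    }

    // Remove the constructed layout again.
    unlink($catalog_cfg);
    unlink($admin_cfg);
    rmdir($base . 'admin/includes');
    rmdir($base . 'admin');
    rmdir($base . 'includes');
    rmdir($base);
}
```

Inside the dashboard module, drop the stand-alone section and echo each returned string into the module's output where the single warning was printed. Run from the command line as an ordinary user, the dry run reports only the catalog file, because the admin copy was made read-only; run as root, is_writable() reports both files, which is one more reason never to run the shop's PHP as root.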

If you copy and paste from the above, paste it into an editor that checks syntax, as the blog formatting can turn the ' characters into curly quotes. The comments are also doing something funny and I had to edit them. I'll try to update this post with a working copy and paste at some stage.