d-woo, posted December 28, 2002

Hi all... I did a search for admin security and variants thereof with no results... I have configured the snapshot from 12-26-02 with no problems on my box... Wondering if it's possible (on Unix server) to have the admin directory above the webroot for security... I'm aware that I can password protect it... but it would feel a lot better to have it out of reach... If anyone has done this successfully please let me know... thanks!

jficarra, posted December 29, 2002

I haven't done it with OSCommerce, but under Apache you can do this with an Alias directive in the httpd.conf. Look in the Apache documentation on how to create aliases. You'll then need to correctly configure under ?/admin/includes/configure.php. I don't see any reason why this shouldn't work.

Guest, posted December 29, 2002

Since the Admin installation is used from your Web browser, then you cannot have it outside the web-root. You can however use SSL along with .htaccess to secure your admin control panel. With .htaccess, you can restrict access by username and password and if you have a static IP even by IP address to make it more secure.

jficarra, posted December 29, 2002

Wayne,

Why would the admin installation from the web browser cause a problem? In the install, you specify the physical path and virtual path (relative to the document root). As long as it's made accessible from Apache via an Alias, I don't see why this will not work. If there are problems with it due to the nature of the install, there should be no reason why you couldn't move the admin folder outside the document root after the standard install and manually make changes to configure.php to point to proper locations.

Again, I have not tried it... perhaps I will try it later on this evening on my Linux box.

-Jim

jficarra, posted December 29, 2002

I stand partially corrected. :oops:

I did a test install under Win2K and tried to specify the admin outside of the document root. It did not work since the install specifies that the admin is under the doc root. However, after installing with the admin under the doc root, I was able to move the admin folder to an IIS Virtual Directory (for all intents and purposes, the equivalent of an Apache alias). After changing the DIR_FS_ADMIN parameter (the physical path to the admin directory) in the /includes/configure.php, it worked just fine. I added a product and it showed up in the catalog.

If I have time later tonight, I will try this with Apache on my Redhat box... I have a Blade 2 on Pay Per View coming on in a few minutes and I won't have time now. :)

jficarra, posted December 29, 2002

Ok, I just tried this on Redhat and it works just fine. As I said earlier, the trick is to install it in a standard fashion so that both the catalog and the admin directories are underneath your document root. Here's what you do after a successful installation:

1) Move the /admin directory and its contents, including permissions, to the destination of your choice.
2) Modify the DIR_FS_ADMIN parameter in the *newly moved* /admin/includes/configure.php to point to the new physical location.
3) Add an Alias to httpd.conf to reference the "out of doc root" directory with a virtual /admin path. Save httpd.conf.
4) Restart Apache.

You're in business. Good luck.

-Jim

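The Alias from step 3, combined with the SSL, password and static-IP restrictions suggested earlier in the thread, as an httpd.conf fragment. This is an added example, not configuration posted by anyone in the thread; it assumes Apache 2.4 syntax (older releases use Order/Allow/Deny instead of Require) with mod_ssl loaded, and the paths, realm name and 203.0.113.10 address are placeholders.

```apache
# Added example. Placeholders: /srv/osc-admin, the htpasswd path,
# the realm name and the 203.0.113.10 client address.

# Step 3 of the procedure: serve the relocated directory as /admin.
# DIR_FS_ADMIN in the moved configure.php must name the same path.
Alias /admin /srv/osc-admin

<Directory "/srv/osc-admin">
    # Moving the files off the document root changes where they live on
    # disk, not who can request them: the alias is served like any other
    # URL, so the access rules are stated here.

    # Ignore .htaccess files so the rules below cannot be overridden
    # by a file dropped into the admin tree.
    AllowOverride None
    Options -Indexes

    # Basic auth sends the password with every request; refuse plain HTTP.
    SSLRequireSSL

    AuthType Basic
    AuthName "Store administration"
    # Keep the password file outside every served directory.
    AuthUserFile "/etc/apache2/osc-admin.htpasswd"

    # Both conditions must hold: a valid login AND the admin's static IP.
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.10
    </RequireAll>
</Directory>
```

Running `apachectl configtest` before the restart in step 4 catches syntax errors in the fragment.
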
d-woo, posted December 29, 2002

Thanks Jim....

Blade

Guest, posted December 29, 2002

> Wayne,
>
> Why would the admin installation from the web browser cause a problem? In the install, you specify the physical path and virtual path (relative to the document root). As long as it's made accessible from Apache via an Alias, I don't see why this will not work. If there are problems with it due to the nature of the install, there should be no reason why you couldn't move the admin folder outside the document root after the standard install and manually make changes to configure.php to point to proper locations.
>
> Again, I have not tried it... perhaps I will try it later on this evening on my Linux box.
>
> -Jim

If you have an alias or virtual directory accessible from the web through a web browser, it becomes part of the document tree. Irregardless of the location, it will fall under the document root for the web browser. When using terminology as mentioned in the first post, it makes the documents inaccessible from the web via a web browsing user agent.

jficarra, posted December 29, 2002

Ahh... I think I misunderstood what you were originally saying, Wayne. My apologies. I assumed all D-Woo wanted was to have the physical location outside of the doc root, which can be done, and that he knew it would still need to be served from the web server. I'll leave that for him to clarify if he wishes.

As a possible alternative solution (again, I haven't tried with OSC): Perhaps the admin pages could be served by a virtual Apache server on a different port or even different IP address and port combination depending on your control of that machine. This would significantly separate the admin from the catalog. Again, depending on your control of the machine, for further security you could set up ipchains or iptables and restrict access to the admin pages on the other port for your IP address (more difficult to do if you have a dynamically assigned address from your remote admin machine).

This gets fairly involved and may be overkill for what you want, D-woo, but it can be done.

-Jim

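The separate-virtual-server alternative described above, as an httpd.conf fragment. This is an added example, not configuration from the thread; it assumes Apache 2.4 with mod_ssl, and the 192.0.2.20:8443 socket, host name, paths and the 203.0.113.10 client address are placeholders.

```apache
# Added example. Placeholders: 192.0.2.20:8443, admin.example.test,
# the certificate paths, /srv/osc-admin-site and 203.0.113.10.

# Dedicated socket for the admin pages. The protocol argument is needed
# because https is only the default on port 443.
Listen 192.0.2.20:8443 https

<VirtualHost 192.0.2.20:8443>
    ServerName admin.example.test

    # This tree holds only the admin/ directory, so the catalog host has
    # nothing under /admin to serve and the admin host has no catalog.
    DocumentRoot "/srv/osc-admin-site"

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/admin.example.test.pem"
    SSLCertificateKeyFile "/etc/ssl/private/admin.example.test.key"

    <Directory "/srv/osc-admin-site">
        AllowOverride None
        Options -Indexes
        # Only the administrator's static address is served. A packet
        # filter rule on the same port enforces this before Apache is
        # reached at all.
        Require ip 203.0.113.10
    </Directory>
</VirtualHost>
```
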
This topic is now archived and is closed to further replies.