gerardpacete Posted April 8, 2015

Hi everyone, sorry I'm a newbie here. I want to know how to get rid of the "Additional Protection With htaccess/htpasswd" warning on the admin panel under Configuration >> Administrators. I am using nginx, not Apache, and thus .htaccess is not functioning. Attached is the photo. It's not a major problem actually, but just a bit disturbing. osCommerce is running very well on my own server. Thumbs up guys and thanks!

LEMP Server Platform User/Administrator

MrPhil Posted April 8, 2015

First, you should be using your hosting control panel's option to password protect the admin directory (and its children), if such a service is offered. It has the best odds of working properly for you, on your particular server platform. Only if no such protection is offered, should you try to use what is shipped with osC (which may require considerable rewriting, if you are not on an Apache server).

Second, /admin/administrators.php contains the code which gives you the warning. It attempts to read the DIR_FS_ADMIN/.htpasswd_oscommerce file, and if it does not exist, or does not contain certain information, it will give an error message. If you know for a fact that your admin is secured by other means, and need to eliminate the spurious error message, you could disable the check. Depending on your version, you might comment out most of the checks:

```php
#  if (is_array($htpasswd_array)) {
#    if (empty($htpasswd_array)) {
#      $secMessageStack->add(sprintf(HTPASSWD_INFO, implode('<br />', $authuserfile_array)), 'error');
#    } else {
      $secMessageStack->add(HTPASSWD_SECURED, 'success');
#    }
#  } else if (!$is_iis) {
#    $secMessageStack->add(HTPASSWD_PERMISSIONS, 'error');
#  }
```

It's possible that other operations, such as updating (rewriting) the password file, may need to be disabled, but we'll cross that bridge when we come to it.

gerardpacete Posted April 12, 2015

@MrPhil Thanks, I will try your suggestions. I am running my own server and I can customize it the way I need it. As far as security issues are concerned, there will be no problem if I disable those security checks, right? I already tried to delete the .htaccess last time since my server does not actually impose its rules, and I get those errors that you mentioned. It's just that I cannot keep myself disturbed seeing those red and warning lines B)

And I post here because maybe others have alternative ways instead of using .htaccess as secondary level protection. I am not that expert in server supercomputers yet and still in the process of learning, especially security layers. And all this open source community teaches me a lot. Thanks again and looking forward to contributing in this community soon.

MrPhil Posted April 12, 2015

If you are running your own server to save money, you are very likely to be hacked. About 90% of running a server is keeping on top of the latest attacks and how to secure your system. From the questions you're asking, you don't sound very experienced on the security aspects of running a server exposed to the public. Good luck.

I don't think there's any harm in turning off the warning about password protection, provided that you are actually implementing some equivalent security measures. It's just there to remind you that your store is not as secure as it could be. It's not going to disable your store if it finds that you have no password protection.

gerardpacete Posted April 28, 2015

> If you are running your own server to save money, you are very likely to be hacked. About 90% of running a server is keeping on top of the latest attacks and how to secure your system. From the questions you're asking, you don't sound very experienced on the security aspects of running a server exposed to the public. Good luck.
>
> I don't think there's any harm in turning off the warning about password protection, provided that you are actually implementing some equivalent security measures. It's just there to remind you that your store is not as secure as it could be. It's not going to disable your store if it finds that you have no password protection.

Thanks! I just removed all those red warning lines since htaccess is not valid on my server as well. :) But if you can advise further security measures for the store in NGINX that work like Apache htaccess, it will be much appreciated :) I am aware of security measures for server-side computing (although not so experienced yet) on the NGINX platform though. And sometimes, I personally let attackers hack my system so I can be more wary of their ways and methods. :- For now, I will mark this thread solved as my question in full-details. Cheers bro! :beers: :)

oscMarket Posted April 28, 2015

Just as a side note/warning: it is almost impossible to run osC (safe) on nginx, as it also relies on htaccess for the includes folder, the images folder, the downloads folder, etc. So besides just your question for the admin... be aware that these folders are also accessible.

gerardpacete Posted April 28, 2015

> Just as a side note/warning: it is almost impossible to run osC (safe) on nginx, as it also relies on htaccess for the includes folder, the images folder, the downloads folder, etc. So besides just your question for the admin... be aware that these folders are also accessible.

I appreciate your concern, Sir, but actually I'm running osC on NGINX without any issues yet. I also secured the directories using NGINX HTTP authentication. As I checked on the internet, it is actually the same as Apache .htaccess or .htpasswd security protection. :) Thanks and regards to all!!! :)

gerardpacete Posted April 28, 2015

For update: I already know how to set the NGINX HTTP authentication to work just the way osC needs it to. Now I changed back all the changes I made on administrator.php to check everything including the security feature, and no more red warning signs :) Thanks for your help guys and thanks for the security advice. That made me really think how to cope with osC suggested security features :sweating: Cheers! :beers:
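
The thread does not include the nginx configuration that was used, so the following is an added example, not from the original posts and not osCommerce's own: one way to put HTTP Basic authentication on the admin directory and to cover the folders that rely on .htaccess under Apache. Host name, install path, certificate paths and the PHP-FPM socket are assumptions; the folder rules are an assumed policy, and the thread does not confirm that the check in /admin/administrators.php accepts this exact setup.

```nginx
# Added example. Host name, paths and the PHP-FPM socket are assumptions.
server {
    listen 443 ssl;                        # Basic auth sends the password on every request
    server_name shop.example.com;          # placeholder
    root /var/www/oscommerce/catalog;      # assumed install path
    index index.php;
    ssl_certificate     /etc/nginx/tls/shop.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/shop.example.com.key;   # placeholder

    # nginx never reads .htaccess, and it serves .ht* files like any other
    # static file unless a rule forbids it.
    location ~ /\.ht { deny all; }

    # "^~" stops nginx from handing /admin/*.php to the generic regex
    # PHP location further down, which would skip the password prompt.
    location ^~ /admin/ {
        auth_basic           "osCommerce admin";
        auth_basic_user_file /var/www/oscommerce/catalog/admin/.htpasswd_oscommerce;

        # The top-level .ht rule is not consulted inside a "^~" location.
        location ~ /\.ht { deny all; }

        # Nested locations inherit auth_basic from the block above.
        location ~ \.php$ {
            include       fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass  unix:/run/php/php-fpm.sock;   # assumed socket
        }
    }

    # Folder names as given in the thread; the rules are an assumed policy,
    # to be compared with the .htaccess file shipped in each folder.
    location ^~ /includes/  { deny all; }
    location ^~ /downloads/ { deny all; }
    location ^~ /images/ {
        location ~ \.php$ { deny all; }    # serve images, never run scripts
    }

    # Everything else in the storefront.
    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;       # assumed socket
    }
}
```

Check the file with `nginx -t` before reloading, then confirm that a request to the admin directory without credentials is answered with 401.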

oscMarket Posted April 28, 2015

If you post your solution here: http://www.oscommerce.com/forums/forum/12-tips-and-tricks/ it could be useful for others. ;)

gerardpacete Posted April 28, 2015

> If you post your solution here: http://www.oscommerce.com/forums/forum/12-tips-and-tricks/ it could be useful for others. ;)

OK man, no problem! o:) :thumbsup:

Archived
This topic is now archived and is closed to further replies.