Problem setting up - .htaccess / Indexes - admin looks weird


hughm


OK so I've got OSCommerce up and running and I'm really happy with it. One problemette is that the security check is telling me to disable indexing on a particular folder for security reasons. What I do is:


  • modify /etc/apache2/apache2.conf for /var/www, setting "AllowOverrides" to "Indexes"
  • change $oscommerceroot/admin/.htaccess to include "Options -Indexes"
  • restart Apache.

The shopfront then lacks any images, and admin isn't accessible at all: "The server encountered an internal error or misconfiguration and was unable to complete your request."


Any ideas very gratefully received.


Best wishes


Hugh



Normally, Options -Indexes should be enough to stop indexing. Note that many hosts these days forbid Options on security grounds, but it sounds like you have full control over the server. I'm not familiar with the AllowOverrides, or when it might be needed (I suspect that it enables your using Options in .htaccess). You might check if Options rather than Indexes is the parameter to use.

 

Do the images work, and is admin accessible, after you back out your changes? Or could other changes be affecting you? Do you have hotlink protection enabled on your images? If so, were you careful to whitelist your site? Do you have any .htaccess entries affecting your admin directory, such as password protection? Maybe your password protection is incorrectly specified for your particular server -- do you have any sort of control panel that does that for you (cPanel, etc.) or are you totally on your own? Anyway, comment out everything, then add things back in one at a time to see what is causing the problem.


Thanks Phil.

 

Yes, if I comment out the entry in the .htaccess file, and change the global server options back to "AllowOverrides None," it works again.  Very strange.  It's a bit of a problem as I love oscommerce but I can't really go live with it telling me "security risk" in red!  

 

I don't have hotlink protection on images, I didn't know that was a thing.

 

There is no password protection on the admin directory (I was going to add that once I solve this problem).

 

I thought about installing webmin, but I'm a bit loath to do so as the server can see the Internet and I don't want anyone taking over the webmin.

 

Maybe I will have to pony up for the paid support.  I'm trying to start the business on a very limited budget so it would be great to avoid that if poss.  I would of course look to contribute to the community further down the line.

 

Thanks again for your thoughts.

 

Hugh


AFAIK, customers won't see the "security risk" warning. You might try it as a random customer. If only you see it, you can ignore it while you figure out what's going on. Note that you can always put an empty index.html file in that directory to prevent indexing, even if that doesn't shut up the warning.

 

Hotlink protection is a section of .htaccess:

  RewriteCond  NOT coming from these host(s) [you, and trusted other sites], and
               IS various graphics format file extensions
  RewriteRule  KILL the attempt to access

That's the most common reason for being unable to access images, if your own site is not listed in the whitelist. If you have an .htaccess in the images directory(ies) that is invalid, that could also prevent access.

 

If you are trying to manage a full server yourself, but have no experience in the area, I'm afraid you may be in for some tough sledding. You should have started with a shared server, managed by someone experienced, and only after you outgrow it go to VPS/cloud or dedicated.

 

AllowOverride None is telling the server to ignore your .htaccess file(s) (I just looked it up). http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride suggests to me (I haven't tried it) that you want AllowOverride Options, not Index. Give it a try if you haven't already.

 

Image display and admin access shouldn't have anything to do with each other, so it's a puzzle, unless you have multiple problems with your configuration and/or .htaccess file(s). The "internal error" (500 code) message can mean a lot of things, including invalid commands in .htaccess (e.g., Options -Indexes when you haven't properly permitted Options).

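The override mismatch discussed in the thread, written out as an added example that is not part of the original posts. /var/www and the admin .htaccess line come from the first post; the path /var/www/catalog/admin is an assumed stand-in for $oscommerceroot/admin.

```apache
# --- /etc/apache2/apache2.conf: the setting described in the first post ---
# "Indexes" is the override class for directory-indexing directives
# (IndexOptions, DirectoryIndex, AddIcon, ...). It does not permit the
# Options directive, so "Options -Indexes" in a .htaccess under /var/www
# is rejected and requests into that directory return 500. The error log
# entry reads: ".htaccess: Options not allowed here".
# Any other .htaccess under /var/www that uses a directive outside the
# Indexes class fails the same way once overrides are no longer "None".
<Directory /var/www>
    AllowOverride Indexes
</Directory>

# --- corrected: allow Options in .htaccess, limited to the Indexes option ---
# Other .htaccess directives still need their own class added here,
# for example AuthConfig for password protection.
<Directory /var/www>
    AllowOverride Options=Indexes
</Directory>

# --- $oscommerceroot/admin/.htaccess: the line from the first post ---
Options -Indexes

# --- alternative: set it in the server config instead of .htaccess ---
# Path is an assumption. With this block in place, remove the Options line
# from admin/.htaccess unless AllowOverride also permits it.
<Directory /var/www/catalog/admin>
    Options -Indexes
</Directory>
```

After restarting Apache, a 500 response together with a "not allowed here" line in the error log identifies which directive in which .htaccess still lacks a matching AllowOverride class.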

Archived

This topic is now archived and is closed to further replies.
