Forum

Directory Access List

RaGe10940
10 February 2013, 15:40
Hiawatha version: 8.7
Operating System: Ubuntu 12.04 Desktop

Setting up CodeIgniter, and one of the big things they do is set up .htaccess files with Deny All so a client doesn't have access to browse a directory. My question for you is: how do I set it up with the .hiawatha file? I see in the main .conf file there is a Directory setting.

I have it set up like so:
Directory {
Path = /usr/local/var/www/CodeTest
AccessList = Deny All
}


I try to restart the server and I get an error on line 219 (the AccessList line).

Now I know Hiawatha by default does not follow symlinks, so I won't have to worry about people creating a symlink to the conf file for a possible exploit, but now I want to be able to control my website root directory so people won't be tempted to go snooping around.

As always, thank you, and I hope this is a simple fix (of my errors).

-RaGe
Hugo Leisink
10 February 2013, 21:35
Try 'deny all' instead of 'Deny all'.
RaGe10940
11 February 2013, 03:35
That's a face-palm moment. It works, but it works too well, as in it bans me now. Is there a way for it to not ban me from using the index.php page and the app itself? I don't want anyone to guess directories. But what this does now is just restrict everyone from even accessing the application.

To my understanding, using this configuration does the following:

1) Does not allow any one to go to www.example.com/plain-text-passwords.txt
> so if someone tries to go around checking for files in a directory they will not be allowed to do so.

But it is having the opposite effect, as in anyone who goes to www.example.com is getting a 403.

Is this correct?

I can, however, allow my IP, but then that would be counterproductive: if I allow an IP it will then serve to however many people are behind that IP, as this application will be used at a local college with 600+ IPs (easily) that will somehow be linked with the same IP. So in turn 600+ have access to the app and its directories.

-no?

Is there a way to filter via internal IP... (192.168.x.x)?
RaGe10940
11 February 2013, 03:50
Alright, I can allow/disallow via internal IPs:
VirtualHost {
Hostname = www.rixcodetest.com
WebsiteRoot = /usr/local/var/www/CodeTest
StartFile = index.php
AccessLogfile = /usr/local/var/log/CodeTest/access.log
ErrorLogfile = /usr/local/var/log/CodeTest/error.log
TimeForCGI = 20
UseFastCGI = PHP5
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes
EnablePathInfo = no
ShowIndex = no
UseToolKit = codeigniter
AccessList = deny all
}

and
Directory {
Path = /usr/local/var/www/CodeTest
AccessList = allow 192.168.1.4, deny all
}

This seems to work. I think what this is doing is, first off: deny everyone access to the virtual host, but then the directory is allowing access from my test bench only, based on its internal IP... but question: if the virtual host has AccessList = deny all, shouldn't that (in theory) not allow anyone to access the host name / virtual host?

is my logic "f"-ed up here?

Thanks for the reply Hugo,
-RaGe
Hugo Leisink
11 February 2013, 09:21
I've made the AccessList parameters case insensitive. Options set via Directory{} will overwrite (virtual) host settings. In your example, you could also have placed the AccessList option in the Directory block inside the VirtualHost block. It is shorter. And by the way, you were not banned, you were just denied access.
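The precedence rule Hugo states (a Directory{} AccessList overrides the VirtualHost one) and the working "allow 192.168.1.4, deny all" line above can be modelled in a few lines. The block below is an added example written for this page, not Hiawatha's own code; it assumes rules are evaluated left to right with the first matching rule winning, that "all" matches every address, that a Directory{} list replaces the host list wholesale, and that actions are case insensitive (Hiawatha 8.7 as used above rejected "Deny All", which Hugo fixed afterwards). Verify against your own Hiawatha version with a request from an allowed and from a denied address.

```python
"""Model of AccessList evaluation as discussed in this thread.

Added example, not Hiawatha's own implementation. Assumptions:
  - rules are checked in the order written; the first match decides,
  - 'all' matches every address, other entries are IP or IP/netmask,
  - a Directory{} AccessList fully replaces the VirtualHost AccessList,
  - no matching rule means the request is allowed.
"""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, Optional[ipaddress._BaseNetwork]]


def parse_access_list(value: str) -> List[Rule]:
    """'allow 192.168.1.4, deny all' -> [('allow', 192.168.1.4/32), ('deny', None)]"""
    rules: List[Rule] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        action, _, target = item.partition(" ")
        action = action.lower()           # assumed case insensitive (Hugo's later change)
        target = target.strip()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown AccessList action {action!r}")
        if target.lower() == "all":
            rules.append((action, None))  # None stands for 'all'
        else:
            # strict=False so '192.168.1.0/24' and '192.168.1.4' both parse
            rules.append((action, ipaddress.ip_network(target, strict=False)))
    return rules


def is_allowed(rules: List[Rule], client_ip: str) -> bool:
    """First matching rule wins; a rule with net None matches everything."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:
            return action == "allow"
    return True  # assumption: no match means allowed


def decide(vhost_list: str, directory_list: Optional[str], client_ip: str) -> bool:
    """Directory{} AccessList overrides the VirtualHost one (as stated in the thread)."""
    effective = directory_list if directory_list is not None else vhost_list
    return is_allowed(parse_access_list(effective), client_ip)


if __name__ == "__main__":
    # Constructed sample requests against the configuration posted above.
    vhost = "deny all"
    directory = "allow 192.168.1.4, deny all"
    for client in ("192.168.1.4", "192.168.1.5", "10.0.0.7"):
        print(client, "->", "allowed" if decide(vhost, directory, client) else "403")
    # Rule order matters under first-match: this variant denies everyone.
    print("deny-first ->", decide(vhost, "deny all, allow 192.168.1.4", "192.168.1.4"))
```

Two things the model makes visible: with "deny all" on the host and no Directory override, every client gets a 403, which is the behaviour reported above; and writing the deny rule first ("deny all, allow 192.168.1.4") denies the test bench too, so keep the specific allow rules ahead of the catch-all.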
RaGe10940
11 February 2013, 13:14
Alright. This is well written. Thanks Hugo, hopefully one day someone has the same issue as I do and then they can laugh at my questions.
Hugo Leisink
11 February 2013, 13:55
No problem. I don't mind these kind of questions. For me, it's an indication that the documentation should perhaps be more clear... assuming that you've read it of course.
RaGe10940
11 February 2013, 14:10
Oh, I have. I only ask questions when I break something, and in this case I broke something.
RaGe10940
16 February 2013, 19:20
Hi Hugo, sorry to revisit an old topic. All's well here with Hiawatha and CodeIgniter; however, I do have a question.

So I have set up my directories like so:
Directory {
Path = /usr/local/var/www/CodeTest
AccessList = allow 127.0.0.1, deny all
}

Directory {
Path = /usr/local/var/www/CodeTest/ci
AccessList = deny all
}

Directory {
Path = /usr/local/var/www/CodeTest/ci/system
AccessList = deny all
}

Directory {
Path = /usr/local/var/www/CodeTest/ci/application
AccessList = deny all
}

However, I am still able (I as in my IP = 127.0.0.1) to go snooping around the directory for pages that might exist. Now, at the moment it is not a problem. But come production this might be a problem, as someone can spoof their IP to one of the allowed ones (there are a total of around 500 hardwired computers on campus, so he or she will have to find the 13 allowed). But still, it COULD BE plausible, and I don't want to go to sleep at night with this on my chest.

How can I have it so that even I am banned from snooping around in the directory? If you take a look at my options:

I ban everyone (including myself) from /CodeTest/ci (the folder that holds application and system) and
ban everyone from system itself and everyone from application; however, I am still able to snoop around with the URL addresses.

I even went to each of my directories and put an index.html file in them which says "Access Denied", and then also put a .hiawatha file in with "AccessList = deny all".

Still to no avail. Is there a fix for this?
Hugo Leisink
16 February 2013, 20:21
First, note that spoofing an IP address is not easy. You cannot spoof someone's internet IP address for making real TCP connections. However, for LAN IP addresses this might very well be possible. How easy it is for a campus depends on how IP addresses are assigned and how well the subnets are separated and protected against spoofing. If you want to be sure about authorization, use HTTPS and HTTP authentication.

All the problems that come with people browsing directories are one of the reasons I made my own secure PHP framework. Already taken a look at that? It's a much better secured framework. All the lessons learned from my work as an ICT security auditor have been put in that framework. I even dare to say that there is no PHP framework that is more secure.
RaGe10940
16 February 2013, 20:45
Man, you put all your word towards that framework. It sucks that I am pressed for time and I had to use something I am fairly familiar with. This project is due in 2 weeks and I won't have time to learn Banshee and write up the code needed for the application to work. I quite frankly don't even know how Banshee operates, to be honest with you. I saw the folders (MVC) but then I also see the CMS, which confuses the heck out of me. Is Banshee a CMS + framework fusion?
Hugo Leisink
16 February 2013, 20:49
Banshee should best be seen as a framework (using it to build a website requires coding, not only clicking), but it has basic CMS functionality. The framework is public/index.php and the files in libraries. The CMS is all files in controllers/admin, models/admin and views/admin. The rest of the files in the MVC directories is ready to use functionality like a forum, weblog, guestbook, etc. But, if you need something to be ready in two weeks, you indeed better stick to something you already know.
RaGe10940
16 February 2013, 21:47
I'm going to look more into it. Do you have any examples of sites using this framework? As I'm more into application development. I'm using CodeIgniter for a CRUD app that tracks students. Looking at the CMS part of Banshee, I see it as a purely website development platform. Correct me if otherwise.
Hugo Leisink
16 February 2013, 21:52
I don't know what you mean by 'development platform'. In my opinion, the CMS is ready to use. It's good. The other MVC files should be seen as good starters to write functionality. The weblog, the forum, the guestbook, they all work fine. But they probably need adjustments to suit your need.

Examples of websites made with Banshee: http://www.security.nl/, http://www.reki.nl/, http://www.hiawatha-webserver.org/, http://foto.leisink.net/, http://www.blikvanger.net/
RaGe10940
17 February 2013, 04:00
Sorry for the vague terms. What I mean is, I see Banshee as a website creator for public forums, bulletin boards, blogs, photos, and the like. I don't see it as something I can use for development of an intranet. (This is with VERY BASIC Banshee understanding, btw.)

Also, you should add those example sites to the Banshee website.
Hugo Leisink
17 February 2013, 07:49
That's not true. I've used Banshee to create several administration webapplications for my work. Just use the 'remove_module' script to remove all modules and what's left is the framework you can use to create any kind of website or application you want.
RaGe10940
17 February 2013, 13:51
Ah, alright. I'm almost done with the current project; once I complete it I am going to be building a website/portfolio/blog/photo gallery. I look deeply into XSLT; to my understanding it's got some XML-like structure (in the way it looks). I'm sure it's not rocket science. Thanks Hugo!
Hugo Leisink
17 February 2013, 20:57
Add ?output=xml to any Banshee-based website and you'll see the XML that was used with the XSLT sheet to render the HTML output. XSLT is really easy.
This topic has been closed.