I'm trying to create an UnderConstruction page for my new site.
I would like to retain all the core files (files that are part of the site) without modification while I try to implement this. This includes leaving the index.php intact.
Currently, I have an .htaccess setup to authenticate on any access to the site.
I want to redirect any user accessing any page (at least the index.php) to an UnderConstruction page and then leave a link there which my dev team could use to authenticate themselves and continue using the site as usual.
But in order to leave the core files intact, I would have to initiate the htaccess type authentication & then in index.php (assuming that index.php is excluded from the cuth) check the auth status.
I tried to play around with $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] but these (as I understand) requires me to manually implement the authentication scheme (ie checking against a list of username & passwords).
I'm working on an apache with php5 on a linux server.
Any ideas?
You should just mirror the dev version of the site to a subdomain like dev.mysite.com and then keep the under construction stuff on the main domain. This way you can secure the dev domain and still keep your under construction page going and the two will be isolated.
put this on htacces for each file u wanna lock
Redirect /file.extension http://www.uroot.com/index.php
Related
Been searching for an answer to this but read some conflicting reports.
I have a asp.net website with forms authentication setup and I'm adding some php pages to a subfolder within the site. I want these pages to follow the same authentication as the rest of the site, ie be bounced to my asp.net login form if not logged in.
Currently if I access a file http://localhost/test/test.php it is serving it even if I'm not logged in. However if I just browse to the folder http://localhost/test/ it does bounce me to login page. Guess I need to force these PHP pages through the asp pipeline but is this possible in classic mode / iis6?
I seem to have got this working by doing the following:
Convert folder containing my app into an application in iis 6 manager
Click Configuration in the Directory tab of the properties dialog for the above folder and define a wildcard mapping pointing to c:\windows\microsoft.net\framework\v4.0.30319\aspnet_isapi.dll
Our site is powered by Wordpress and I'm using a plugin which allows users to upload files. We have reasonable security in place to prevent malicious files from getting loaded to the server by users, but those files are then directly accessible to the public. For example, anyone can directly access any of those files like so:
http://www.website.com/path/to/files/file_1.pdf
http://www.website.com/path/to/files/file_2.pdf
http://www.website.com/path/to/files/file_3.docx
This is a security/privacy problem because those files could contain personal data that should not be available to anyone.
I know I can block access to the entire directory using .htaccess but then the plugin will stop working. Instead, I think I need to use .htaccess to redirect those requests to a script which checks if the current user is authorized to view them. The tricky part is that direct requests to those files bypass the Wordpress app, so none of the core functions (like is_user_logged_in()) are available if I redirect to some intermediary page.
It seems like I either need to write a script to check for the Wordpress authorization cookies manually (which sounds like a huge hassle) or somehow loop in Wordpress.
Any suggestions for an elegant way to add this security layer without breaking the plugin?
I have a multi-tenant SaaS platform and a customer wants to customize the look and feel of the login page and the dashboard page. I was able to successfully customize the dashboard page by storing the name of the CSS file to use in the ACCOUNTS table of my database. This works because I know which account to get from the database once they log in. However, I do not have this capability for the login page.
Is it possible to customize which CSS file or login page to use based on the DNS? For example, customerabc.server.com gets the generic login page. customerxyz.server.com gets their custom login page.
I am using Apache and PHP. Thanks.
Yes just configure an apache subdomain to the same docroot and react in your application on the different domains.
I was able to do this using apache vhosts. The ServerName property needs to match the root URL/URI and to ensure that all includes are being set properly, You have to have a copy of the php.ini file in the root directory so that you can make changes to the include_path here and not affect other install instances elsewhere.
I am on the way of building a SaaS application using Zend Framework on PHP. Here is the basic information of the project. Its Project Management System on SaaS model. When the user registered on the site, they will get a domain name like the format:
user_name.pms.com
user_name - The chosen User Name when the user registered on the Project Management System (pms)
pms.com - is the main SaaS Server.
Currently we provide the Sub Domain on our Server. And for big firms, it won't look good and they may prefer to get their own domain instead of this default one. So there may be:
user_name.pms.com [Always Present]
user1.com [ The custom or independent domain of the User ] This custom domain needs to link into the default user url.
The full website is planning to develop using Zend Framework.
On Zend Framework, we are having following HTAccess on the root folder for its working and is below:
SetEnv APPLICATION_ENV development
RewriteEngine On
RewriteRule .* index.php
Here are my questions:
Do I really need to create Sub Domain like profile url for all users once they registered on the site ?
If it need to create Sub Domains, can PHP check whether the chosen sub domains exists or not and can create Sub Domains from the Script itself ?
If there is no need to Sub Domain, can we achieve the same goal using HTAccess in Zend Installation ?
Can you provide the HT Access code which does the following:
"user_name1.pms.com" need to redirect to "pms.com"
"user_name1.pms.com/contact" need to redirect to "pms.com/contact"
ie any request on the Sub Domain like URL must redirect to main website with the format: pms.com followed by Query String.
Very Important:
Important 1:
When I said the redirect to main website, I need to keep the sub domain like URL on the address bar but the request will be served by main website.
ie "user_name1.pms/contact" is going to be served from pms.com/contact but on address bar we still see the url "user_name1.pms/contact"
Important 2:
Whenever we uses the HTAccess to redirect the request to main Zend Server, can I identify the actual url entered on the address bar ie "site1.pms or site1.com" ?
Another Question of Custom Domain Redirection:
The custom domain name like "site1.com" or "site2.com" need to redirect to either:
Option (a): "pms.com"
Option (b): "site1.pms.com
to serve the request. Here also, I need to keep the url on address bar same like the one user entered.
Which above option is better (a) or (b) ?
Which technology does this work, domain mapping or CName ? Or Any other technology for make this working.
There are several ways to get you at least near to what you want... but to get all of the way there, you're going to need to get a little more depth.
First of all, your questions:
You may need to actually set up a whole virtual host for each user, if you intend for them to be able to interact with your site through their own domain. If you just want them to have their domain redirect to yours that can be done at their registrar (and if they can successfully use masking, which I've always found problematic, it may work completely without doing this. If you ignore the custom domain requirement, then you can manage subdomains completely through mod_rewrite without having to actually set them up.
Probably the best architecture for your site is to proactively set up whatever needs to be set up the moment that the user signs up. Don't try to do it "just in time" when the user first tries to access it, and therefore it's just as simple as displaying an error when someone, say, types in usre.pms.com rather than user.pms.com.
You can use htaccess, or the config file for your site (which is better for performance, but just strictly for "getting done" purposes, htaccess will work fine).
Google
Very Important Point #1: this is how mod_rewrite works. No worries.
Very Important Point #2: yes, so long as you include that information to be passed along in your mod_rewrite rule
Your Last Question of Custom Domain Redirection:
This is where things get complicated. You can't serve site1.com from pms.com without apache being fully aware that it's looking for site1.com (unless you get forwarding with masking to work without issue at the registrar). Generally speaking, if you're using forwarding of some sort, then you'll want them to forward to the subdomain, and all will be good completely through mod_rewrite. If they are directing the domain straight at your server, a CNAME record is probably the right choice, directing to the subdomain, but you'll still have to learn about virtual hosts and how to properly set it up to get everything to work.
I think you may be signing on for more than you realize by letting your clients have their own custom domain. You can learn how to do what you want with subdomains probably in an afternoon or a couple days tops. Figuring all of the ins and outs to working with custom domain names could take a lot longer.
The sub domains can be handled using some technique in CPanel. To add vurtual sub domains from CPanel, do the steps:
Select "CPanel - Sub Domains"
Enter star and choose your domain name
Choose the directory to which you need to redirect
And handle the redirection from your page.
To develop a SaaS application using Zend, check the tutorial SaaS application development using PHP in Zend Framework
Background
I'm looking for a transparent, PHP-driven authentication layer for a web site.
I'm aware of the following simple approaches:
HTTP Authentication
Mechanics:
Apache controls access rights;
Attempts to access any file in a given directory transparently require HTTP auth if not already authed.
Downsides:
Limited configuration options;
Difficult to integrate with existing user database;
No control over visual presentation of login prompt.
PHP-based login
Mechanics:
PHP controls access rights;
Attempts to access any file explicitly built for the system if not already authed will result in redirection to a login page.
Downsides:
If I forget to write the required include "login_required.inc.php"; or similar at the top of any PHP file, that file will be accessible by anybody.
What I want
I'd like to implement the PHP-based login solution, but to somehow configure Apache to invoke login_required.inc.php (or similar) transparently as an intermediate step when any PHP file is requested.
This script will:
run;
check session variables;
tell Apache either "yes, produce the requested page" or "no, redirect to the login page";
not require code to be inserted at the top of every PHP script that requires authentication.
Is this a pipe dream? Or can I do it? And if so, how?
If you rewrite all php requests through index.php, index.php/php would then control access to anything.
RewriteRule ^(.*)$ /index.php?pageid=$1 [QSA,L]
Something like that will push any request to index.php, in which you can do your authentication and then it will farm out the content...
The QSA in this will retain any query string parameters etc.
I think you should restructure you website to use a Front Controller. There's a reason that pretty much every framework uses the FrontController pattern: single point of access makes your app simpler.
One possibility is to use .htaccess ModRewrite to redirect all requests to, say, login_required.php?redirect=<ORIGINALLY-REQUESTED-SCRIPT>.
login_required.php can then perform its magic and do one of the following:
Present a login form
include <ORIGINALLY-REQUESTED-SCRIPT>.
Note that a header("Location: <ORIGINALLY-REQUESTED-SCRIPT>)"; will, I believe, merely fall foul of the .htaccess again and cause an infinite redirect loop! Setting the .htaccess ModRewrite directive to only conditionally redirect based on the value of HTTP_REFERER is not secure enough.
This is not the preferred solution, but it's a possibility...
Another possibility:
Have only a single entry-point. Just one file that's accessible from the outside world, like index.php?target=<REQUESTED-SCRIPT>. This one file can contain the authentication logic and include the required script.
All other files would be blocked from external access by .htaccess, or simple file permissions.
This is a good solution, but it would be a large change to update all URLs throughout the existing system.
Edit Apparently this is called the "Front Controller" pattern.