I'm using phpfastcache with files strategy. I'm caching sql queries.
As I see phpfastcache creates folders with subdomain name (ex. www.domain.pl).
I have admin panel in admin.domain.pl which calls api.domain.pl.
Problem is that when I, for example, want to clear cache from admin panel it clears api.domain.pl directory - not www.domain.pl.
Can I turn off subdomains in phpfastcache? I don't see such option.
Edit:
I found answer here: https://stackoverflow.com/a/33848394/979911
According to: https://stackoverflow.com/a/33848394/979911
phpFastCache::setup('securityKey', 'phpfastcache'); is responsible for directory name
I'm a bit late on this, but a quick heads up on the securityKey:
In your example you tend to mutualize your website cache and admin cache.
This could lead to potential security issues, as the cache directories are no longer compartmentalized.
I warmly advise you to set up two different security keys and call them from your admin panel.
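One way to apply that advice, as an added example that is not part of the answer above or of the phpFastCache project: each application (the public site and the admin panel) selects its own securityKey at bootstrap, so the two never share a cache directory and clearing one cannot touch the other. It assumes the phpFastCache v4-era API the answer refers to (`phpFastCache::setup()` and the `phpFastCache()` factory), an include path, and the namespace names shown; adapt the calls for newer versions.

```php
<?php
// Added example (not from the original post or the phpFastCache project).
// Each vhost calls appCache() once with its own namespace name, so the
// securityKey (which phpFastCache turns into a directory name) differs per app.
require_once __DIR__ . '/phpfastcache/phpfastcache.php'; // assumed include path

function appCache($app)
{
    // Only a fixed set of names is accepted: the key becomes a filesystem path,
    // so it must never be derived from user input or from the request host.
    $keys = array('www' => 'site_cache', 'admin' => 'admin_cache');
    if (!isset($keys[$app])) {
        throw new InvalidArgumentException("unknown cache namespace: $app");
    }
    phpFastCache::setup('storage', 'files');
    phpFastCache::setup('securityKey', $keys[$app]); // assumed: v4 static setup
    return phpFastCache();
}

// In the admin panel's bootstrap (admin.domain.pl):
$cache = appCache('admin');
$cache->set('dashboard_stats', array('users' => 42), 300);

// Clearing from the admin panel now only empties the admin namespace;
// the public site's 'site_cache' directory is untouched.
$cache->clean();

// In the public site's bootstrap (www.domain.pl) you would instead call:
//   $cache = appCache('www');
```

Because `setup()` is global configuration in that API, call `appCache()` once per process rather than switching namespaces inside one request.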
Can anyone tell me how I can change the path to the admin on SilverStripe 3.1.x? A site I built has a medium risk security issue outstanding from a security scan - apparently the path /admin is too easy to guess.
The recommendation is to:
Modify the link, name or location of the administrative login page so it cannot be easily
identified/guessed by an unauthorized user. If only internal users require access, implement
additional restrictions to restrict access from the Internet.
I found something for SilverStripe 2.x here: http://www.silverstripe.org/archive/show/3550 , but I need something similar for SilverStripe 3.1.x
Not fully tested, but adding these to your config.yml seems to do the trick:
Director:
  rules:
    'admin': ''
    'fancyLongAdminURL': 'AdminRootController'
AdminRootController:
  url_base: 'fancyLongAdminURL'
LeftAndMain:
  url_base: 'fancyLongAdminURL'
The only thing I can see not working is the myProfile link in the top left corner. But that's because the URL is hard-coded in the template LeftAndMain_Menu.ss, which you could override with your own.
Edit: The above should work fine for the framework. For the CMS and other modules, this will have to be investigated and may need more classes/templates overrides, for example:
The CMS seems to have hardcoded admin url in
Install_deleteinstallfiles.ss, AssetAdmin.js, VirtualPage.php,
SiteTree.php, AssetAdmin.php, routes.yml....
The Reports module has it hardcoded in Report.php
In those cases maybe a URLRewrite might be more convenient until this is implemented in the core.
Update: This has now been merged into the master branch so it should make its way into the next 4.0 release:
https://github.com/silverstripe/silverstripe-framework/pull/3274
No, there isn't currently any mechanism for changing the admin path. If this is something you really think should be in core, you could consider raising an issue for it.
It's interesting that there is an issue with this. SilverStripe is used for a large number of Government websites and the website of a major bank, so it should have passed quite a few code audits in the past.
The best course of action would be to use .htaccess or similar method to restrict access to /admin to a whitelist of IP addresses. This is far more secure than simply changing the path - "security through obfuscation" is not true security.
The client wants to make a site (a web service, as he named it) where users can create their own pages, including with JS scripts, etc. I see two ways - using folders:
http://service.com/user/name/ ...
and subdomains:
http://user.service.com/...
Neither path is a problem technically, but the client wants to use folders for SEO benefits.
I think if I use folders, it will make the site less secure. For example, a user can send an AJAX request from their page and the server will respond to them. If it were a subdomain, in accordance with the SOP (Same Origin Policy) the request would be rejected. Correct me if I'm wrong.
Is it real problem with SOP for folders?
Are there any other security issues for folders?
Is it safer to use subdomains?
Continuing to study this issue. As I understand it, in the case of folders a user can also create a page with Black Hat SEO and search engines will ban my domain. Am I right?
So I can already see 2 security issues with folders and no way to fix them. Are there solutions for them? Are subdomains really safer, or do they have other issues?
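As an added illustration (not part of the question above) of what the Same Origin Policy actually compares, the helper below reduces a URL to its origin, the (scheme, host, port) triple, and checks two URLs against each other. The path is not part of the origin, which is exactly why two user folders on one host are one origin while two subdomains are not. The hostnames are the question's own placeholders; the default-port handling for http/https is an assumption stated in the code.

```php
<?php
// Added example, not from the original question.
// Origin = scheme + host + port. Path and query are ignored by the browser's SOP.

function originOf($url)
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null; // not an absolute URL: no origin
    }
    $scheme = strtolower($p['scheme']);
    // Assumption: only http/https defaults are needed here (80 and 443).
    $port = isset($p['port']) ? (int) $p['port'] : ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

function sameOrigin($a, $b)
{
    $oa = originOf($a);
    $ob = originOf($b);
    return $oa !== null && $oa === $ob;
}

// Folder layout: a user's page and the service's own API share one origin,
// so the page's scripts can read API responses sent with the visitor's cookies.
$folderLayout = sameOrigin('http://service.com/user/alice/', 'http://service.com/api/me');

// Subdomain layout: the user's page is a distinct origin from the service.
$subdomainLayout = sameOrigin('http://alice.service.com/', 'http://service.com/api/me');

// Even an explicit default port does not change the origin.
$explicitPort = sameOrigin('http://service.com:80/x', 'http://service.com/y');

var_dump($folderLayout, $subdomainLayout, $explicitPort);
```

`$folderLayout` and `$explicitPort` come out `true` and `$subdomainLayout` `false`: under the folder layout every user page runs with the service's own origin, so any cookie-authenticated endpoint the service exposes is reachable from user-supplied script.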
I am developing a website with CakePHP.
I have an AdminsController for admins to authenticate. However, I want to create extra security by adding .htaccess password protection.
I tried to do it by adding .htaccess and a .htpasswd files in my Admins view directory since I want the other pages of my site to work normally, but it doesn't work.
So how to add .htaccess and .htpasswd for only a specific view?
In my AdminsController's beforeFilter method I've added:
// REMOTE_ADDR holds the client's address; HTTP_HOST is the requested hostname, not the client
if (env('REMOTE_ADDR') == '888.888.888.888' || ......) {
The list of IP addresses that should be allowed. Can I say that it is safe now?
I think you might want to investigate the other authentication components that CakePHP has to offer. BasicAuthenticate should be of particular interest.
If you go down this route, the authentication will still happen against a userModel rather than a .htpasswd file.
As for the IP restriction, that should be relatively safe. IP spoofing is possible but hard.
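The IP allowlist that both this answer and the SilverStripe answer above recommend (there as an .htaccess rule, here in beforeFilter) is easy to get subtly wrong, so here is an added example of the check itself; it is not from either thread or from CakePHP. It takes the client address from REMOTE_ADDR, which the web server fills in from the TCP connection, rather than from a request header, and matches it against CIDR ranges. It assumes IPv4 and that the application is not behind a reverse proxy (behind one, REMOTE_ADDR is the proxy and the client must be resolved from the proxy's forwarded header, and only after the proxy itself has been verified). The addresses are documentation ranges used as constructed sample values.

```php
<?php
// Added example, not from the original question, answer, or CakePHP.

/** True when dotted-quad $ip falls inside $cidr ("203.0.113.0/24" or a bare host). */
function ipInCidr($ip, $cidr)
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32'; // a bare host is a single-address range
    }
    list($net, $bits) = explode('/', $cidr, 2);
    $bits    = (int) $bits;
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // malformed input never passes
    }
    // Keep only the top $bits bits; /0 is special-cased to avoid a 32-bit shift.
    $mask = ($bits === 0) ? 0 : (~0 << (32 - $bits));
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Decide from the server array whether the requester may reach the admin area. */
function adminIpAllowed(array $server, array $allowlist)
{
    // REMOTE_ADDR is set by the server from the connection. HTTP_HOST and
    // X-Forwarded-For are request headers a client can set to anything.
    $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    foreach ($allowlist as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: office range plus one fixed admin host.
$allowlist = array('198.51.100.0/24', '203.0.113.10');

var_dump(adminIpAllowed(array('REMOTE_ADDR' => '198.51.100.77'), $allowlist));
var_dump(adminIpAllowed(array('REMOTE_ADDR' => '203.0.113.11'),  $allowlist));
// A spoofed header makes no difference: only REMOTE_ADDR is consulted.
var_dump(adminIpAllowed(array('REMOTE_ADDR' => '192.0.2.5',
                              'HTTP_X_FORWARDED_FOR' => '203.0.113.10'), $allowlist));

// Inside AdminsController::beforeFilter() (CakePHP 2.x style) this becomes:
//   if (!adminIpAllowed($_SERVER, $allowlist)) { throw new ForbiddenException(); }
```

The three checks evaluate to true, false and false respectively. The same restriction at the web-server layer (Apache 2.4's `Require ip` inside a `<Location /admin>` block) has the advantage of rejecting the request before any application code runs.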
A friend of mine set up a website with a website builder. I offered to help and ended up redesigning the site. What I wrote is obviously incompatible with the site builder's templates he used, but he would rather stick with the site builder which allows him to make the changes he needs to make.
What I'm currently thinking is to have both sites set up simultaneously and let him choose which one is visited by the user. That way we can use the new site and then when he makes a change, switch back to the old site until I have a chance to change the new version. This would be confusing for any regular users of the site who happened to visit it in the time that the old site was changed, but the site is very small with very few visitors, and any changes made would be easy to duplicate.
I don't, however, know how to do this. My first thought was to have two public_html directories with a script that would rename them as needed, but I don't know how I would go about changing the name of a folder that a script is running from. I also don't think I would be able to move the old site over to a host I control; the site builder doesn't give the ftp details and it takes care of all the dirty work for its users. At most, I think I could transfer the domain name to a different registrar, set up the nameservers with the host of the new site, and go from there, but then the old site wouldn't be editable from the site builder...
My second thought would be to do something like this in php:
if (...) {
    // $oldSite holds the old site's base URL, e.g. 'http://old.example.com'
    echo file_get_contents($oldSite . $_SERVER['REQUEST_URI']);
} else {
    ...
}
If anyone's made it this far, here are the key points of what I want to achieve:
Old site is able to be changed with the site builder (Vistaprint)
Script to choose which website the user visits
URLs never change
Assume the only control we have over the old site is a simple WYSIWYG editor from the site builder and the ability to change the domain as well as release the domain (for $20, the crooks). Nothing to do with nameservers, ftp, file managers, etc.
Current plan of action: Transfer the domain (let's assume it's http://example.com) to a registrar and web host I control. Set up an add-on domain (http://old.example.com) and register the web builder with the add-on domain. I'll then have each page set up the way I showed in the second plan:
if (...) {
    echo file_get_contents('http://old.example.com' . $_SERVER['REQUEST_URI']);
} else {
    ...
}
I'm a bit reluctant to do this for a number of reasons, so I was hoping someone could enlighten me on a better method.
You're overthinking this. Just redirect (HTTP status 3xx) to your old site when necessary.
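The redirect approach from this answer, written out as an added example (not from the question or the answer): a front controller that either falls through to the new site or sends the visitor to the old one with a 302, keeping the same path and query so the URLs the question cares about stay stable. It assumes the old site lives at old.example.com (the question's own placeholder), that the switch is a flag file the owner toggles on the server rather than anything the visitor controls, and that the old site is served over HTTPS.

```php
<?php
// Added example, not from the original question or answer.

const OLD_SITE_HOST = 'old.example.com';                  // question's placeholder
const SWITCH_FILE   = __DIR__ . '/use_old_site.flag';     // assumed: toggled by the owner

/** Build the redirect target from the request URI, keeping only its path and query. */
function oldSiteUrl($requestUri)
{
    $parts = parse_url($requestUri);
    $path  = isset($parts['path']) ? $parts['path'] : '/';
    // Force exactly one leading slash: the host is fixed below, so a URI such as
    // "//evil.example/x" can only contribute "/x" and never a different host.
    $path  = '/' . ltrim($path, '/');
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return 'https://' . OLD_SITE_HOST . $path . $query;
}

/** The owner creates or deletes the flag file to pick which site visitors see. */
function shouldServeOldSite()
{
    return is_file(SWITCH_FILE);
}

if (shouldServeOldSite()) {
    // A redirect rather than file_get_contents(): the browser fetches the old
    // site itself, so its relative links, images and forms keep working.
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    header('Location: ' . oldSiteUrl($uri), true, 302);
    exit;
}

// ...otherwise continue into the new site's own routing.
```

Proxying with `file_get_contents()` as in the question would make the new host fetch arbitrary paths on the old one on each request, re-serve that content under its own origin, and break the old site's relative assets; a 302 avoids all three.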
I'm in a development environment and we're using basic .htaccess/.htpasswd authentication to keep lurkers out. But some of my AJAX calls are coming back with HTTP/401 authentication failed errors. Is it possible for me to allow access only to those specific URLs? I can't easily do it by popping a new .htaccess in a subfolder because CodeIgniter uses rewrites.
It's not possible to allow access only to those specific URLs. Unfortunately, .htaccess and .htpasswd authentication operates on a directory level only. And you're exactly right about why just using a subdirectory won't work - because of CI rewrites, which happen AFTER Apache has transferred control to CodeIgniter's index.php front controller.
The easy option, if you're working on something that (1) is not likely to be hacked in the first place, and (2) can't reveal sensitive data even if it is, is to use security via obscurity. Don't have any links to your dev site, include a noindex directive for search engine crawlers, and go on your merry way. This also has the advantage that you can test versions of the site with your colleagues and friends by just telling them the URL to go to.
If you're more worried about security, then you're probably building an auth module for your website's users. In that case, for your dev environment, just call that auth module in the constructor for all of your controllers, and redirect to the login page if the user is not logged in.
Good luck!
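The second option from this answer, calling the auth check from every controller, is usually done once in a base controller. Below is an added example of that (not from the answer or from CodeIgniter itself); it also answers AJAX callers with a 401 JSON body instead of a redirect, so the kind of XHR failure described in the question is explicit rather than a silently redirected login page. It assumes CodeIgniter 3 with the session library and the url helper autoloaded, a `user_id` session value set by your own login code, and a route named `login`.

```php
<?php
// Added example, not from the original answer or the CodeIgniter project.
// Save as application/core/MY_Controller.php; protected controllers extend it.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        if (!$this->isLoggedIn()) {
            $this->denyAccess();
        }
    }

    /** Assumption: the login code stores the user's id under 'user_id'. */
    protected function isLoggedIn()
    {
        return (bool) $this->session->userdata('user_id');
    }

    /** AJAX callers get a machine-readable 401; browsers go to the login page. */
    protected function denyAccess()
    {
        if ($this->input->is_ajax_request()) {
            $this->output
                ->set_status_header(401)
                ->set_content_type('application/json')
                ->set_output(json_encode(array('error' => 'authentication required')))
                ->_display();
            exit;
        }
        redirect('login');
    }
}

// A controller that must be protected:
//   class Dashboard extends MY_Controller { ... }
// Public controllers such as the login page keep extending CI_Controller.
```

Because the check runs in the constructor, it covers every action of every extending controller, including the ones reached only through rewritten URLs that .htaccess cannot distinguish.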