logs and tmp folders outside root
-
- Joomla! Explorer
- Posts: 256
- Joined: Thu Jul 05, 2007 10:41 am
.htaccess help
Help please, never used .htaccess before, using it for 1.7.3
Can I just append code to the end like this? at bottom...
thanks
Code:
##
# @version $Id: htaccess.txt 21101 2011-04-07 15:47:33Z dextercowley $
# @package Joomla
# @copyright Copyright (C) 2005 - 2011 Open Source Matters. All rights reserved.
# @license GNU General Public License version 2 or later; see LICENSE.txt
##
##
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations. It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that disallows changing it in
# your .htaccess file. If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's. If they work,
# it has been set by your server administrator and you do not need it set here.
##
## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks
## Mod_rewrite in use.
RewriteEngine On
## Begin - Rewrite rules to block out some common exploits.
# If you experience problems on your site block out the operations listed below
# This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
## End - Rewrite rules to block out some common exploits.
## Begin - Custom redirects
#
# If you need to redirect some pages, or set a canonical non-www to
# www redirect (or vice versa), place that code here. Ensure those
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
#
## End - Custom redirects
##
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root).
##
# RewriteBase /
## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the request is for something within the component folder,
# or for the site root, or for an extensionless URL, or the
# requested URL ends with one of the listed extensions
RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
## End - Joomla! core SEF Section.
<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>
- imanickam
- Joomla! Master
- Posts: 28206
- Joined: Wed Aug 13, 2008 2:57 am
- Location: Chennai, India
Re: .htaccess help
Yes, you may...
It looks like you would like to secure your site. You could review the checklist at http://docs.joomla.org/Category:Security_Checklist.
Ilagnayeru (MIG) Manickam | இளஞாயிறு மாணிக்கம்
Joomla! - Global Moderators Team | Joomla! Core - Tamil (தமிழ்) Translation Team Coordinator
Former Joomla! Translations Coordination Team Lead
Eegan - Support the poor and underprivileged
-
- Joomla! Explorer
- Posts: 256
- Joined: Thu Jul 05, 2007 10:41 am
Re: .htaccess help
Thanks
I've noticed just now though when I change the global config:
Use URL rewriting to yes, it changes back to no when I click save on yes?
Also I changed the log and tmp paths to a folder outside the root, which saved ok, but if I remove the log and tmp folders from the root, even though I've copied them to the folder outside the root, I get an error when trying to write to configuration.php??
Can you help please?
Last edited by mandville on Thu Dec 08, 2011 12:16 am, edited 1 time in total.
Reason: merged topic with existing topic.
-
- Joomla! Explorer
- Posts: 256
- Joined: Thu Jul 05, 2007 10:41 am
logs and tmp folders outside root
Help please?
If I change the name of these folders in the global config to a folder outside the root, so instead of httpdocs/logs it would be newfolder/logs, and change the configuration.php file to the same path, this seems ok, but I can't remove them or rename the original logs and tmp folders in the root even though I copied them across to the new folder outside the root; I get an error writing to configuration.php. Am I missing something here?
Thanks
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: logs and tmp folders outside root
szonkie wrote: Am I missing something here?
Thanks
yes there are several issues here
* you probably don't have the correct permissions to write/rename these folders
* why do you want to move them
* several extensions have the path to the tmp folders etc. hardcoded in them, which will cause errors on your site
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Explorer
- Posts: 256
- Joined: Thu Jul 05, 2007 10:41 am
Re: logs and tmp folders outside root
I thought it was good to move the tmp and log folders out of the root? Can I do anything else to secure these, leaving them in the root?
I've already added this to the .htaccess file
<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>
Assuming the .htaccess file just takes effect when you rename it .htaccess?
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: logs and tmp folders outside root
should I just merge your heavily related topics into the same topic
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Explorer
- Posts: 256
- Joined: Thu Jul 05, 2007 10:41 am
Re: logs and tmp folders outside root
yes why not
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
-
- Joomla! Explorer
- Posts: 256
- Joined: Thu Jul 05, 2007 10:41 am
Re: logs and tmp folders outside root
Can I use .htaccess to protect the administrator directory? what else can I protect using .htaccess?
Do I need to still move the configuration.php outside of the root if I have added this to the .htaccess:
<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>
Thanks
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: logs and tmp folders outside root
you have no reason to move /tmp and /log out of root. Actually no need to move anything out of root. You do not gain anything by it, nor does it give you additional security
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: logs and tmp folders outside root
szonkie wrote: Can I use .htaccess to protect the administrator directory? what else can I protect using .htaccess?
Do I need to still move the configuration.php outside of the root if I have added this to the .htaccess:
<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>
Thanks
You can password protect the administrator directory. Recently there was a discussion on this so I will not re-post everything I said. View the link for more info:
http://forum.joomla.org/viewtopic.php?p ... 7#p2667557
This link describes how to set up basic password protection on the administrator directory.
and a slightly more complicated version with no instruction for more advanced users or users with multiple admins.
http://forum.joomla.org/viewtopic.php?p ... 1#p2665851
Both of these allow access from one or a limited set of ip addresses without entering a user name and password for access to the admin directory.
Moving the config file outside of the public_html directory is not necessary and is of limited value. The instructions are posted in the docs because there are many people asking for this because it makes them feel better, not because it is safer. I don't think the htaccess addition will protect it because it is outside of the public_html directory, i.e. above where the htaccess operates. The best site protection is making sure everything is kept up to date and you use a properly reputable host that cares about security.
Last edited by PhilD on Sat Dec 10, 2011 5:41 pm, edited 1 time in total.
Reason: stupid c/p
PhilD
-
- Joomla! Explorer
- Posts: 256
- Joined: Thu Jul 05, 2007 10:41 am
Re: logs and tmp folders outside root
From the below, yes I can set a password up in my domain control panel, but funnily enough when I enter the logon details I set up it does not allow access to the administrator directory; the host doesn't know either, so I had to remove it. Are you saying from the below that I can add the details into the .htaccess file and save the .htaccess file under the administrator directory to allow access that way?? Does the file need to be called .htaccess? If not, how is the file authenticated, is it the dot prefix that determines this??
If I add this to .htaccess or is this .htpasswd?, bit confused what file I use for what?:
Code:
AuthGroupFile /dev/null
AuthName "Admins Only!"
AuthType Basic
AuthUserFile /home/xxxxx/domains/mysite.com/.htpasswd/public_html/administrator/.htpasswd
require valid-user
Allow from xxx.xxx.xxx.xxx
Satisfy Any
To:
1. password protect the administrator directory and
2. to allow access from only a limited number of ip addresses
I would just setup the administrator directory to be password protected. You can do this from your domains control panel - password protect directories. (May be the only way on a shared server setup). This will add the proper .htaccess file to the administrator directory.
Then add the ip address that you access the administrator directory from.
The result is it gives you a single login prompt when logging in to the admin area and anyone else gets a double login prompt (once for the password protected directory and once for Joomla) as they don't match the ip address in the file. This is normally more than sufficient protection and also allows you to use different browsers or devices.
Note: The password protection of directories (such as the admin directory) will not prevent the most common methods of hacking and that is by exploiting an insecure 3rd party extension or outdated insecure Joomla install. You still have to keep everything up to date and secure.
Code:
AuthGroupFile /dev/null
AuthName "Admins Only!"
AuthType Basic
AuthUserFile /home/xxxxx/domains/mysite.com/.htpasswd/public_html/administrator/.htpasswd
require valid-user
Allow from xxx.xxx.xxx.xxx
Satisfy Any
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: logs and tmp folders outside root
First you create the password protection on the administrator directory from your domain's control panel. This creates the htaccess file within the administrator directory.
Then test it to make sure it operates properly.
Then if desired edit the htaccess file that was created within the administrator directory,
adding:
Allow from xxx.xxx.xxx.xxx
Satisfy Any
where xxx.xxx.xxx.xxx is the IP address of your home computer.
If your host does not know how to assist with this simple edit to the htaccess file within the administrator directory, and cannot make basic password protection on a directory 'work', then find another host.
PhilD
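An added example, not PhilD's file nor anything from the thread, of a complete administrator/.htaccess that combines the two steps above (password protection plus a bypass for one trusted address), giving the Apache 2.4 form beside the 2.2 form the thread uses. The address 203.0.113.10 and the .htpasswd path are placeholders.

```apache
# administrator/.htaccess (added example). Either a valid password or a
# request from the trusted address grants access to the Joomla admin area.
# 203.0.113.10 and the AuthUserFile path are placeholders; keep the
# password file outside the web root so it can never be served.
AuthType Basic
AuthName "Admins Only!"
AuthUserFile /home/example/.htpasswd/administrator.htpasswd
AuthGroupFile /dev/null

<IfModule mod_authz_core.c>
    # Apache 2.4: RequireAny is the replacement for "Satisfy Any";
    # the first matching condition wins.
    <RequireAny>
        Require ip 203.0.113.10
        Require valid-user
    </RequireAny>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 (or 2.4 with mod_access_compat): host check OR password.
    # The explicit "Deny from all" matters: under Apache's default
    # "Order Deny,Allow" an Allow line on its own permits every host, and
    # "Satisfy Any" would then never ask anyone for a password.
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Require valid-user
    Satisfy Any
</IfModule>
```

Create the password file with the htpasswd tool shipped with Apache, for example `htpasswd -c /home/example/.htpasswd/administrator.htpasswd admin`, then test from both the trusted address and another one to confirm the second still gets the login prompt.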
-
- Joomla! Enthusiast
- Posts: 119
- Joined: Sun Apr 13, 2008 8:40 pm
Re: logs and tmp folders outside root
I'm setting up RSFirewall and they require the joomla tmp folder to be moved outside of public_html
Current excerpt from their troubleshooting guide (12/18/2015):
"A very well-known security practice is to set up this folder outside public HTML, in order to restrict access to it on the web. RSFirewall!'s System Check feature verifies the folder's path and notifies you whether it is set up in a safe manner or not."
I see these threads are old, has something changed? Is it now advisable to move the tmp directory?
Please clarify,
thank you
- Bernard T
- Joomla! Guru
- Posts: 782
- Joined: Thu Jun 29, 2006 11:44 am
- Location: Hrvatska
- Contact:
Re: logs and tmp folders outside root
joknight wrote: I see these threads are old, has something changed? Is it now advisable to move the tmp directory
If the path change won't break your website's functionality, for the reasons explained above, it's up to you to decide if you want to move it around.
If you get some errors try to solve them, in most cases it will be either extensions with hardcoded tmp folder path, PHP open_basedir restriction, or similar.
Consult your hosting provider's or RS Firewall's support for any further help.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: logs and tmp folders outside root
if you see this topic, https://www.rsjoomla.com/forum/45-rsfir ... chtml.html you can see the issues and workarounds that need to be done for this practice
https://www.rsjoomla.com/support/docume ... -html.html
"However, note that this isn't a simple copy and paste operation, certain modifications have to be made."
of course direct file changes can be undone when an upgrade occurs
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- Bernard T
- Joomla! Guru
- Posts: 782
- Joined: Thu Jun 29, 2006 11:44 am
- Location: Hrvatska
- Contact:
Re: logs and tmp folders outside root
mandville wrote: if you see this topic, https://www.rsjoomla.com/forum/45-rsfir ... chtml.html you can see the issues and workarounds that need to be done for this practice
https://www.rsjoomla.com/support/docume ... -html.html
"However, note that this isn't a simple copy and paste operation, certain modifications have to be made."
of course direct file changes can be undone when an upgrade occurs
Those instructions are bad, since "defines.php" files shouldn't and don't need to be hacked directly. One should create copies of the files and place them in the directory above the respective includes/ dir, in the Joomla webroot and administration/ folders respectively. This will prevent them from being overwritten by a future upgrade.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak