logs and tmp folders outside root

Discussion regarding Joomla! 2.5 security issues.

szonkie
Joomla! Explorer
Posts: 256
Joined: Thu Jul 05, 2007 10:41 am

.htaccess help

Post by szonkie » Wed Dec 07, 2011 5:18 pm

Help please, never used .htaccess before, using it for 1.7.3

Can I just append code to the end like this, at the bottom?
thanks


##
# @version $Id: htaccess.txt 21101 2011-04-07 15:47:33Z dextercowley $
# @package Joomla
# @copyright Copyright (C) 2005 - 2011 Open Source Matters. All rights reserved.
# @license GNU General Public License version 2 or later; see LICENSE.txt
##

##
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations. It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that disallows changing it in
# your .htaccess file. If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's. If they work,
# it has been set by your server administrator and you do not need it set here.
##

## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

## Mod_rewrite in use.

RewriteEngine On

## Begin - Rewrite rules to block out some common exploits.
# If you experience problems on your site block out the operations listed below
# This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
## End - Rewrite rules to block out some common exploits.

## Begin - Custom redirects
#
# If you need to redirect some pages, or set a canonical non-www to
# www redirect (or vice versa), place that code here. Ensure those
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
#
## End - Custom redirects

##
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root).
##

# RewriteBase /

## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the request is for something within the component folder,
# or for the site root, or for an extensionless URL, or the
# requested URL ends with one of the listed extensions
RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
## End - Joomla! core SEF Section.

<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>
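
The four RewriteCond lines in the pasted htaccess.txt are plain regular-expression signatures applied to the raw, still percent-encoded query string; when any one of them matches, the [F] rule answers 403. The Python below is an added example (not part of the original post, and not Joomla code) that re-implements exactly those four patterns with the same case-sensitivity flags and runs them over a set of constructed request URLs, so you can see what they catch and how little it takes to step around them. The sample URLs are made up for this example; the patterns are copied verbatim from the .htaccess above.

```python
import re
from urllib.parse import urlsplit

# The four RewriteCond patterns from the Joomla 1.7/2.5 htaccess.txt above,
# copied verbatim. mod_rewrite uses PCRE; these particular patterns behave
# the same under Python's re. [NC] on the <script> rule becomes re.IGNORECASE;
# the other three are case-sensitive, exactly as in the .htaccess.
JOOMLA_BLOCK_RULES = [
    ("base64_encode", re.compile(r"base64_encode[^(]*\([^)]*\)")),
    ("script-tag", re.compile(r"(<|%3C)([^s]*s)+cript.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]


def matching_rule(query_string):
    """Return the name of the first RewriteCond that fires, or None.

    mod_rewrite matches %{QUERY_STRING} as it arrived on the wire, i.e.
    still percent-encoded, so the patterns are applied to the raw string
    and no decoding is done here either.
    """
    for name, pattern in JOOMLA_BLOCK_RULES:
        if pattern.search(query_string):
            return name
    return None


def would_be_blocked(url):
    """True if the [F] RewriteRule would answer 403 for this request URL."""
    return matching_rule(urlsplit(url).query) is not None


# Constructed sample requests (not taken from any real log). The second
# column records which rule fires; None means the request passes through
# to index.php untouched.
SAMPLES = [
    ("/index.php?option=com_content&view=article&id=5", None),
    ("/index.php?x=base64_encode(phpinfo())", "base64_encode"),
    ("/index.php?q=%3Cscript%3Ealert(1)%3C/script%3E", "script-tag"),
    ("/index.php?q=<script>alert(1)</script>", "script-tag"),
    ("/index.php?GLOBALS[foo]=bar", "GLOBALS"),
    ("/index.php?_REQUEST%5Ba%5D=1", "_REQUEST"),
    # The rules are literal signatures, so trivial variations pass:
    ("/index.php?x=BASE64_ENCODE(phpinfo())", None),    # rule 1 has no [NC]
    ("/index.php?x=base64_decode(Z2V0cGlkKCk=)", None),  # decode is not listed
    ("/index.php?q=%253Cscript%253E", None),             # double-encoded <
]


def evaluate_samples():
    """Run every sample through the rules; returns [(url, rule_fired)]."""
    return [(url, matching_rule(urlsplit(url).query)) for url, _ in SAMPLES]


def samples_match_expectations():
    """True when every sample fires exactly the rule recorded next to it."""
    return all(matching_rule(urlsplit(u).query) == exp for u, exp in SAMPLES)


if __name__ == "__main__":
    for url, fired in evaluate_samples():
        print(f"{'403' if fired else '200':>4}  {fired or '-':14}  {url}")
```

The last three samples are the point: the base64 rule is case-sensitive, `base64_decode` is not listed at all, and a double-encoded `<` never contains the literal `%3C` the pattern looks for. These rules cut down noise from the crudest scanners; they are not a substitute for keeping Joomla and its extensions patched, which is the advice the rest of this thread converges on.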

imanickam
Joomla! Master
Posts: 28206
Joined: Wed Aug 13, 2008 2:57 am
Location: Chennai, India

Re: .htaccess help

Post by imanickam » Wed Dec 07, 2011 5:29 pm

Yes, you may...

It looks like you would like to secure your site. You could review the checklist at http://docs.joomla.org/Category:Security_Checklist.
Ilagnayeru (MIG) Manickam | இளஞாயிறு மாணிக்கம்
Joomla! - Global Moderators Team | Joomla! Core - Tamil (தமிழ்) Translation Team Coordinator
Former Joomla! Translations Coordination Team Lead
Eegan - Support the poor and underprivileged

szonkie
Joomla! Explorer
Posts: 256
Joined: Thu Jul 05, 2007 10:41 am

Re: .htaccess help

Post by szonkie » Wed Dec 07, 2011 5:45 pm

Thanks

I've noticed just now though when I change the global config:
Use URL rewriting to Yes, it changes back to No when I click Save?

Also, I changed the log and tmp paths to a folder outside the root, which saved OK, but if I remove the log and tmp folders from the root, even though I've copied them to the folder outside the root, I get an error when trying to write to configuration.php.

can you help please?
Last edited by mandville on Thu Dec 08, 2011 12:16 am, edited 1 time in total.
Reason: merged topic with existing topic.

szonkie
Joomla! Explorer
Posts: 256
Joined: Thu Jul 05, 2007 10:41 am

logs and tmp folders outside root

Post by szonkie » Wed Dec 07, 2011 6:04 pm

Help please?

If I change the name of these folders in the global config to a folder outside the root, so instead of httpdocs/logs it would be newfolder/logs, and change the configuration.php file to the same path, this seems OK, but I can't remove or rename the original logs and tmp folders in the root, even though I copied them across to the new folder outside the root; I get an error writing to configuration.php. Am I missing something here?
Thanks

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: logs and tmp folders outside root

Post by mandville » Wed Dec 07, 2011 6:29 pm

szonkie wrote: Am I missing something here?
Thanks
yes there are several issues here
*you probably don't have the correct permissions to write/rename these folders
*why do you want to move them
*several extensions have the path to the tmp folders etc hardcoded in them which will cause errors on your site
HU2HY- Poor questions = Poor answer
Unrequested Help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

szonkie
Joomla! Explorer
Posts: 256
Joined: Thu Jul 05, 2007 10:41 am

Re: logs and tmp folders outside root

Post by szonkie » Wed Dec 07, 2011 6:56 pm

I thought it was good to move the tmp and log folders out of the root? Can I do anything else to secure these, leaving them in the root?

I've already added this to the .htaccess file
<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>

Assuming the .htaccess file just takes effect when you rename it .htaccess?

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: logs and tmp folders outside root

Post by mandville » Wed Dec 07, 2011 7:10 pm

Should I just merge your heavily related topics into the same topic?

szonkie
Joomla! Explorer
Posts: 256
Joined: Thu Jul 05, 2007 10:41 am

Re: logs and tmp folders outside root

Post by szonkie » Wed Dec 07, 2011 11:04 pm

Yes, why not.

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: logs and tmp folders outside root

Post by PhilD » Wed Dec 07, 2011 11:30 pm

Topics merged
PhilD

szonkie
Joomla! Explorer
Posts: 256
Joined: Thu Jul 05, 2007 10:41 am

Re: logs and tmp folders outside root

Post by szonkie » Fri Dec 09, 2011 4:42 pm

Can I use .htaccess to protect the administrator directory? What else can I protect using .htaccess?

Do I need to still move the configuration.php outside of the root if I have added this to the .htaccess:
<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>

Thanks

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: logs and tmp folders outside root

Post by leolam » Sat Dec 10, 2011 1:56 pm

You have no reason to move /tmp and /log out of root. Actually there is no need to move anything out of root. You do not gain anything by it, nor does it give you additional security.

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: logs and tmp folders outside root

Post by PhilD » Sat Dec 10, 2011 5:31 pm

szonkie wrote: Can I use .htaccess to protect the administrator directory? what else can I protect using .htaccess?

Do I need to still move the configuration.php outside of the root if I have added this to the .htaccess:
<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>

Thanks
You can password protect the administrator directory. Recently there was a discussion on this, so I will not re-post everything I said. View the link for more info:
http://forum.joomla.org/viewtopic.php?p ... 7#p2667557
This link describes how to set up basic password protection on the administrator directory.
and a slightly more complicated version with no instruction for more advanced users or users with multiple admins.
http://forum.joomla.org/viewtopic.php?p ... 1#p2665851
Both of these allow access from one or a limited set of ip addresses without entering a user name and password for access to the admin directory.

Moving the config file outside of the public_html directory is not necessary and is of limited value. The instructions are posted in the docs because there are many people asking for this because it makes them feel better, not because it is safer. I don't think the htaccess addition will protect it because it is outside of the public_html directory, i.e. above where the htaccess operates. The best site protection is making sure everything is kept up to date and you use a properly reputable host that cares about security.
Last edited by PhilD on Sat Dec 10, 2011 5:41 pm, edited 1 time in total.
Reason: stupid c/p
PhilD

szonkie
Joomla! Explorer
Posts: 256
Joined: Thu Jul 05, 2007 10:41 am

Re: logs and tmp folders outside root

Post by szonkie » Wed Dec 14, 2011 1:22 pm

From the below, yes, I can set a password up in my domain control panel, but funnily enough when I enter the logon details I set up it does not allow access to the administrator directory; the host doesn't know either, so I had to remove it. Are you saying from the below that I can add the details into the .htaccess file and save the .htaccess file under the administrator directory to allow access that way? Does the file need to be called .htaccess? If not, how is the file authenticated; is it the dot prefix that determines this?

If I add this to .htaccess, or is this .htpasswd? A bit confused what file I use for what:
Code:
AuthGroupFile /dev/null
AuthName "Admins Only!"
AuthType Basic
AuthUserFile /home/xxxxx/domains/mysite.com/.htpasswd/public_html/administrator/.htpasswd
require valid-user
# Deny by default so that "Satisfy Any" only waives the password for the
# address listed below. Without these two lines Apache 2.2 falls back to
# its default "Order deny,allow" with no Deny, the host check passes for
# every client, and "Satisfy Any" then lets everyone in unauthenticated.
Order deny,allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Satisfy Any


To:
1. password protect the administrator directory and
2. to allow access from only a limited number of ip addresses

I would just setup the administrator directory to be password protected. You can do this from your domains control panel - password protect directories. (May be the only way on a shared server setup). This will add the proper .htaccess file to the administrator directory.
Then add the ip address that you access the administrator directory from.
The result is it gives you a single login prompt when logging in to the admin area and anyone else gets a double login prompt (once for the password protected directory and once for Joomla) as they don't match the ip address in the file. This is normally more than sufficient protection and also allows you to use different browsers or devices.

Note: The password protection of directories (such as the admin directory) will not prevent the most common methods of hacking and that is by exploiting an insecure 3rd party extension or outdated insecure Joomla install. You still have to keep everything up to date and secure.


Code:
AuthGroupFile /dev/null
AuthName "Admins Only!"
AuthType Basic
AuthUserFile /home/xxxxx/domains/mysite.com/.htpasswd/public_html/administrator/.htpasswd
require valid-user
# Deny by default so that "Satisfy Any" only waives the password for the
# address listed below. Without these two lines Apache 2.2 falls back to
# its default "Order deny,allow" with no Deny, the host check passes for
# every client, and "Satisfy Any" then lets everyone in unauthenticated.
Order deny,allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Satisfy Any

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: logs and tmp folders outside root

Post by PhilD » Sun Dec 18, 2011 7:32 pm

First you create the password protection on the administrator directory from your domains control panel. This creates the htaccess file within the administrator directory.

Then test it to make sure it operates properly.

Then if desired edit the htaccess file that was created within the administrator directory.
adding:
Allow from xxx.xxx.xxx.xxx
Satisfy Any
where xxx.xxx.xxx.xxx is your ip address of your home computer

If your host does not know how to assist with this simple edit to the htaccess file within the administrator directory, and cannot make basic password protection on a directory 'work', then find another host.
PhilD
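
The "Allow from <ip>" plus "Satisfy Any" recipe has a caveat worth checking before relying on it. On Apache 2.2 (the version these directives belong to; 2.4 replaced them with Require ip and RequireAny) the default is Order deny,allow, and with that order a client that matches no Deny directive passes the host check. Satisfy Any grants access when either the host check or Basic auth succeeds, so a fragment with an Allow line but no Deny line waives the password for every client, not just the listed address. The Python below is an added example (not from this thread, not Apache code) that parses the relevant directives out of two constructed administrator/.htaccess variants and evaluates them with the documented 2.2 decision rules; the paths and the 203.0.113.10 / 198.51.100.7 addresses are placeholders.

```python
import ipaddress

# Two administrator/.htaccess variants, constructed for this example.
# WEAK is the shape discussed in this thread: the control-panel-generated
# Basic auth block with "Allow from <ip>" and "Satisfy Any" appended.
WEAK_HTACCESS = """\
AuthGroupFile /dev/null
AuthName "Admins Only!"
AuthType Basic
AuthUserFile /home/example/.htpasswd
require valid-user
Allow from 203.0.113.10
Satisfy Any
"""

# FIXED adds an explicit deny-by-default so that only the listed address
# satisfies the host check and everyone else must present credentials.
FIXED_HTACCESS = """\
AuthGroupFile /dev/null
AuthName "Admins Only!"
AuthType Basic
AuthUserFile /home/example/.htpasswd
require valid-user
Order deny,allow
Deny from all
Allow from 203.0.113.10
Satisfy Any
"""


def parse_access_directives(text):
    """Pull the Apache 2.2 access-control directives out of an .htaccess.

    Only Order, Allow/Deny from, Satisfy and Require are modelled; the
    defaults are Apache's own (Order deny,allow; Satisfy All).
    """
    cfg = {"order": "deny,allow", "deny": [], "allow": [],
           "satisfy": "all", "require": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        name = name.lower()
        if name == "order" and args:
            cfg["order"] = args[0].lower()
        elif name in ("allow", "deny") and len(args) >= 2 and args[0].lower() == "from":
            cfg[name].extend(a.lower() for a in args[1:])
        elif name == "satisfy" and args:
            cfg["satisfy"] = args[0].lower()
        elif name == "require":
            cfg["require"] = " ".join(args)
    return cfg


def _host_entry_matches(entry, client_ip):
    """Match one Allow/Deny argument: 'all', an address, a CIDR block, or a
    partial dotted prefix such as '192.168.1' (all accepted by Apache 2.2).
    Hostname arguments are not modelled."""
    if entry == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return client_ip.startswith(entry.rstrip(".") + ".")


def host_access_granted(cfg, client_ip):
    """mod_authz_host evaluation for Order deny,allow and Order allow,deny."""
    denied = any(_host_entry_matches(e, client_ip) for e in cfg["deny"])
    allowed = any(_host_entry_matches(e, client_ip) for e in cfg["allow"])
    if cfg["order"] == "deny,allow":
        # Everyone starts permitted; Deny forbids; a matching Allow re-permits.
        # With no Deny directive at all, every client passes this check.
        granted = True
        if denied:
            granted = False
        if allowed:
            granted = True
        return granted
    # allow,deny: everyone starts forbidden; Allow permits; Deny wins ties.
    granted = False
    if allowed:
        granted = True
    if denied:
        granted = False
    return granted


def request_allowed(cfg, client_ip, has_valid_credentials):
    """Combine the host check and Basic auth the way Satisfy does."""
    host_ok = host_access_granted(cfg, client_ip)
    auth_ok = has_valid_credentials if cfg["require"] else True
    if cfg["satisfy"] == "any":
        return host_ok or auth_ok
    return host_ok and auth_ok


def compare_variants(client_ip, has_valid_credentials):
    """Decision of both variants for one client: {'weak': bool, 'fixed': bool}."""
    return {
        "weak": request_allowed(parse_access_directives(WEAK_HTACCESS), client_ip, has_valid_credentials),
        "fixed": request_allowed(parse_access_directives(FIXED_HTACCESS), client_ip, has_valid_credentials),
    }


if __name__ == "__main__":
    for ip, creds in [("203.0.113.10", False), ("198.51.100.7", False), ("198.51.100.7", True)]:
        print(ip, "credentials" if creds else "anonymous", compare_variants(ip, creds))
```

The anonymous client from the unlisted address is the case to watch: the WEAK variant admits it, the FIXED variant does not. A quick live check after editing the file is to request /administrator/ from an address that is not on the Allow list and confirm you get a 401 challenge rather than the Joomla login page.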

joknight
Joomla! Enthusiast
Posts: 119
Joined: Sun Apr 13, 2008 8:40 pm

Re: logs and tmp folders outside root

Post by joknight » Fri Dec 18, 2015 2:46 pm

I'm setting up RSFirewall and they require the joomla tmp folder to be moved outside of public_html

Current excerpt from their troubleshooting guide (12/18/2015):

"A very well-known security practice is to set up this folder outside public HTML, in order to restrict access to it on the web. RSFirewall!'s System Check feature verifies the folder's path and notifies you whether it is set up in a safe manner or not."

I see these threads are old, has something changed? Is it now advisable to move the tmp directory?
Please clarify,
thank you

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: logs and tmp folders outside root

Post by Bernard T » Sat Jan 02, 2016 1:24 pm

joknight wrote: I see these threads are old, has something changed? Is it now advisable to move the tmp directory
If the path change won't break your website's functionality, for the reasons explained above, it's up to you to decide if you want to move it around.
If you get some errors try to solve them, in most cases it will be either extensions with hardcoded tmp folder path, PHP open_basedir restriction, or similar.
Consult your hosting provider's or RS Firewall's support for any further help.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: logs and tmp folders outside root

Post by mandville » Sat Jan 02, 2016 1:49 pm

if you see this topic, https://www.rsjoomla.com/forum/45-rsfir ... chtml.html you can see the issues and workarounds that need to be done for this practice

https://www.rsjoomla.com/support/docume ... -html.html
However, note that this isn't a simple copy and paste operation, certain modifications have to be made.
Of course direct file changes can be undone when an upgrade occurs.

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: logs and tmp folders outside root

Post by Bernard T » Sat Jan 02, 2016 4:49 pm

mandville wrote:if you see this topic, https://www.rsjoomla.com/forum/45-rsfir ... chtml.html you can see the issues and workarounds that need to be done for this practice
https://www.rsjoomla.com/support/docume ... -html.html
However, note that this isn't a simple copy and paste operation, certain modifications have to be made.
Of course direct file changes can be undone when an upgrade occurs.
Those instructions are bad, since "defines.php" files shouldn't and don't need to be hacked directly. One should create copies of the files and place them in the directory above the respective includes/ dir, in the Joomla webroot and administrator/ folders respectively. This will prevent them from being overwritten by a future upgrade.

