I have few Joomla installs (as demos) and others live support, flash gallery and other apps in folders out of my main site (with AdminPro) how should I protect those?
#12055 Protecting other Joomla site on domain (used as demos)?
Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket
Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Environment Information
Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a
Latest post by on Sunday, 03 June 2012 18:00 CDT
Saturday, 21 April 2012 15:07 CDT
Chacapamac
Saturday, 21 April 2012 16:58 CDT
nicholas
Akeeba Staff
Manager
It's exactly what is discussed in the troubleshooter, I guess. Quick rundown of the process:
- In the main site's .htaccess Maker, add the directory names of the other sites into the "Allow direct access, including .php files, to these directories" area of .htaccess Maker, then click on Save and Create .htaccess.
- Install and configure Admin Tools on each and every of the other sites.
Please note that if some of those "children sites" are not running Joomla!, you can not protect them with Admin Tools. Admin Tools was designed to protect Joomla! sites and Joomla! sites only. It won't work on anything else.
- In the main site's .htaccess Maker, add the directory names of the other sites into the "Allow direct access, including .php files, to these directories" area of .htaccess Maker, then click on Save and Create .htaccess.
- Install and configure Admin Tools on each and every of the other sites.
Please note that if some of those "children sites" are not running Joomla!, you can not protect them with Admin Tools. Admin Tools was designed to protect Joomla! sites and Joomla! sites only. It won't work on anything else.
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Monday, 23 April 2012 06:07 CDT
Chacapamac
Thanks for your time Nick.
Really appreciated
My main site (in this case) is in a subfolder other joomla/non-joomla are in the public_html at the same level of the main site.
β What I probably do...
1- Cleanup all non use apps/site or whatever other unused stuff
2β install admin on all joomla sites
3 β Look at the htaccess created by admin and add the most important htaccess rule to the main htaccess in the root public_html.
Now I have to find exactly what are the most important rules...
Good day Akeeba!
Really appreciated
My main site (in this case) is in a subfolder other joomla/non-joomla are in the public_html at the same level of the main site.
β What I probably do...
1- Cleanup all non use apps/site or whatever other unused stuff
2β install admin on all joomla sites
3 β Look at the htaccess created by admin and add the most important htaccess rule to the main htaccess in the root public_html.
Now I have to find exactly what are the most important rules...
Good day Akeeba!
Monday, 23 April 2012 06:30 CDT
nicholas
Akeeba Staff
Manager
If you want to go with manual .htaccess files, search for "Master .htaccess Joomla," on Google. You will find the annotated version of my Master .htaccess which is used by Amin Tools' .htaccess Maker. It's much easier to figure out what I'm doing when you read the comments ;)
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Monday, 23 April 2012 08:17 CDT
Chacapamac
Thanks !
For other that are interested...
Joomla discussion on that file:
Joomla.org Discussion Forum about this htaccess...
Link to that file:
Your text to link here...
Monday, 23 April 2012 08:58 CDT
Chacapamac
Just a remark about the optimization part (Expiration controls and Etag)
I just look at the admin pro generated htaccess and I donβt see the Expire Headers and Etag showing in the suggested file...
The Etag in the suggested file are on the top part of the htaccess file (I guess they should be there...) and they are different than what I normally see
What I normally see:
My questions β>
β’ What is the right Etag settings between the two and should I insert it at the top or bottom spot in the htacces in the Custom .htaccess rules?
β’about the Expire Headesrs should I add someting like the example to the AdminPro generated in the Bottom Part in the Custom .htaccess rules?
I just look at the admin pro generated htaccess and I donβt see the Expire Headers and Etag showing in the suggested file...
The Etag in the suggested file are on the top part of the htaccess file (I guess they should be there...) and they are different than what I normally see
FileETag MTime Size
What I normally see:
Header unset Etag FileETag none
My questions β>
β’ What is the right Etag settings between the two and should I insert it at the top or bottom spot in the htacces in the Custom .htaccess rules?
β’about the Expire Headesrs should I add someting like the example to the AdminPro generated in the Bottom Part in the Custom .htaccess rules?
Monday, 23 April 2012 12:22 CDT
nicholas
Akeeba Staff
Manager
You have the wrong file. The version in the Joomla! wiki is VERY OLD and buggy. My Master .htaccess is here: http://akeeba.assembla.com/code/master-htaccess/git/nodes/htaccess.txt
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Monday, 23 April 2012 18:46 CDT
Chacapamac
Cool - Thanks a lot.
I think Admintools do not place these in the htaccess??
Looking at your htaccess master... I should place it not at the bottom but at the top ?
IN β> Custom .htaccess rules at the top of the filein the Htaccess Maker
Other parts that are not inserted by the [b]Htaccess Maker ?[/b]
I think Admintools do not place these in the htaccess??
########## Begin - ETag Optimization
## This rule will create an ETag for files based only on the modification
## timestamp and their size. This works wonders if you are using rsync'ed
## servers, where the inode number of identical files differs.
## Note: It may cause problems on your server and you may need to remove it
FileETag MTime Size
########## End - ETag Optimization
########## Begin - Optimal default expiration time
## Note: this might cause problems and you might have to comment it out by
## placing a hash in front of this section's lines
## Note: Some people prefer using "now plus 1 month" instead of "now plus 1 year".
## Suit to taste.
<IfModule mod_expires.c>
# Enable expiration control
ExpiresActive On
# Default expiration: 1 hour after request
ExpiresDefault "now plus 1 hour"
# CSS and JS expiration: 1 week after request
ExpiresByType text/css "now plus 1 week"
ExpiresByType application/javascript "now plus 1 week"
ExpiresByType application/x-javascript "now plus 1 week"
# Image files expiration: 1 month after request
ExpiresByType image/bmp "now plus 1 month"
ExpiresByType image/gif "now plus 1 month"
ExpiresByType image/jpeg "now plus 1 month"
ExpiresByType image/jp2 "now plus 1 month"
ExpiresByType image/pipeg "now plus 1 month"
ExpiresByType image/png "now plus 1 month"
ExpiresByType image/svg+xml "now plus 1 month"
ExpiresByType image/tiff "now plus 1 month"
ExpiresByType image/vnd.microsoft.icon "now plus 1 month"
ExpiresByType image/x-icon "now plus 1 month"
ExpiresByType image/ico "now plus 1 month"
ExpiresByType image/icon "now plus 1 month"
ExpiresByType text/ico "now plus 1 month"
ExpiresByType application/ico "now plus 1 month"
ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
ExpiresByType application/smil "now plus 1 month"
# Audio files expiration: 1 month after request
ExpiresByType audio/basic "now plus 1 month"
ExpiresByType audio/mid "now plus 1 month"
ExpiresByType audio/midi "now plus 1 month"
ExpiresByType audio/mpeg "now plus 1 month"
ExpiresByType audio/x-aiff "now plus 1 month"
ExpiresByType audio/x-mpegurl "now plus 1 month"
ExpiresByType audio/x-pn-realaudio "now plus 1 month"
ExpiresByType audio/x-wav "now plus 1 month"
# Movie files expiration: 1 month after request
ExpiresByType application/x-shockwave-flash "now plus 1 month"
ExpiresByType x-world/x-vrml "now plus 1 month"
ExpiresByType video/x-msvideo "now plus 1 month"
ExpiresByType video/mpeg "now plus 1 month"
ExpiresByType video/mp4 "now plus 1 month"
ExpiresByType video/quicktime "now plus 1 month"
ExpiresByType video/x-la-asf "now plus 1 month"
ExpiresByType video/x-ms-asf "now plus 1 month"
</IfModule>
########## End - Optimal expiration time
Looking at your htaccess master... I should place it not at the bottom but at the top ?
IN β> Custom .htaccess rules at the top of the filein the Htaccess Maker
Other parts that are not inserted by the [b]Htaccess Maker ?[/b]
Tuesday, 24 April 2012 03:20 CDT
nicholas
Akeeba Staff
Manager
You realise that .htaccess Maker has some configuration options, right? In order for that block of code to end up in the .htaccess you just need to enable the "Set default expiration time to 1 hour" option.
Remember that .htaccess Maker is merely a graphical user's interface to easily creating a .htaccess based on my Master .htaccess. You do not need to copy anything manually. You just have to read the manual and choose the options you need for your site :)
Remember that .htaccess Maker is merely a graphical user's interface to easily creating a .htaccess based on my Master .htaccess. You do not need to copy anything manually. You just have to read the manual and choose the options you need for your site :)
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Tuesday, 24 April 2012 08:41 CDT
Chacapamac
Understood Chief!
Thanks
Thanks
Friday, 04 May 2012 07:43 CDT
Chacapamac
I look at your file at Your text to link here...
Thanks for this...
You donβt have to answer this as it is not really an Akeeba problem.
Iβm trying to build an htacces for a joomla site in a subfolder (the main site), remark that other programs and demo joomla and non-joomla sites reside in other folders.
This is what I got so far
1β First My working 301 redirect to the subfolder
β> (Iβm still in discussion with experts if it is the best way, but it work... so far...)
Now I will add from your htaccess example what I think will help for security
Should I add between βRewriteEngine onβ and the first redirect the following code snippets (1-2) coming from your file (seem important for security) ?
And the following rule ...
And after end of all redirections
I dont know if these ones are necessary for Joomla in a subfolder (I have other Joomla site and programs in other folders in my publiv html)
OUT ?
########## Begin - Advanced server protection rules exceptions ####
β> ## Referrer filtering for common media files. Replace with your own domain.β> This one out?
β> ## Disallow visual fingerprinting of Joomla! sites (module position dump) β> This one out?
IN ?
β> ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine β> This one seem important?
OUT ?
β> ## Back-end protection β> This one out?
β> ## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory β> This one out?
β> ## Disallow front-end access for certain Joomla! system directories β> This one out?
β> ## Allow limited access for certain Joomla! system directories with client-accessible content β> This one out?
IN ?
β> ## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed β> This one seem important?
β> ## Disallow access to htaccess.txt and configuration.php-dist β> This one seem important?
β> ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @ β> This one seem important if you use SQli only?
β> ########## Begin - Basic antispam Filter, by SigSiu.net β> This one seem important?
Thanks for this...
You donβt have to answer this as it is not really an Akeeba problem.
Iβm trying to build an htacces for a joomla site in a subfolder (the main site), remark that other programs and demo joomla and non-joomla sites reside in other folders.
This is what I got so far
1β First My working 301 redirect to the subfolder
β> (Iβm still in discussion with experts if it is the best way, but it work... so far...)
# Copy and paste the following code into the .htaccess file
# in the public_html folder of your hosting account
# make the changes to the file according to the instructions.
# Replace MyDomain.com and /MySubfolder/ with the real names.
# Redirect to canonical hostname and rewrite to internal MySubfolder.
# Activate the rewrite engine
RewriteEngine on
# 1. Redirect non-canonical hostame requests to www.MyDomain.com
RewriteCond %{HTTP_HOST} !^(www\.MyDomain\.com)?$
RewriteRule (.*) http://www.MyDomain.com/$1 [R=301,L]
# 2. Rewrite root request to index file in MySubfolder
RewriteRule ^$ /MySubfolder/index.php [L]
#RewriteRule !. /MySubfolder/index.php [L]
# (pick one of the above two lines, they are equivalent)
# 3. Rewrite requests to MySubfolder
# If the request has not already been rewritten to /MySubfolder/
RewriteCond %{REQUEST_URI} !^/MySubfolder/
# and is not a request that is always handled by a file
RewriteCond %{REQUEST_URI} !(MySubfolder).\.(png|gif|jpe?g|css|js|zip|txt)$
# and does not actually exist as a file or folder
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# rewrite the request to be handled by the folder
RewriteRule (.*) /MySubfolder/$1 [L]
Now I will add from your htaccess example what I think will help for security
Should I add between βRewriteEngine onβ and the first redirect the following code snippets (1-2) coming from your file (seem important for security) ?
########## 1-Begin - No directory listings ## Note: +FollowSymlinks may cause problems and you might have to remove it IndexIgnore * Options +FollowSymLinks All -Indexes ########## End - No directory listings
And the following rule ...
########## Begin - Common hacking tools and bandwidth hoggers block
And after end of all redirections
########## Begin - Force HTTPS for certain pages
########## Begin - Rewrite rules to block out some common exploits
########## Begin - File injection protection, by SigSiu.net
I dont know if these ones are necessary for Joomla in a subfolder (I have other Joomla site and programs in other folders in my publiv html)
OUT ?
########## Begin - Advanced server protection rules exceptions ####
β> ## Referrer filtering for common media files. Replace with your own domain.β> This one out?
β> ## Disallow visual fingerprinting of Joomla! sites (module position dump) β> This one out?
IN ?
β> ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine β> This one seem important?
OUT ?
β> ## Back-end protection β> This one out?
β> ## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory β> This one out?
β> ## Disallow front-end access for certain Joomla! system directories β> This one out?
β> ## Allow limited access for certain Joomla! system directories with client-accessible content β> This one out?
IN ?
β> ## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed β> This one seem important?
β> ## Disallow access to htaccess.txt and configuration.php-dist β> This one seem important?
β> ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @ β> This one seem important if you use SQli only?
β> ########## Begin - Basic antispam Filter, by SigSiu.net β> This one seem important?
Friday, 04 May 2012 07:45 CDT
nicholas
Akeeba Staff
Manager
For a site in a subdirectory which is running Joomla! you have to include all of the sections. For a non-Joomla! site in a subdirectory you must remove the sections which you marked as "OUT" in your message above.
I hope that helps!
I hope that helps!
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Friday, 04 May 2012 09:13 CDT
Chacapamac
Thanks...
In fact, in my public_html I have both my main joomla site in a subfolder and other folders (at the same level that the main subfolder) with Joomla sites and other php programs and even html site.
Look like this:
public_html
.htaccess (main htaccess file with 301 redirect to βMain Site Folderβ
β’ Main site folder (with admin pro htaccess)
β’ Folder with demo joomla site (will update and install AdminPro on all)
β’ more Folders with applications and html sites
I guess I should use the non-joomla site protection in that case....
Really appreciate your input β Thanks Nicholas
In fact, in my public_html I have both my main joomla site in a subfolder and other folders (at the same level that the main subfolder) with Joomla sites and other php programs and even html site.
Look like this:
public_html
.htaccess (main htaccess file with 301 redirect to βMain Site Folderβ
β’ Main site folder (with admin pro htaccess)
β’ Folder with demo joomla site (will update and install AdminPro on all)
β’ more Folders with applications and html sites
I guess I should use the non-joomla site protection in that case....
Really appreciate your input β Thanks Nicholas
Friday, 04 May 2012 09:19 CDT
nicholas
Akeeba Staff
Manager
Yes, that's correct. You'll be trying to protect non-Joomla! sites :)
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Sunday, 03 June 2012 18:00 CDT
System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.