Textpattern CMS support forum
Securing my textpattern installation
What’s the best way to secure my textpattern installation?
Can I e.g. HTTP auth protect it? Can “normal” people then post comments etc.?
Can I remove the “update” directory?
Re: Securing my textpattern installation
Hi,
Ruud gave me an .htaccess file to place in your textpattern directory to keep out prying eyes:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !textpattern(/setup)?/?$
RewriteCond %{REQUEST_FILENAME} !textpattern/((setup/)?index|css)\.php$
RewriteCond %{REQUEST_FILENAME} !textpattern/textpattern\.(css|js)$
RewriteCond %{REQUEST_FILENAME} !textpattern/txp_img/.+\.(jpg|gif|png)$
RewriteRule ^(.*) - [F]
</IfModule>
Normal people can post comments but I would turn on moderation.
Leave the update directory, it’s used when a new version comes out.
Last edited by hcgtv (2007-02-16 14:15:19)
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
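An added example (not part of hcgtv's or Ruud's post): the four RewriteCond patterns above evaluated against constructed paths, to show which direct requests the rule set lets through and which it answers with 403. The /var/www/site document root and the sample file names are assumptions made for the illustration.

```python
import re

# The four RewriteCond patterns from the .htaccess above, without the leading "!".
# Apache ANDs consecutive RewriteCond lines, so "RewriteRule ^(.*) - [F]" fires
# only when NONE of these patterns matches REQUEST_FILENAME. In .htaccess
# context REQUEST_FILENAME is the full filesystem path of the requested file.
ALLOW_PATTERNS = [
    r"textpattern(/setup)?/?$",
    r"textpattern/((setup/)?index|css)\.php$",
    r"textpattern/textpattern\.(css|js)$",
    r"textpattern/txp_img/.+\.(jpg|gif|png)$",
]
ALLOW = [re.compile(p) for p in ALLOW_PATTERNS]


def is_forbidden(request_filename: str) -> bool:
    """Return True if the rule set would answer 403 for this filesystem path."""
    # RewriteCond patterns are unanchored unless they use ^ or $, hence search().
    return not any(rx.search(request_filename) for rx in ALLOW)


# Constructed sample paths; /var/www/site is an assumed document root.
SAMPLES = [
    "/var/www/site/textpattern/",
    "/var/www/site/textpattern/index.php",
    "/var/www/site/textpattern/css.php",
    "/var/www/site/textpattern/setup/index.php",
    "/var/www/site/textpattern/textpattern.js",
    "/var/www/site/textpattern/txp_img/logo.gif",
    "/var/www/site/textpattern/config.php",
    "/var/www/site/textpattern/lib/txplib_db.php",
    "/var/www/site/textpattern/include/txp_article.php",
    "/var/www/site/textpattern/update/_update.php",
    "/var/www/site/textpattern/txp_img/notes.txt",
]


def audit(paths):
    """Map each path to 'allow' or '403' under the rule set."""
    return {p: ("403" if is_forbidden(p) else "allow") for p in paths}


if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(f"{verdict:5}  {path}")
```

The rules only filter HTTP requests, so index.php can still include() the files under lib/ and include/ that are refused when requested directly.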
#3 2007-02-17 08:19:05
- Mary
- Sock Enthusiast
- Registered: 2004-06-27
- Posts: 6,236
Re: Securing my textpattern installation
Leave the update directory, it’s used when a new version comes out.
As long as you put it (and its contents) back (before logging in) when a new version comes out, it can be safely removed in the meantime.
Last edited by Mary (2007-02-17 08:19:21)
Re: Securing my textpattern installation
hcgtv wrote:
Hi, Leave the update directory, it’s used when a new version comes out.
Can’t I just make the entire textpattern directory use HTTP auth?
Re: Securing my textpattern installation
I’m curious… what would be the advantage of using HTTP auth over using the authentication mechanism built into TXP? Is it only to prevent people from exploiting vulnerabilities that are not yet known and that can be abused without having to log into TXP?
The textpattern directory also contains css.php which supplies the style sheet to the browser, so if you use HTTP auth, then you’d have to exclude css.php from authentication or use a static stylesheet file in a different location.
Re: Securing my textpattern installation
ruud wrote:
I’m curious… what would be the advantage of using HTTP auth over using the authentication mechanism built into TXP? Is it only to prevent people from exploiting vulnerabilities that are not yet known and that can be abused without having to log into TXP?
Yes. To prevent people from exploiting bugs etc.
The textpattern directory also contains css.php which supplies the style sheet to the browser, so if you use HTTP auth, then you’d have to exclude css.php from authentication or use a static stylesheet file in a different location.
I don’t use the css.php so that won’t be an issue :)
#7 2007-02-20 13:54:08
- anoke
- Archived Plugin Author
- Registered: 2006-04-15
- Posts: 152
Re: Securing my textpattern installation
disclaimer: I don’t understand what I read and I’m fast at typing – I thought the topic was about securing the whole txp installation and not the textpattern/ directory. I’ll post the following anyway, it might still be useful. Sorry for the inconvenience…
This is how I secured the whole site.
<Directory /*your txp's location*/>
Options Indexes FollowSymLinks
DirectoryIndex index.php
AllowOverride None
DirectoryIndex index.php index.html
Options +FollowSymLinks
RewriteBase /*from your conf*
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]
RewriteRule ^(.*) index.php
# limitations
# One should end previous directory clause and
# begin a new one for /textpattern/ directory here.
# css.php should be after this section.
Order deny,allow
Deny from all
Allow from *friendly ips list*
AuthUserFile /*from your conf*/.htpasswd
AuthType Basic
AuthName "*your message*"
Require valid-user
Satisfy any
</Directory>
I haven’t tried this myself, but leaving the css.php outside the auth should work by adding the following after the </Directory>:
<Files css.php>
Order allow,deny
Allow from all
</Files>
Etc. Remember not to put the htpasswd file inside the txp directory. Server configuration might block viewing it but you can never be too sure IMHO. And if auth is new to some lurkers they might like reading the Apache 2 docs, an htaccess howto or another howto.
- When chickens are cold, they roost in trees; when ducks are cold, they plunge into water -
Re: Securing my textpattern installation
anoke wrote:
disclaimer: I don’t understand what I read and I’m fast at typing – I thought the topic was about securing the whole txp installation and not the textpattern/ directory. I’ll post the following anyway, it might still be useful. Sorry for the inconvenience…
I was actually just thinking about securing the /textpattern directory.
In Movable Type you can’t htaccess protect the Movable Type directory since it’s used for posting comments, and I just wanted to make sure that textpattern didn’t have the same limitation.
#9 2007-03-01 19:27:17
- Mary
- Sock Enthusiast
- Registered: 2004-06-27
- Posts: 6,236
Re: Securing my textpattern installation
It does – it loads up CSS if you use the Styles management. See anoke’s post.
Re: Securing my textpattern installation
Mary wrote:
It does – it loads up CSS if you use the Styles management. See anoke’s post.
Yes. I read that. I use plain CSS files outside of txp