Security and optimization

Author Message

Franck T.

Thursday 26 January 2006 8:45:07 am

Hello,
I'm about to publish an intranet site on ez 3.5.4 (Apache2 + Php 4.3.10 / Windows Server 2003).
I've read this article about security settings for a virtual host setup (http://ez.no/doc/ez_publish/technical_manual/3_6/installation/virtual_host_setup) but what for a 'normal' ezpublish installation?
For example, what about the best <Directory> rules ? Any example will be helpfull.

Franck T.

Friday 27 January 2006 12:19:44 am

Here is how I set my httpd.conf:


#Global restrictive access on DocRoot:
<Directory C:/web/site>
       Order Deny,Allow
       Deny from All
</Directory>

# To let access my ezSite:
<Directory C:/web/site/ezSite>
	<Files index.php>
		Order allow,deny
		Allow from all
	</Files>
</Directory>

Problem: this works on my test machine but not on my server !!
On the server, it seems that the templates are not loaded. The welcome page appears with no layout (but no errors from ezDebug).
Any idea about what's wrong ?

Marc Boon

Friday 27 January 2006 1:50:09 am

<Directory C:/web/site/ezSite>
	<Files index.php>
		Order allow,deny
		Allow from all
	</Files>
</Directory>

This rule means that the only file that can be accessed from the C:/web/site/ezSite directory is the file index.php. Your stylesheets and images cannot be loaded by the browser.

See http://ez.no/doc/ez_publish/technical_manual/3_6/installation/virtual_host_setup for apache configuration examples

Franck T.

Friday 27 January 2006 3:13:05 am

Thanks Marc, but as said in my first post, the virtual host system doesnt fit my needs. I prefer a classic apache configuration.
Now my problem is: is it possible to let people browse correctly the site while protecting/hiding all my internal ressources (images, script files, ...) ? How to configure apache in this way, out of the virtual host mode ?

Marc Boon

Friday 27 January 2006 3:46:28 am

In that case, you can use the .htaccess_root file in the ez publish install directory. This file should be renamed .htaccess in order to be effective. Apache should be configured with AllowOverride in order to work with .htaccess files.
You could also put the directives from .htacess_root in a <Directory> section in Apache's httpd.conf.

Franck T.

Friday 27 January 2006 6:13:43 am

Hey Marc, you know what? I'm happy...
Thanks a lot, indeed.

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.