Jump to content
Froxlor Forum
  • 0

Global htpasswd for securing the froxlor root


Question

Hello,

 

Is it possible to generate a "global" .htpasswd with all froxlor customers to secure the directory where froxlor and other third-party apps like phpmyadmin, webftp or webmail are located. The idea is to get an additional security layer between outsiders and the system.

 

Thanks in advance!

Link to post
Share on other sites

6 answers to this question

Recommended Posts

  • 0

not from within the panel...but just add something like this to a manually created config file that you are able to include in apache.conf:

<Directory "/var/www/froxlor/">
  Options -Indexes
  AuthType Basic
  AuthName "Nothing here"
  AuthUserFile /etc/apache2/my-generated-user-passwd.htpasswd
  require valid-user
</Directory>
Link to post
Share on other sites
  • 0

Thanks you for your answer!

 

Of course I can create the files myself, but the problem is, that I have to distribute and control the passwords for that file. It would be great if the users actual password are stored in this file automatically and would be updated when the user changes his password. Then I could just use this file where I need it.

 

Is this worth a feature request?

Link to post
Share on other sites
  • 0

Well, given the information-leak yesterday, I'd vote for something additionally :)

 

Especially as phpMyAdmin and other additional apps do not provide features against brute-force-attacks, this would benefit all users and having to enter ones access-credentials twice would not do much harm anyways.

 

Authentication could be done using mysql (at least in apache) directly and I'd appreciate this additional layer of security.

 

Thank you in advance,

hk

Link to post
Share on other sites
  • 0

In an earlier post it was mentioned:

 

not from within the panel...but just add something like this to a manually created config file that you are able to include in apache.conf

 

I tried the following:

 

In the apache2.conf I added this:

 

IncludeOptional sites-enabled_froxlor/*.conf
 

In the newly created folder I added a file froxlor.conf with the following content:

 

<Directory "/var/www/froxlor/">
  Options -Indexes
  AuthType Basic
  AuthName "Restricted Area"
  AuthUserFile /etc/apache2/froxlor_htpasswd/froxlor.htpasswd
  require valid-user
</Directory>
 

The password file is stored in the /etc/apache2/froxlor_htpasswd/froxlor.htpasswd file.

 

However the Apache is not picking up the directions. It is reading the file froxlor.conf for sure. If for example the </Directory> is missing it gives an error message on restart.

 

My guess is, that it is ignored, because the file 10_froxlor_ipandport_xx.xxx.xxx.xx.xx.conf contains the <Virtual Host> including the <Director> options for the var/www/froxlor directory and

everything outside the Virtual Host is ignored.

 

Is there any possibility to get the Baisc Authentification working for the froxlor directory?

 

Thank you for any hint.

 

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Similar Content

    • By Pro-Webs
      Hallo,
      ich bin gerade dabei einen Shopware Shop v.5 unter nginx mit froxlor einzurichten.
      Das ist jedoch relativ problematisch.
      Aktuell habe ich im Froxlor folgende vHost Einstellung zur Domain:
      location @php { fastcgi_pass unix:/run/php/php7.2-fpm.sock; fastcgi_read_timeout 1500; } location ~ ^/(engine|files|templates|media/(archive|banner|image|music|pdf|unknown|video))/ { rewrite ^/files/documents/.* /engine last; location ~ \.(jpe?g|png|gif|css|js)$ { expires 1M; } } location / { index index.html index.php shopware.php; rewrite shopware.dll /shopware.php; rewrite files/documents/.* /engine last; #rewrite images/ayww/(.*) /images/banner/$1 last; rewrite backend/media/(.*) /media/$1 last; if (!-e $request_filename){ rewrite . /shopware.php last; } location ~ \.(jpe?g|png|gif|css|js)$ { rewrite backend/media/(.*) /media/$1 last; expires 1M; } } location ~ \.(tpl|yml|ini)$ { deny all; } location /install/ { location /install/assets { } if (!-e $request_filename){ rewrite . /install/index.php last; } } location /update/ { location /update/assets { } location /update/templates { } if (!-e $request_filename){ rewrite . /update/index.php last; } } location /recovery/install/ { location /recovery/install/assets { } if (!-e $request_filename){ rewrite . /recovery/install/index.php last; } } location /recovery/update/ { location /recovery/update/assets { } if (!-e $request_filename){ rewrite . /recovery/update/index.php last; } } location ~ ^/(logs|media/temp|bin|cache)/ { deny all; } location ~ \.php$ { try_files $uri =404; include /etc/nginx/fastcgi_params; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param HTTPS $fastcgi_https; fastcgi_param HTTP_AUTHORIZATION $http_authorization; } Diese Einstellung führt zu einem 500 error.
      Meine 35_froxlor_ssl_vhost_studio-ausruestung.de.conf sieht damit leider wie folgt aus:
      # 35_froxlor_ssl_vhost_studio-ausruestung.de.conf # Created 02.01.2020 14:30 # Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel. server { listen 91.250.82.51:443 ssl; server_name studio-ausruestung.de www.studio-ausruestung.de xn--studio-ausrstung-tzb.de *.xn--studio-ausrstung-tzb.de studioausruestung.de *.studioausruestung.de priolite-shop.com www.priolite-shop.com sirui-shop.de www.sirui-shop.de shooting-gutschein.de *.shooting-gutschein.de shooting-gutscheine.de *.shooting-gutscheine.de; ssl_protocols TLSv1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH; ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; ssl_certificate /etc/ssl/froxlor-custom/studio-ausruestung.de.crt; ssl_certificate_key /etc/ssl/froxlor-custom/studio-ausruestung.de.key; add_header Strict-Transport-Security "max-age=0"; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/ssl/froxlor-custom/studio-ausruestung.de.crt; include /etc/apache2/conf-enabled/acme.conf; access_log /var/customers/logs/klimek-studio-ausruestung.de-access.log combined; error_log /var/customers/logs/klimek-studio-ausruestung.de-error.log error; root /var/customers/webs/klimek/studio-ausruestung.de/shopware/; location / { index index.php index.html index.htm; try_files $uri $uri/ @rewrites; index index.html index.php shopware.php; rewrite shopware.dll /shopware.php; rewrite files/documents/.* /engine last; #rewrite images/ayww/(.*) /images/banner/$1 last; rewrite backend/media/(.*) /media/$1 last; if (!-e $request_filename){ rewrite . /shopware.php last; } location ~ \.(jpe?g|png|gif|css|js)$ { rewrite backend/media/(.*) /media/$1 last; expires 1M; } } location @rewrites { rewrite ^ /index.php last; } location /webalizer { alias /var/customers/webs/klimek/webalizer/studio-ausruestung.de/; auth_basic "Restricted Area"; auth_basic_user_file /etc/nginx/htpasswd/1-c3d3ffdab2b8342809d19524c21b98c1.htpasswd; } location ~ \.php { try_files /333c3697df6a41bcc37bccd05271f644.htm @php; } location @php { fastcgi_split_path_info ^(.+\.php)(/.+)$; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; try_files $fastcgi_script_name =404; fastcgi_index index.php; fastcgi_param HTTPS on; fastcgi_pass unix:/run/php/php7.2-fpm.sock; fastcgi_read_timeout 1500; } location ~ ^/(engine|files|templates|media/(archive|banner|image|music|pdf|unknown|video))/ { rewrite ^/files/documents/.* /engine last; location ~ \.(jpe?g|png|gif|css|js)$ { expires 1M; } } location ~ \.(tpl|yml|ini)$ { deny all; } location /install/ { location /install/assets { } if (!-e $request_filename){ rewrite . /install/index.php last; } } location /update/ { location /update/assets { } location /update/templates { } if (!-e $request_filename){ rewrite . /update/index.php last; } } location /recovery/install/ { location /recovery/install/assets { } if (!-e $request_filename){ rewrite . /recovery/install/index.php last; } } location /recovery/update/ { location /recovery/update/assets { } if (!-e $request_filename){ rewrite . /recovery/update/index.php last; } } location ~ ^/(logs|media/temp|bin|cache)/ { deny all; } } Man bemerkt u.a. das einige Konfigurationen doppelt vorhanden sind, da floxlor diese auch selbst generiert. Das könnte natürlich schon die Ursache des Fehler sein. Ich weiß nur leider nicht, wie ich es "besser" lösen kann.
      Die original .htaccess für den appache sieht folgende Konfiguration vor:
      php_value memory_limit 1024M php_value max_execution_time 600 php_value upload_max_filesize 20M php_value post_max_size 20M <IfModule mod_rewrite.c> RewriteEngine on #RewriteBase /shopware/ # Https config for the backend #RewriteCond %{HTTPS} !=on #RewriteRule backend/(.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] RewriteRule shopware.dll shopware.php RewriteRule files/documents/.* engine [NC,L] RewriteRule backend/media/(.*) media/$1 [NC,L] RewriteRule custom/.*(config|menu|services|plugin)\.xml$ ./shopware.php?controller=Error&action=pageNotFoundError [NC,L] RewriteCond %{REQUEST_URI} !(\/(engine|files|templates|themes|web)\/) RewriteCond %{REQUEST_URI} !(\/media\/(archive|banner|image|music|pdf|unknown|video)\/) RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ shopware.php [PT,L,QSA] # Fix missing authorization-header on fast_cgi installations RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L] </IfModule> <IfModule mod_alias.c> # Restrict access to VCS directories RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$) # Restrict access to root folder files RedirectMatch 404 /(autoload\.php|composer\.(json|lock|phar)|README\.md|UPGRADE-(.*)\.md|CONTRIBUTING\.md|eula.*\.txt|\.gitignore|.*\.dist|\.env.*)$ # Restrict access to shop configs files RedirectMatch 404 /(web\/cache\/(config_\d+\.json|all.less))$ # Restrict access to theme configurations RedirectMatch 404 /themes/(.*)(.*\.lock|package\.json|\.gitignore|Gruntfile\.js|all\.less|node_modules\/.*)$ </IfModule> # Staging environment #SetEnvIf Host "staging.test.shopware.in" SHOPWARE_ENV=staging # Development environment #SetEnvIf Host "dev.shopware.in" SHOPWARE_ENV=dev #SetEnv SHOPWARE_ENV dev DirectoryIndex index.html DirectoryIndex index.php DirectoryIndex shopware.php # Disables download of configuration <Files ~ "\.(tpl|yml|ini)$"> # Deny all requests from Apache 2.4+. <IfModule mod_authz_core.c> Require all denied </IfModule> # Deny all requests from Apache 2.0-2.2. <IfModule !mod_authz_core.c> Deny from all </IfModule> </Files> # Enable gzip compression <IfModule mod_deflate.c> AddOutputFilterByType DEFLATE text/html text/xml text/plain text/css text/javascript application/javascript application/json application/font-woff application/font-woff2 image/svg+xml </IfModule> <Files ~ "\.(jpe?g|png|gif|css|js|woff|woff2|ttf|svg|webp|eot|ico)$"> <IfModule mod_expires.c> ExpiresActive on ExpiresDefault "access plus 1 month" </IfModule> <IfModule mod_headers.c> Header append Cache-Control "public" Header unset ETag </IfModule> FileETag None </Files> # Match generated files like: # 1429684458_t22_s1.css # 1429684458_t22_s1.js <FilesMatch "([0-9]{10})_(.+)\.(js|css)$"> <ifModule mod_headers.c> Header set Cache-Control "max-age=31536000, public" </ifModule> <IfModule mod_expires.c> ExpiresActive on ExpiresDefault "access plus 1 year" </IfModule> </FilesMatch> # Disables auto directory index <IfModule mod_autoindex.c> Options -Indexes </IfModule> <IfModule mod_negotiation.c> Options -MultiViews </IfModule> <IfModule mod_php5.c> # php_value memory_limit 256M # php_value max_execution_time 120 # php_value upload_max_filesize 20M php_flag phar.readonly off php_flag magic_quotes_gpc off php_flag session.auto_start off php_flag suhosin.session.cryptua off php_flag zend.ze1_compatibility_mode off php_value always_populate_raw_post_data -1 </IfModule> # AddType x-mapp-php5 .php # AddHandler x-mapp-php5 .php <IfModule mod_headers.c> Header append X-Frame-Options SAMEORIGIN </IfModule>  
      Für Ideen und Vorschläge wäre ich wie immer sehr dankbar
    • By Boruch Weisfish
      Hi all,
       
      I am new to Froxlor and so far enjoying it but unsure how to use it and have a few questions.
      I have pointed an A record from my domain provider to the server and am able to access the web panel using the domain but my FTP client (filezilla) can't find it. Does it have a mail server built in or do I have to configure that. Can I use it as a nameserver? What ports does it  need to function (so I can setup my firewall) Thanks in advance for all your help.
    • By nisamudeen97
      Hi,
      Our froxlor server is behiend NAT and it uses the local IP  192.168.73.40.  We have enabled letsencrypt module in froxlor and tried validating SSL for a domain in the server.  SSL generation is getting failed with 403 error.  See the debug log information.      Replaced domain name and main IP.    Can any one help me regarding the issue.
       
      [information] Updating Let's Encrypt certificates [information] Updating domain-name.com [information] Adding SAN entry: domain-name.com [information] Adding SAN entry: www.domain-name.com [information] letsencrypt-v2 Using 'https://acme-v02.api.letsencrypt.org' to generate certificate [information] letsencrypt-v2 Using existing account key [information] letsencrypt-v2 Starting certificate generation process for domains [information] letsencrypt-v2 Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-order [information] letsencrypt-v2 Requesting challenge for domain-name.com [information] letsencrypt-v2 Got challenge token for domain-name.com [information] letsencrypt-v2 Token for domain-name.com saved at /var/www/froxlor/.well-known/acme-challenge/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k and should be available at http://domain-name.com/.well-known/acme-challenge/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k [information] letsencrypt-v2 Sending request to challenge [information] letsencrypt-v2 Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/803008408/k46kFQ [information] letsencrypt-v2 Verification pending, sleeping 1s [information] letsencrypt-v2 Verification pending, sleeping 1s [error] Could not get Let's Encrypt certificate for domain-name.com: Verification ended with error: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http:\/\/domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k [212.224.xxx.xxx]: \"<!DOCTYPE html>\\n<html lang=\\\"en-CA\\\" class=\\\"html_stretched responsive av-preloader-active av-preloader-enabled av-default-lightbox\"","status":403},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/803008408\/k46kFQ","token":"vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","validationRecord":[{"url":"http:\/\/www.domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","hostname":"www.domain-name.com","port":"80","addressesResolved":["212.224.xxx.xxx"],"addressUsed":"212.224.xxx.xxx"},{"url":"http:\/\/domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","hostname":"domain-name.com","port":"80","addressesResolved":["212.224.xxx.xxx"],"addressUsed":"212.224.xxx.xxx"}]} [information] Let's Encrypt certificates have been updated  
    • By Jason Szymanski
      Hallo,
       
      ich habe leider ein Problem mit Froxlor.
      Zu meiner Situation: Froxlor läuft auf der Subdomain web01.meinedomain.net
      Jetzt möchte ich die Domain aber auch noch weiter Nutzen und habe mich daher als Kunde angelegt und die Domain meineDomain.net als Domain hinzugefügt.
      Dort kann ich auch weitere Subdomains hinzufügen. Das scheint soweit auch zu klappen ich sehe das er VHosts anlegt und auch die Verzeichnisse im FTP anlegt.
      Wenn ich jetzt allerdings versuche auf meinedomain.net oder eine andere Subdomain unter dieser Domain zuzugreifen leitet er mich auf web01.meinedomain.net
      Ich habe mich schon in den Einstellungen umgeschaut konnte aber keine entsprechende Einstellung finden an der das liegen könnte.
      Wie verhindere ich also das er mich auf Froxlor umleitet?
       
      Mit Freundlichen Grüßen
      Jason Szymanski
    • By nisamudeen97
      Hi,
      Wile doing migration of email accounts from one froxlor server to another I have noting some thing.   Expecting some clarification on this.  As we all know emails are normally stored in the location "/var/customers/mail/user/domain.com/user/Maildir/" .   I create email accounts via froxlor panel and copy the email files directly via scp or rsync from old server to new.  The strange thing I have noticed is it is not coping custom folders and its emails like we have in source.  
      The solution I have found for this is to use imapsync between old and new.  imapsync is preserving custom folders like as it is in source.    Does it mean custom folder settings are stored somewhere else?  How we can preserve it and copy emails manually?
×
×
  • Create New...