Drupal and security

Discussion in 'Server Operation' started by Hans, Jun 16, 2006.

  1. Hans

    Hans Moderator ISPConfig Developer

    I have Drupal installed on my Debian server.

    First I received an internal server error, but after adding AllowOverride All in /etc/apache2/apache2.conf Drupal is up and running.
    I am not so happy with this option, because now users can override the Apache configuration with .htaccess files.

    Is there any other, more recommended setting to avoid the internal server error, so I can run Drupal?


    Here I show the modification within /etc/apache2/apache2.conf:

    <Directory /home/www/*/web>
    Options +Includes +FollowSymlinks -Indexes
    #===============HERE==============
    AllowOverride All
    #=================================
    Order allow,deny
    Allow from all

    <Files ~ "^\.ht">
    Deny from all
    </Files>
    </Directory>



    ---
    Hans
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There are two solutions:

    1) Check which Apache directives are in the Drupal .htaccess file and then allow just these directives with AllowOverride.

    2) Try to copy the content of the Drupal .htaccess file into the Apache Directives window of the website in ISPConfig and remove the .htaccess file.
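
till's first suggestion, sketched as an added example that is not part of the original thread: the script lists which AllowOverride classes a given .htaccess needs, so the Directory block can name those classes instead of All. The directive table is partial and the sample input is constructed (it is not Drupal's shipped file); section tags are skipped and only the directives inside them are counted.

```python
import re

# Directive -> AllowOverride class, taken from the "Override:" field of the
# Apache module docs. Partial table: extend it for the directives you use.
OVERRIDE_CLASS = {
    "rewriteengine": "FileInfo", "rewritecond": "FileInfo",
    "rewriterule": "FileInfo", "rewritebase": "FileInfo",
    "errordocument": "FileInfo", "addtype": "FileInfo",
    "directoryindex": "Indexes", "expiresactive": "Indexes",
    "expiresdefault": "Indexes", "options": "Options",
    "php_value": "Options", "php_flag": "Options",  # mod_php settings
    "order": "Limit", "allow": "Limit", "deny": "Limit",
    "authtype": "AuthConfig", "authname": "AuthConfig",
    "authuserfile": "AuthConfig", "require": "AuthConfig",
}

def needed_overrides(htaccess_text):
    """Return (sorted override classes, sorted unmapped directive names)."""
    classes, unmapped = set(), set()
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and section tags such as <IfModule>/<Files>;
        # the directives inside those sections are still counted.
        if not line or line.startswith(("#", "<")):
            continue
        name = re.split(r"\s+", line, maxsplit=1)[0].lower()
        if name in OVERRIDE_CLASS:
            classes.add(OVERRIDE_CLASS[name])
        else:
            unmapped.add(name)  # look these up by hand before relying on the result
    return sorted(classes), sorted(unmapped)

def allowoverride_line(htaccess_text):
    classes, _ = needed_overrides(htaccess_text)
    return "AllowOverride " + (" ".join(classes) if classes else "None")

# Constructed sample input, not Drupal's shipped .htaccess.
SAMPLE = """\
# constructed example
Options -Indexes
DirectoryIndex index.php
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule ^(.*)$ /index.php?q=$1 [L,QSA]
</IfModule>
FileETag None
"""
if __name__ == "__main__":
    print(allowoverride_line(SAMPLE), needed_overrides(SAMPLE)[1])
```

Any directive reported as unmapped (here FileETag, deliberately left out of the table) has to be checked against the Apache documentation before the narrowed AllowOverride line is used.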
     
  3. falko

    falko Super Moderator ISPConfig Developer

    I think the easiest way would be to leave the .htaccess file as it is and add this to the end of /etc/apache2/apache2.conf (or in the Apache Directives field of the Drupal web site):

    Code:
    <Directory /path/to/drupal/website>
    Options +Includes +FollowSymlinks -Indexes
    AllowOverride All
    Order allow,deny
    Allow from all
    <Files ~ "^\.ht">
    Deny from all
    </Files>
    </Directory>
    and revert your previous changes. Then only the Drupal web site would have AllowOverride All.
     
  4. brainz

    brainz Member

    Hi All,

    I know the 2 best guys have responded to this thread and I would hate to step on anyone's feet, but I felt that I had to submit to this thread...

    I don't know, but Falko and till might correct me with this suggestion, and I don't know, maybe this suggestion I'm going to make is a bit simple and perhaps not the best either, but it works....

    The suggestion is, with the .htaccess file, just rename it to htaccess.txt in the root directory. It works but maybe this is not the way to do it....

    Hope this helps

    Regards
    brainz :rolleyes::cool:
     
  5. Hans

    Hans Moderator ISPConfig Developer

    Another option

    Thanks Brainz for your reply, any suggestion is welcome.
    I wonder what Falko or Till have to say about your option...

    I have noticed that Falko's and Till's suggestion did not work for me.
    So I started to search this great forum again and I found another suggestion by Falko:

    Replace the .htaccess file provided by Drupal with a .htaccess file with these contents:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ /index.php?q=$1 [L,QSA]
    </IfModule>

    This works for me without the need to enable AllowOverride All within the file /etc/apache2/apache2.conf.

    I hope this option is safe enough, because I do not understand completely what this script does.


    ---
    Hans
     
    Last edited: Jun 17, 2006
  6. brainz

    brainz Member

    Ahhh, just a quick one.... Tried Falko's solution as well and it worked for me too.... Excellent...

    Regards
    brainz ;):cool:
     
  7. falko

    falko Super Moderator ISPConfig Developer

    I wouldn't do that because then you also have to change the Apache configuration to prevent anyone from downloading your htaccess.txt files.
     
  8. falko

    falko Super Moderator ISPConfig Developer

    It's safe, I'm using it myself. :)
     
