Author |
Message |
gman04
New Member


Joined: Dec 06, 2004
Posts: 7
|
Posted:
Wed Dec 08, 2004 9:00 am |
|
Just installed Sentinel - Nuke 7.5 patched, Win2k3 IIS NOT Apache. Everything seems to be working fine.
But been reading all this .htaccess stuff and httpauth, cgiauth, which I assume I cannot use since it's an IIS server...? (bear with me I'm a noob).
Am I benefitting from the Sentinel protection on my server now? Is there a similar setup to this .htaccess httpauth stuff for my Windows server? THANKS MUCH! |
|
|
|
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Wed Dec 08, 2004 9:09 am |
|
You are correct in your assumption about .htaccess and .staccess. However, you should be able to use HTTPAuth as that is a function of the browser (HTTP Protocol). In your NukeSentinel administration panel, can you set HTTPAuth to yes? |
|
|
|
 |
gman04

|
Posted:
Wed Dec 08, 2004 9:18 am |
|
Can't seem to ... I just set all the httpauth p/w's for the admins (told me I had to) ...
Now in the Admin Auth pulldown there is only an option for "Off" and "Admin cgiauth" ... although I believe I recall it showing "httpauth" a few minutes ago? |
|
|
|
 |
Raven

|
Posted:
Wed Dec 08, 2004 9:19 am |
|
Let us look into this because it should be allowing HTTPAuth. |
|
|
|
 |
gman04

|
Posted:
Wed Dec 08, 2004 9:21 am |
|
K ...
is HTTPAuth something I have to activate on the web server perhaps? i.e. enable it in IIS (again noob here bear with me) - thanks much for the help! |
|
|
|
 |
Raven

|
Posted:
Wed Dec 08, 2004 9:30 am |
|
You may have to enable it in IIS, I don't know the product and have never used it. But, it should still NOT be showing CGIAuth and it SHOULD be showing HTTPAuth option as Yes. |
|
|
|
 |
Raven

|
Posted:
Wed Dec 08, 2004 9:36 am |
|
Try this just for grins and giggles. Using phpMyAdmin, edit the nsnst_config table. Find the setting httpauth and put a 1 in there. Let's see if that pops up the gray box when you try to go into admin.php. |
|
|
|
 |
gman04

|
Posted:
Wed Dec 08, 2004 9:41 am |
|
just tried it - set httpauth to 1 per above ... was able to hit admin.php w/o any authentication prompts.... |
|
|
|
 |
Raven

|
Posted:
Wed Dec 08, 2004 9:47 am |
|
Okay, it was worth a try. Also, will you look in your IIS setup/configuration to see if you have to do anything special for HTTPAuth to work? |
|
|
|
 |
gman04

|
Posted:
Wed Dec 08, 2004 10:08 am |
|
Just looked through everything in IIS - couldn't find anything specifically for HTTPauth
Did a quick google found some stuff - looks like my versions and everything are all correct ... the rest of this is greek to me on the PHP variable settings but maybe it'll make sense to you (some info on this page about httpauth and IIS)- http://us2.php.net/features.http-auth |
|
|
|
 |
gman04

|
Posted:
Wed Dec 08, 2004 10:35 am |
|
Well - one way to lock down the admin.php file - I just changed the perms on it to "deny" for the IIS guest internet account, and it required me to login with user account on the win2k3 box to get to the file, which I could.
I guess that would secure that file at least (I'll have to manually manage the users on the win box).... 'til we figure out the httpauth
but I guess this would bypass any benefits I get from sentinel  |
|
|
|
 |
Raven

|
Posted:
Wed Dec 08, 2004 11:56 am |
|
You have all the other which is protection from exploits. Also, it dawned on me that your php is compiled as CGI so that's why the auth settings aren't showing up. Anyway, try this
Code:
Regarding HTTP authentication in IIS with the php cgi 4.3.4, there's one more step. When using HTTP auth with the php CGI, you need to do the following things:
1. In your php.ini file, set "cgi.rfc2616_headers = 0"
2. In Web Site Properties -> File/Directory Security -> Anonymous Access dialog box, check the "Anonymous access" checkbox and uncheck any other checkboxes (i.e. uncheck "Basic authentication," "Integrated Windows authentication," and "Digest" if it's enabled.) Click OK.
3. In "Custom Errors", select the range of "401;1" through "401;5" and click the "Set to Default" button.
It's this last step that is crucial, yet not documented anywhere. If you don't, instead of the headers asking for credentials, IIS will return its own fancy but useless 'you are not authenticated' page. But if you do, then the browser will properly ask for credentials, and supply them in the $_SERVER['PHP_AUTH_*'] elements.
|
|
|
|
|
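Added example, not part of the original thread and not NukeSentinel's code: a standalone PHP page for checking that the three IIS steps in the post above took effect, meaning the browser shows its login box and PHP receives the credentials. It assumes PHP 5.6 or later; `DEMO_USER` and `DEMO_PASS` are constructed sample values, and the `HTTP_AUTHORIZATION` fallback assumes the server exposes that variable.

```php
<?php
// Added example: standalone check page, not NukeSentinel code.
// DEMO_USER / DEMO_PASS are constructed sample values.
const DEMO_USER = 'demo-admin';
const DEMO_PASS = 'constructed-sample-password';

// Return [user, pass, source], or null when the request carried no usable credentials.
function credentials_from_request(array $server)
{
    // Normal case: PHP has already decoded the Authorization header.
    if (isset($server['PHP_AUTH_USER'])) {
        $pass = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
        return [$server['PHP_AUTH_USER'], $pass, 'PHP_AUTH_*'];
    }
    // Fallback (assumption: the server exposes the raw header as HTTP_AUTHORIZATION).
    if (isset($server['HTTP_AUTHORIZATION'])
        && stripos($server['HTTP_AUTHORIZATION'], 'Basic ') === 0) {
        $decoded = base64_decode(substr($server['HTTP_AUTHORIZATION'], 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            // Limit 2: a password may itself contain ':'.
            list($user, $pass) = explode(':', $decoded, 2);
            return [$user, $pass, 'HTTP_AUTHORIZATION'];
        }
    }
    return null;
}

$creds = credentials_from_request($_SERVER);
// Evaluate both comparisons so the response does not depend on which field was wrong.
$userOk = $creds !== null && hash_equals(DEMO_USER, $creds[0]);
$passOk = $creds !== null && hash_equals(DEMO_PASS, $creds[1]);

header('Content-Type: text/plain');
if (!($userOk && $passOk)) {
    // The browser only shows its login box if this status and header reach it
    // unmodified, i.e. IIS does not substitute its own 401 error page.
    header('WWW-Authenticate: Basic realm="HTTPAuth check"');
    http_response_code(401);
    echo "401 from PHP: credentials missing or wrong.\n";
    exit;
}
echo "Authenticated; credentials arrived via {$creds[2]}.\n";
```

If the IIS "not authenticated" page appears instead of a login box, the 401 is being replaced before it reaches the browser, which is the symptom the third step addresses. Basic credentials are only base64-encoded on the wire, so serve the page over HTTPS.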
 |
gman04

|
Posted:
Wed Dec 08, 2004 10:13 pm |
|
Ahhh - ok I guess that would do it ...
I'll try the above and let you know the results. (btw -you're awesome Raven! thanks much for the speedy replies and assistance!!!!) |
|
|
|
 |
Raven

|
Posted:
Wed Dec 08, 2004 10:23 pm |
|
|
|
 |
|