
All times are UTC




 Post subject: Settings in htaccess causing login and upgrading problems?
PostPosted: Fri Mar 03, 2017 6:29 pm 
Forum Members

Joined: Thu Dec 11, 2008 12:48 pm
Posts: 79
Location: Norway
Hi

Every time I manage to log into admin again after I've had to restore everything (except db) using a backup from January 27, I am locked out again after a few days (this time it took 9 days). During the time when I am actually able to log in, it's not possible to do an upgrade. So something is definitely wrong. No entry in error log, and host can't find anything wrong either.

Strange thing is that the only backup that works is the one from January 27, and none of the newer ones. I am beginning to wonder if settings in my htaccess might actually cause the problem, because every time after I've done a restore, I update the htaccess with my present settings.

I have two cmsms installations; one on the main domain and a mobile version on a subdomain of the same domain. When I get locked out it happens both places at the same time. Because of that, I wonder if the htaccess file on the main domain has a setting that affects both installations. I am not sure.

Is that a plausible cause for the problems I am describing? I would really appreciate any help with this.

Here is the htaccess file in question:

Code:
# BEGIN VALIDATE SSL
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^.well-known/pki-validation/fileauth.htm$ validate-ssl.txt [END]
</IfModule>
# END VALIDATE SSL

DirectoryIndex index.html index.php
Header set Connection keep-alive
Header append Vary "Accept-Encoding, User-Agent"

# Control amount of info included by browser
Header always set Referrer-Policy: strict-origin-when-cross-origin

# Only allow Iframe from the same domain
Header set X-Frame-Options "SAMEORIGIN"

# Prevent mime based attacks
Header set X-Content-Type-Options "nosniff"

# Turn on IE8-IE9 XSS prevention tools
Header set X-XSS-Protection "1; mode=block"

#Security disable headers
Header unset X-powered-by
Header unset Server

# Disable all cookies
Header unset Cookie
Header unset Set-Cookie

# Create the ETag (entity tag) response header field
FileETag MTime Size

# 1 YEAR
<FilesMatch "\.(ico)$">
Header set Cache-Control "max-age=29030400, public"
</FilesMatch>
 
# 1 WEEK
<FilesMatch "\.(jpg|jpeg|png|gif|svg|pdf|css|js)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
 
# 5 HOURS
<FilesMatch "\.(xml|txt|html|htm|php)$">
Header set Cache-Control "max-age=18000, public"
</FilesMatch>

SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

RewriteEngine On
# Redirect http://webpage to www.webpage
RewriteCond %{HTTP_HOST} !^www.webpage.no$ [NC]
RewriteRule ^(.*)$ http://www.webpage.no/$1 [L,R=301]
# Redirect server-IP to domain name
RewriteCond %{HTTP_HOST} ^2xx\.1xx\.2xx\.xx
RewriteRule ^(.*) http://www.webpage.no/$1 [R=301,L]

#Sub-dir e.g: /cmsms
RewriteBase /
# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA]

# prevent looping
RewriteCond %{HTTP_HOST} !^mobil\.webpage\.no$

# if the browser accepts these mime-types, it's definitely mobile, or pretending to be
RewriteCond %{HTTP_ACCEPT} "text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml" [NC,OR]

# a bunch of user agent tests
RewriteCond %{HTTP_USER_AGENT} "sony|symbian|nokia|samsung|mobile|windows ce|epoc|opera" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "mini|nitro|j2me|midp-|cldc-|netfront|mot|up\.browser|up\.link|audiovox" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "blackberry|ericsson,|panasonic|philips|sanyo|sharp|sie-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "portalmmm|blazer|avantgo|danger|palm|series60|palmsource|pocketpc" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "smartphone|rover|ipaq|au-mic,|alcatel|ericy|vodafone\/|wap1\.|wap2\.|iPhone|android" [NC]

# put your rewrite rules here
RewriteRule ^(.*)$ http://mobil.webpage.no/  [L,R=302]

#
# The following are highly recommended security settings for files in your CMSMS install that should not be browsed directly
#
<Files ~ "\.htaccess">
  Order allow,deny
  Deny from all
</Files>
<Files ~ "\.ini$">
  Order allow,deny
  Deny from all
</Files>
<Files ~ "\.log$">
  Order allow,deny
  Deny from all
</Files>
<Files ~ "config\.php">
  Order allow,deny
  Deny from all
</Files>
<Files ~ "/lib/*php">
  Order allow,deny
  Deny from all
</Files>

RedirectMatch 403 ^.*/lib/.*\.php$
RedirectMatch 403 ^.*/tmp/.*\.php$
RedirectMatch 403 ^.*/modules/(?!TinyMCE/responsive_filemanager/filemanager/).*\.php$
RedirectMatch 403 ^.*/uploads/.*\.php$

# Remove browser bugs
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

<Files 403.shtml>
order allow,deny
allow from all
</Files>
deny from 188.143.232.1
deny from 188.143.232.2/31
deny from 188.143.232.4/30
deny from 188.143.232.8/29
deny from 188.143.232.16/28
deny from 188.143.232.32/27
deny from 188.143.232.64/26
deny from 188.143.232.128/25

RewriteCond %{HTTP_REFERER} !^http://webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^http://mobil.webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://mobil.webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mobil.webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mobil.webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^https://webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https://webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^https://mobil.webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https://mobil.webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^https://www.webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https://www.webpage.no$      [NC]
RewriteCond %{HTTP_REFERER} !^https://www.mobil.webpage.no/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https://www.mobil.webpage.no$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]


LiteSpeed Server 6.10
Php 7.0
MySQL 5.6.35
CMS Made Simple version 2.1.6
All modules are latest versions:
AdminSearch
Captcha
CGExtensions
CMSContentManager
CMSMailer
DesignManager
FileManager
FormBuilder
Gbook
MenuManager
MicroTiny
ModuleManager
Navigator
News
Search
SiteMapMadeSimple
TinyMCE


Last edited by Trenia on Fri Mar 03, 2017 7:09 pm, edited 1 time in total.

 Post subject: Re: Settings in htaccess causing login and upgrading problem
PostPosted: Fri Mar 03, 2017 7:08 pm 
Dev Team Member

Joined: Tue Oct 19, 2004 6:44 pm
Posts: 7795
Location: Fernie British Columbia, Canada
Simple rule: Rules specified in .htaccess files apply to the directory of the .htaccess file AND all subdirectories.

So if you have one .htaccess file to cover multiple domains... then yeah, one .htaccess file could be causing your problem. But then, you haven't explained exactly what problem you are having. So I don't know.

If you suspect that something in your .htaccess is causing you problems then isolate the issue. Replace your .htaccess file with the sample one we provide. Or remove it altogether (up to you).

One hint: don't cache php files.

_________________
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.


 Post subject: Re: Settings in htaccess causing login and upgrading problem
PostPosted: Fri Mar 03, 2017 7:30 pm 
Forum Members

Joined: Thu Dec 11, 2008 12:48 pm
Posts: 79
Location: Norway
Thank you calguy1000 :) Much appreciated.

I do have a htaccess file for the subdomain as well, but didn't think of mentioning that. Sorry. Didn't know about not caching php files. Good to know. I will update. Thanks.

What do you mean I didn't exactly explain my problem? Please tell me what you would like to be specified. Trying my best here since I don't really know what's causing it (login and upgrading problem).


 Post subject: Settings in htaccess causing login and upgrading problems?
PostPosted: Thu Mar 16, 2017 11:13 pm 
Forum Members

Joined: Thu Dec 11, 2008 12:48 pm
Posts: 79
Location: Norway
SOLVED (?)

I had this setting in my htaccess that was causing login problems:

# Disable all cookies
Header unset Cookie
Header unset Set-Cookie

After removing both lines I was able to log in again, also on the mobile version on the subdomain.

When I run a website speed test at pingdom, I now get this: "Serve static content from a cookieless domain" Grade D (69/100)

Is there any other way to disable cookies, or maybe set cookies only for the admin login page or something? Or is cmsms dependent on setting cookies to work correctly?


 Post subject: Re: Settings in htaccess causing login and upgrading problem
PostPosted: Thu Mar 16, 2017 11:22 pm 
Dev Team Member

Joined: Tue Oct 19, 2004 6:44 pm
Posts: 7795
Location: Fernie British Columbia, Canada
Quote:
Or is cmsms dependent on setting cookies to work correctly?


This has been asked and answered many times, many ways before... but I'll do it one more time.

CMSMS uses session cookies. Both on the frontend and on the backend.

These cookies are absolutely required for the admin login and for installation and upgrades.

For the frontend... well, it depends on your site, and the functionality you are using. You would need to have intimate knowledge of each module you are using and whether or not it uses the session before you could determine whether you could disable all cookies (including the harmless session cookie) that CMSMS creates automatically.

_________________
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
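
A small checker for the two .htaccess problems identified in this thread: Set-Cookie stripped from PHP responses, and PHP pages served with a public Cache-Control. This is an added example, not code from the thread or from CMSMS; audit() and covers_php() are hypothetical names, and Python's re module only approximates how the web server matches FilesMatch patterns.

```python
import re

# Constructed sample: lines 1-3 and 8-10 are from the .htaccess posted in this
# thread; line 6 is an added, scoped variant for comparison.
SAMPLE = r'''# Disable all cookies
Header unset Cookie
Header unset Set-Cookie
<FilesMatch "\.(jpg|jpeg|png|gif|svg|pdf|css|js)$">
Header set Cache-Control "max-age=604800, public"
Header unset Set-Cookie
</FilesMatch>
<FilesMatch "\.(xml|txt|html|htm|php)$">
Header set Cache-Control "max-age=18000, public"
</FilesMatch>
'''

OPEN = re.compile(r'<FilesMatch\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</FilesMatch\s*>', re.I)
HEADER = re.compile(r'Header\s+(?:always\s+|onsuccess\s+)?(\w+)\s+"?([\w-]+):?"?(.*)', re.I)


def covers_php(pattern):
    """Approximate check: would this FilesMatch regex match a .php file name?"""
    try:
        return re.search(pattern, "index.php") is not None
    except re.error:
        return True  # pattern Python cannot parse: assume it covers PHP


def audit(text):
    """Return [(line_no, message)] for directives that affect PHP responses."""
    findings, scope = [], None  # scope None = applies to every file in the tree
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        opened = OPEN.match(line)
        if opened:
            scope = opened.group(1)
        elif CLOSE.match(line):
            scope = None
        header = HEADER.match(line)
        if not header or (scope is not None and not covers_php(scope)):
            continue
        action, name, value = (g.lower() for g in header.groups())
        # "Header" edits response headers; Set-Cookie carries the session cookie.
        if action == "unset" and name == "set-cookie":
            findings.append((no, "Set-Cookie removed from PHP responses"))
        if name == "cache-control" and "public" in value:
            findings.append((no, "public Cache-Control on PHP responses"))
    return findings
```

On the sample, audit(SAMPLE) reports lines 3 and 9; the Set-Cookie removal on line 6 is not reported because its FilesMatch only covers static file types.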


 Post subject: Re: Settings in htaccess causing login and upgrading problem
PostPosted: Thu Mar 16, 2017 11:28 pm 
Forum Members

Joined: Thu Dec 11, 2008 12:48 pm
Posts: 79
Location: Norway
Thank you for taking the time to explain it once more :) I should have done a better job checking. Very relieved to have finally figured out what the problem was. Thank you for all help and patience.

Tom

