Admin Panel 2: Admin Panel Configuration

Revision as of 17:54, 26 June 2008 by Ric
Admin Panel 2

This page allows you to set up a username and password to access Admin Panel. To use this feature you need to activate it in the file /home/admin/www/.htaccess; I have provided a detailed description of how to do this, see below.

Defaults

Name        Default value
Username:   root
Password:   root

This form displays current settings, which is “root” for both name and password. When you choose your own make sure they are different.

After saving your user name/password pair you can find them in the file .htpasswd, which is located in folder *\Uniform Server\udrive\htpasswd\home\admin\www


Security

A very important point to note: for security reasons the folder htpasswd is placed outside of the root folder www. Apache only serves data from designated root folders. UniServer’s default installation has one public root folder, www; hence apanel's name and password cannot be served to the Internet.

Automatic protection

UniServer's admin root folder (*\Uniform Server\udrive\home\admin\www) contains a special file named .htaccess; it protects this root folder and all folders and files below it. The default Apache command settings within this file restrict access to localhost. The name/password pair set above has no effect until enabled in the .htaccess file, see below.

Name/password pair access

By enabling Apache commands in .htaccess you can force a user on your machine (or the Internet) to enter a name and password to gain access to the admin area.

Do not add your own Apache commands to this file. The file provided splits into three main sections; understanding their interaction is important, especially when you want to access apanel from the Internet. (For a production server I personally would not recommend Internet access to apanel, however the choice is yours.)


.htaccess - Apanel

The remainder of this section looks at the file .htaccess in more detail. It is a text file; to edit it, open it in any text editor, but never use a word processor: they add special characters and screw text files up badly.

Uniform Server uses several .htaccess files, each protecting a particular area of the server. This one protects apanel and can be found in folder: *\Uniform Server\udrive\home\admin\www

The file looks like this:

# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

# To disallow execution of cgi scripts in this directory comment next two lines.

AddHandler cgi-script .bat .exe .pl .cgi
Options +ExecCGI

#--
# Activate this to use the Admin Panel Feature!
#--
# To lock Admin Panel, uncomment the next 4 lines.
# Defaults: Username - root; Password - root

#AuthName "Uniform Server - Admin Panel 2.0"
#AuthType Basic
#AuthUserFile /htpasswd/home/admin/www/.htpasswd
#Require valid-user

I have split the above into three sections, describing each section in detail; at the end I have combined all three sections.


Localhost access to Apanel

The securest way to access apanel is using localhost (UniServer’s default). Note that the last three lines in section one, shown below, are uncommented, making them active. These three Apache instructions are what I would call a cosy little group, meaning you will always find them arranged this way.

The first line states that the next two instructions will be executed in this order: Deny and then Allow. If you had twenty Allow instructions followed by one Deny, all those Allow instructions would be ignored at first and the Deny would be executed. Apache would then look for the first occurrence of Allow and execute it.

You must have that first line. It is normal practice to write the next two instructions in the order stated.

Deny from all means just that: no one has access to the Apache server. Now we make one exception, Allow from 127.0.0.1; this is the localhost IP address (the PC that Apache is running on).

File .htaccess Located in folder *\Uniform Server\udrive\home\admin\www
Code Comment

# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Section 1) The last three lines are uncommented; this means they are active and protecting the folder where .htaccess resides and all its sub-folders.

Note: This is the default for all Uniform Servers .htaccess files.
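
The evaluation order described above can be checked with a small model. This is an added example, not part of Uniform Server or Apache; it follows the Apache 2.2 documentation for Order/Allow/Deny, and the function names and the address 203.0.113.7 (standing in for an Internet client) are assumptions made for illustration.

```python
import ipaddress

def matches(spec, client_ip):
    """True if one 'from' value covers client_ip. Only 'all', a full address
    and a CIDR network are modelled (Apache also accepts hostnames)."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def access_allowed(htaccess, client_ip):
    """Apply Order/Allow/Deny as documented for Apache 2.2 host access control."""
    order, allow, deny = "deny,allow", [], []      # Deny,Allow is Apache's default
    for raw in htaccess.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                                # blank or commented-out line
        key = words[0].lower()
        if key == "order" and len(words) == 2:
            order = words[1].lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    allowed = any(matches(s, client_ip) for s in allow)
    denied = any(matches(s, client_ip) for s in deny)
    if order == "deny,allow":
        # Deny rules first, Allow rules second: an Allow match overrides a Deny.
        return allowed or not denied
    # Order Allow,Deny: a Deny match overrides an Allow, and no match means denied.
    return allowed and not denied

# Constructed sample input: section 1 as shipped, shuffled, and commented out.
DEFAULT = "Order Deny,Allow\nDeny from all\nAllow from 127.0.0.1\n"
SHUFFLED = "Allow from 127.0.0.1\nDeny from all\nOrder Deny,Allow\n"
DISABLED = "#Order Deny,Allow\n#Deny from all\n#Allow from 127.0.0.1\n"
SWAPPED = DEFAULT.replace("Deny,Allow", "Allow,Deny")

if __name__ == "__main__":
    for name, text in [("default", DEFAULT), ("shuffled", SHUFFLED),
                       ("disabled", DISABLED), ("swapped order", SWAPPED)]:
        print(name, {ip: access_allowed(text, ip) for ip in ("127.0.0.1", "203.0.113.7")})
```

The shuffled file gives the same answers as the default, because the Order line, not the position in the file, decides which rule is applied last. Swapping the order to Allow,Deny locks out localhost as well.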


Internet access to Apanel

If you must have access to apanel over the Internet, enable password protection (see section three). You must also disable local protection by commenting out the last three lines in section one. Doing this allows public access; anyone on the Internet now has access to your admin panel's area. If you have enabled password protection they are restricted from this area until a name/password pair is entered.

File .htaccess Located in folder *\Uniform Server\udrive\home\admin\www
Code Comment

# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.

#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

Section 1) The last three lines are commented; this means they are inactive and not protecting the folder or its sub-folders.

Note: You MUST uncomment the last four lines in section 3) and have changed the name and password for apanel.


Script execution

For completeness I have included this section; however, you must not change any part of it, for correct operation of apanel and your server.

All root folders by default are not allowed to run cgi scripts. In order to run scripts you need to inform Apache accordingly; the two lines in htaccess section 2 do this.

Apache has no concept of user file extensions; your Perl scripts could have the extension .plug, .zap or whatever. To cater for this Apache has a number of small helper programs that handle this situation. The handler program for cgi scripts is named “cgi-script”; you pass information to this program by following the name with the file extensions that you are using for your scripts. For example, with cgi-script .zap .pl the handler program informs Apache that these files are cgi scripts and are to be treated accordingly.

To run the handler program it needs adding to Apache using the command AddHandler. As a user you need to inform Apache what you want to do with the scripts. You have two options: either to run or not run the scripts.

To allow execution of scripts you use the option +ExecCGI; the default is -ExecCGI.

File .htaccess Located in folder *\Uniform Server\udrive\home\admin\www
Code Comment

# To disallow execution of cgi scripts in this directory comment next two lines.

AddHandler cgi-script .bat .exe .pl .cgi
Options +ExecCGI

Section 2) DO NOT change this section; it allows execution of scripts and programs.

Note: Only shown for completeness.


Name Password Protection

The final section of htaccess deals with apanel name and password protection; by default this is disabled. If you have disabled localhost protection (see section 1) you must enable this section, otherwise anyone on the Internet can view and use apanel and destroy your server.

File .htaccess Located in folder *\Uniform Server\udrive\home\admin\www
Code Comment

#--
# Activate this to use the Admin Panel Feature!
#--
# To lock Admin Panel, uncomment the next 4 lines.
# Defaults: Username - root; Password - root

#AuthName "Uniform Server - Admin Panel 2.0"
#AuthType Basic
#AuthUserFile /htpasswd/home/admin/www/.htpasswd
#Require valid-user

Section 3) All lines are commented out; this becomes unsafe if you have disabled localhost protection, see section 1).

Note: This is Uniform Server's default; remember that localhost protection is enabled by default, hence it is safe.

Uncomment the last four lines to enable password protection. Any user trying to view apanel will be requested to enter a name and password. This is the name/password pair you entered from apanel using the above form.

File .htaccess Located in folder *\Uniform Server\udrive\home\admin\www
Code Comment

#--
# Activate this to use the Admin Panel Feature!
#--
# To lock Admin Panel, uncomment the next 4 lines.
# Defaults: Username - root; Password - root

AuthName "Uniform Server - Admin Panel 2.0"
AuthType Basic
AuthUserFile /htpasswd/home/admin/www/.htpasswd
Require valid-user

Section 3) The last four lines are uncommented; this enables name/password protection and makes it safer.

The first line, AuthName "Uniform Server - Admin Panel 2.0", contains text that is displayed in the authentication required pop-up window; change this to match your web site.

  • AuthType Basic - The name and password are not saved encrypted; plain text is used, which is why they are not stored in the root folder.
  • AuthUserFile /htpasswd/home/admin/www/.htpasswd - This is the path to apanel's password file and informs Apache where to find it.
  • Require valid-user - This informs Apache that authentication must be used to access this folder (apanel's pages).

Note: It's not just the root folder that is protected; all folders and files within it are protected. Typing the name of any page within apanel's folder directly into a browser will require authentication for first time access.


Summary - Apanel

To make it 100% clear I have shown two complete .htaccess files: the default for local access only, and the changes required for Internet access to apanel.

Local access (default)

File .htaccess Located in folder *\Uniform Server\udrive\home\admin\www
Code Comment

# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Section 1) The last three lines are uncommented; this means they are active and protecting the folder where .htaccess resides and all its sub-folders.

Note: This is the default for all Uniform Servers .htaccess files.

# To disallow execution of cgi scripts in this directory comment next two lines.
AddHandler cgi-script .bat .exe .pl .cgi
Options +ExecCGI

Section 2) DO NOT change this section; it allows execution of scripts and programs.

Note: Only shown for completeness.

#--
# Activate this to use the Admin Panel Feature!
#--
# To lock Admin Panel, uncomment the next 4 lines.
# Defaults: Username - root; Password - root
# AuthName "Uniform Server - Admin Panel 2.0"
# AuthType Basic
# AuthUserFile /htpasswd/home/admin/www/.htpasswd
# Require valid-user

Section 3) The last four lines are commented; this disables name/password protection.

Note: For local access there really is no point in enabling this section! If you like annoying pop-ups you can enable this, however its real purpose is for Internet access protection.

Internet access

File .htaccess Located in folder *\Uniform Server\udrive\home\admin\www
Code Comment

# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.
#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

Section 1) To allow access to apanel over the Internet, comment out the last three lines in this section.

  • You MUST uncomment the last four lines in section 3)
  • You MUST change the name and password for apanel.

# To disallow execution of cgi scripts in this directory comment next two lines.
AddHandler cgi-script .bat .exe .pl .cgi
Options +ExecCGI

Section 2) DO NOT change this section; it allows execution of scripts and programs.

Note: Only shown for completeness.

#--
# Activate this to use the Admin Panel Feature!
#--
# To lock Admin Panel, uncomment the next 4 lines.
# Defaults: Username - root; Password - root
AuthName "Uniform Server - Admin Panel 2.0"
AuthType Basic
AuthUserFile /htpasswd/home/admin/www/.htpasswd
Require valid-user

Section 3) To password protect apanel, uncomment the last four lines in this section.

  • You MUST have this enabled when you comment out the last three lines in section 1)
  • You MUST have changed apanel's name and password.

Note: Both local and Internet access will now require authentication.
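
The rules in this summary can be turned into a quick check of an edited file. This is an added example, not part of Uniform Server; the function names and state labels are assumptions made for illustration, and the .htpasswd layout of one plain-text name:password pair per line is assumed from the page's statement that plain text is used.

```python
AUTH_KEYS = ("authname", "authtype", "authuserfile", "require")  # section 3

def active_directives(text):
    """Map each directive that is not commented out to its argument strings."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            found.setdefault(name.lower(), []).append(args.strip().lower())
    return found

def audit_apanel(htaccess, htpasswd=""):
    """Return (state, warnings) for an apanel .htaccess, following the page's rules."""
    d = active_directives(htaccess)
    # Section 1 counts as active when both of its rules are live.
    local_only = "from all" in d.get("deny", []) and "from 127.0.0.1" in d.get("allow", [])
    missing = [k for k in AUTH_KEYS if k not in d]
    warnings = []
    if 0 < len(missing) < len(AUTH_KEYS):
        warnings.append("section 3 only partly uncommented, missing: " + ", ".join(missing))
    if local_only:
        return "local-only", warnings
    # Assumed .htpasswd layout: one plain-text "name:password" pair per line.
    if "root:root" in [l.strip() for l in htpasswd.splitlines()]:
        warnings.append("default root/root pair still in .htpasswd")
    if missing:
        warnings.append("section 1 disabled without section 3: apanel is public")
        return "OPEN", warnings
    return "internet-with-password", warnings

# Constructed sample input: sections 1 and 3 as printed on this page.
SECTION1 = "Order Deny,Allow\nDeny from all\nAllow from 127.0.0.1\n"
SECTION3 = ('AuthName "Uniform Server - Admin Panel 2.0"\nAuthType Basic\n'
            "AuthUserFile /htpasswd/home/admin/www/.htpasswd\nRequire valid-user\n")

def commented(block):
    """Prefix every line with '#', as the page does to deactivate a section."""
    return "".join("#" + line for line in block.splitlines(keepends=True))

if __name__ == "__main__":
    for name, text in [("default", SECTION1 + commented(SECTION3)),
                       ("internet", commented(SECTION1) + SECTION3),
                       ("unsafe", commented(SECTION1) + commented(SECTION3))]:
        print(name, audit_apanel(text, "root:root\n"))
```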



  Ric