Security with .htaccess on Linux

More
2 years 1 month ago #127293 by statman13
statman13 created the topic: Security with .htaccess on Linux
There are suggestions for increased security which might be left out by many users of Limesurvey:
manual.limesurvey.org/Installation_security_hints

It must be possible to define restrictions in .htaccess files for hosted limesurvey solutions (user is *not* root) to accommodate the level of security suggested by the guide. Defining restrictions in htaccess files is a more universal solution in a Linux environment. Please consider this as an option for users of Linux/MySQL. :)

Please Log in to join the conversation.

More
2 years 1 month ago #127302 by DenisChenu
DenisChenu replied the topic: Security with .htaccess on Linux
Yes, BUT : if server have some restriction : this can go to a 500 error.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happen ? Before make a new topic : remind the Debug mode .

Please Log in to join the conversation.

More
2 years 1 month ago #127322 by statman13
statman13 replied the topic: Security with .htaccess on Linux
I suppose you could test those limitations during installation.
Putting a file in a folder together with an appropriate .htaccess file and test access limitations.

It would take a lot of stress of the shoulders of the users.

Please Log in to join the conversation.

More
2 years 1 month ago #127331 by holch
holch replied the topic: Security with .htaccess on Linux
I think limiting access with .htaccess should be done by each linux server administrator for the individual server environment.

I'm not a LimeSurvey GmbH member. I answer at the LimeSurvey forum in my spare time. No support via private message.
Some helpful links: Manual (EN) | Question Types | Workarounds
The following user(s) said Thank You: DenisChenu

Please Log in to join the conversation.

More
2 years 2 days ago #128525 by htwsaar
htwsaar replied the topic: Security with .htaccess on Linux
Problem is that not every LS system administrator is the web server administrator, too.

And, not every .htaccess feature is allowed to be used on every web server by rules made by the web server administrator, not by the LS administrator.

I had that problem concerning my wishes to forbid admin login on LS from the public internet.
At the end, I had to do some changes to the php source to fulfill my needs.

Please Log in to join the conversation.

More
2 years 2 days ago #128528 by holch
holch replied the topic: Security with .htaccess on Linux
To install Limesurvey on your server, you need to be somehow a web server administrator. If you can upload the limesurvey files to install limesurvey, you should also able to upload .htaccess files.

If certain .htaccess features are not allowed to use, then even if the feature would be implemented in LS it wouldn't work. So I don't see much difference here. But maybe I am overlooking something.

I'm not a LimeSurvey GmbH member. I answer at the LimeSurvey forum in my spare time. No support via private message.
Some helpful links: Manual (EN) | Question Types | Workarounds

Please Log in to join the conversation.

More
2 years 2 days ago #128535 by htwsaar
htwsaar replied the topic: Security with .htaccess on Linux
There actually is a difference between to just be able to upload some files to a webspace and managing a whole Server with several virtual hosts etc.

LS could have its own security settings, not using .htaccess what is not always in the hands of the LS administrator.
That would help.

Please Log in to join the conversation.

More
2 years 1 day ago #128546 by DenisChenu
DenisChenu replied the topic: Security with .htaccess on Linux
I already use afterPluginLoad to add some script only for admin. This plugin event can be used to disallow access by some URL.

See : github.com/Shnoulle/Piwik-for-Limesurvey...PiwikPlugin.php#L214

Denis

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happen ? Before make a new topic : remind the Debug mode .

Please Log in to join the conversation.

Start now!

Just create your account and start using Limesurvey today.

Register now
Join our Newsletter!