
Securing Your Installation

In its current version, GTD-PHP leaves security features and access restrictions to be administered purely via the configuration of the web-server: the package is just as secure as you make your web-server; no more, and no less.

There are probably a million different scenarios of usage and access, each with its own configuration, so to keep things short this document concentrates on a few common and most useful securing techniques.

Trusted environment

If you're installing GTD-PHP in a trusted environment, where either you're the only one who will have access to its pages, or you know everyone who could potentially have access and can tell them to keep their hands off, then you probably don't need much additional security. This type of installation includes the following scenarios:

  • localhost installation, e.g. your personal computer or laptop
  • intranet installation, accessible only on a local area network

Consider the situation carefully and if you still feel that your GTD-PHP installation should have a password-protected access, read on.

Limiting access on public servers

Whenever installing GTD-PHP on a publicly accessible server, where possibly anyone can open its pages, you need to use Apache's features (or those of your server of choice) to ensure access is limited to you only. This scenario includes:

  • shared, virtual hosting
  • dedicated servers
  • private servers, accessible from the outside
  • localhost installations on computers within large local networks (you wouldn't like your co-workers messing with your system, would you?)

Apache has an extensive article on access control, which you can study to find the right scenario for you.

In short, you must first create a password file by executing the following command (substituting the path and login you want to use):

  htpasswd -c /path/to/file/.htpasswd [login_name]

The path should point to a directory which is readable by Apache but not accessible from the web. If you can't achieve that, i.e. on shared hosting, put it in any directory, create a file in it named .htaccess and put the following lines inside, so that the web-server refuses to serve the password file:

  Order deny,allow
  Deny from all

Running the htpasswd command above will ask you for a password for the given login and afterwards create the file (the -c switch creates the file; leave it out when adding further logins to an existing password file, otherwise it will be overwritten).

With the password file in place, go into the directory where GTD-PHP is installed and create a file there named .htaccess. Inside it put the following lines:

  Require valid-user
  AuthType Basic
  AuthName "GTD"
  AuthUserFile /path/to/file/.htpasswd

Save it and try opening your GTD-PHP. It should ask you for a login and password and after providing these successfully let you in.

If, after doing the above, you receive notices of server errors (especially the 500 error), first check your .htaccess syntax. If all appears correct, contact your server administrator, since the cause of the problem may be a limitation on user-access set-up, which the administrator can change.

Intranet and extranet access combined

If you happen to be using a private server, which you would like to be easily accessible on a local network, while having protected access to it from the outside as well, there's an easy tweak to the password protected access configuration. Open the .htaccess file for the GTD-PHP folder and put a few more lines in:

  Order deny,allow
  Deny from all
  Allow from 192.168.0.
  Satisfy Any

Change 192.168.0. to whatever your local network addressing is. The above lines, combined with the password protection from the previous section, will allow access to the system for any computer on the 192.168.0. network, while requiring all other computers to identify themselves with a proper login and password.
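The access decisions these directives produce, modelled as an added Python example (not part of the GTD-PHP wiki or of Apache itself): it covers both the password-only .htaccess from the previous section and the combined intranet/extranet one above, and shows why the Satisfy Any line matters, since with Apache 2.2's default Satisfy All the Deny from all line would lock remote users out even when they supply a valid password. USERS and LAN_RULES are constructed sample data.

```python
import hmac
import ipaddress

# Constructed stand-in for /path/to/file/.htpasswd. A real htpasswd file
# stores password hashes; plaintext is used here only to keep the model short.
USERS = {"alice": "correct horse battery staple"}

# Rules from the intranet/extranet .htaccess above. Apache's
# "Allow from 192.168.0." is a dotted-prefix match; CIDR is also accepted here.
LAN_RULES = ["192.168.0."]


def host_allowed(client_ip, allow_rules):
    """Order deny,allow + Deny from all + Allow from <rule>...:
    the client passes only if it matches one of the Allow rules.
    allow_rules=None means no host-based directives at all (everyone passes)."""
    if allow_rules is None:
        return True
    for rule in allow_rules:
        if "/" in rule:
            net = ipaddress.ip_network(rule, strict=False)
            if ipaddress.ip_address(client_ip) in net:
                return True
        elif client_ip.startswith(rule):
            return True
    return False


def user_authenticated(credentials):
    """Require valid-user: credentials must match an entry in USERS.
    compare_digest avoids leaking the password length via timing."""
    if credentials is None:
        return False
    user, password = credentials
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def access_granted(client_ip, credentials, allow_rules=None, satisfy="All"):
    """Combine both checks the way Apache 2.2's Satisfy directive does:
    'All' (the default) needs host AND user to pass, 'Any' needs either."""
    host_ok = host_allowed(client_ip, allow_rules)
    user_ok = user_authenticated(credentials)
    if satisfy.lower() == "any":
        return host_ok or user_ok
    return host_ok and user_ok
```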

SSL connections

Since your GTD-PHP may contain sensitive data, you probably wouldn't like anyone to be able to intercept your password when you log in and gain access. To make sure your login details remain safe, it is suggested that you secure your connections to the server hosting GTD-PHP with SSL, especially over the Internet. This section makes the following assumptions:

  • you know a bit about Apache
  • your GTD-PHP runs on a virtual host with the domain gtd.example.org (at least that's what we'll use in examples)
  • you have an SSL certificate for your server, either self-signed or bought from a CA

First make sure anyone accessing GTD-PHP is forced to use it through a secure connection, by permanently redirecting http requests to https. Add the following to your virtual host configuration file (substituting your server's IP):

  <VirtualHost [your_server_ip]:80>
      ServerName gtd.example.org
      ServerAlias *.gtd.example.org
      Redirect permanent / https://gtd.example.org/
  </VirtualHost>

Next, configure SSL for the https virtual host:

  <VirtualHost [your_server_ip]:443>
      [... ServerName, ServerAlias, DocumentRoot etc.]

      SSLEngine on
      SSLCertificateFile /path/to/cert.pem
      SSLCertificateKeyFile /path/to/key.pem

      <Location />
          SSLRequireSSL
      </Location>
  </VirtualHost>

Restart Apache and check your access. The browser should indicate that the connection is secured and you can safely browse GTD-PHP from anywhere in the world.

Page last modified on July 19, 2008, at 12:32 PM