plainblack.com

What to do if privileges on the uploads directory don't seem to work

NOTE:

This issue should be fixed in recent versions of the WRE 0.8.x via rewrite rules in the modproxy template file which check for the existence of a .wgaccess file. However, as of v0.8.5, the rewrite rule which checks for the .wgaccess file is wrong (see this support ticket). Replace the $ with a % in the 2nd rewrite rule to get this to work. Hopefully this problem will be addressed in the next release of WRE.

To fix all of the mod_proxy configuration files automatically, issue the following command from the command line as a user with write privileges to these files:

	sed -i 's/${DOCUMENT_ROOT}/%{DOCUMENT_ROOT}/' /data/wre/etc/*.modproxy

As always, make a backup before you proceed. The files to back up are in /data/wre/var/etc. After fixing your config files, restart modproxy.

Introduction

If anybody can access your files and images in the uploads directory regardless of the privileges you assign to them AND you are running the wre, the following is probably the case.

Why does it happen?

The wre consists of two webservers: one server that actually runs WebGUI, and another which is called a reverse proxy. The reverse proxy is where the actual requests from browsers arrive. What the proxy does is relay these requests to the WebGUI server. The WebGUI server responds to this relayed request by generating a page and sending that page back to the proxy server. The proxy, finally, relays the page back to the browser. This particular setup was chosen for performance reasons.

Now the proxy server is configured by default to bypass WebGUI when files are requested, for further performance gain. This gain comes from not having to build a session and do authentication when serving files. In other words, in the default wre configuration the proxy server does not relay requests for files in the uploads directory to the WebGUI server.

The drawback of this configuration is that the proxy server cannot do authentication for your files because it doesn't run WebGUI.

How do I fix it?

You'll have to tell the proxy server that requests for the uploads directory must be relayed to the WebGUI server too.

The configuration files are in the following directory:

	/data/wre/etc/

and are called:

	www.mysite.com.modproxy

where you should substitute www.mysite.com with the name of your site.

Now edit that file and find the following line:

	 RewriteRule ^/uploads/ - [L]

and disable it by putting a hash symbol (#) in front of it, like this:

	 # RewriteRule ^/uploads/ - [L]

Now save the file and restart the proxy server by issuing the following command so that your changes take effect.

If you run WRE 0.7, do: 

	/data/wre/sbin/rc.webgui restartmodproxy 

If you run WRE 0.8, do:

	 /data/wre/sbin/wreservice.pl --restart modproxy

Note that you must be root to be able to restart the server.

A bug report about this bug has been submitted.
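
The two conditions described on this page can be checked across all site configs with a short script. This is an added example, not part of the original page or of the WRE: it flags *.modproxy files that still contain the ${DOCUMENT_ROOT} form, or that have an active RewriteRule ^/uploads/ - [L] with no .wgaccess check at all. The function names, finding labels and sample configs are constructed, and the RewriteCond lines are a stand-in for the template's .wgaccess check, whose exact text is not shown on this page.

```shell
#!/bin/sh
# Added example: audit WRE *.modproxy files for the two conditions on this page.
# Prints "<file>: <FINDING>" per problem; prints nothing for a clean file.
audit_modproxy() {
    for f in "$@"; do
        # Drop commented-out directives: a leading "#" disables a rule.
        active=$(grep -v '^[[:space:]]*#' "$f" || true)
        # 1. The .wgaccess check written with $ instead of % (the v0.8.5 bug).
        if printf '%s\n' "$active" | grep -qF '${DOCUMENT_ROOT}'; then
            echo "$f: BROKEN_WGACCESS_CHECK"
        fi
        # 2. Uploads served directly by the proxy with no .wgaccess check at all.
        if printf '%s\n' "$active" | grep -qE 'RewriteRule[[:space:]]+\^/uploads/[[:space:]]+-[[:space:]]+\[L\]' &&
           ! printf '%s\n' "$active" | grep -qF '.wgaccess'; then
            echo "$f: UNCONDITIONAL_UPLOADS_BYPASS"
        fi
    done
}

# Constructed sample configs (hypothetical; not copied from a real WRE install).
make_samples() {
    dir=$1
    cat > "$dir/old.example.modproxy" <<'EOF'
RewriteEngine On
RewriteRule ^/uploads/ - [L]
EOF
    cat > "$dir/broken.example.modproxy" <<'EOF'
RewriteEngine On
RewriteCond ${DOCUMENT_ROOT}/uploads/.wgaccess !-f
RewriteRule ^/uploads/ - [L]
EOF
    cat > "$dir/fixed.example.modproxy" <<'EOF'
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}/uploads/.wgaccess !-f
RewriteRule ^/uploads/ - [L]
EOF
    cat > "$dir/relayed.example.modproxy" <<'EOF'
RewriteEngine On
# RewriteRule ^/uploads/ - [L]
EOF
}

# Demo on the samples; on a real host run: audit_modproxy /data/wre/etc/*.modproxy
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_modproxy "$demo_dir"/*.modproxy
rm -rf "$demo_dir"
```

A file that produces no output either relays uploads to WebGUI or guards the bypass with a .wgaccess check written in the % form.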

Keywords: configuration privileges proxy uploads wgaccess WRE

© 2018 Plain Black Corporation | All Rights Reserved