How to use PHP-Nuke under SSL

SSL encrypts data at layer 6 of the OSI Model. SSL doesn't necessarily keep hackers out, but rather encrypts the data so that IF a hacker is listening, it renders the data useless to the hacker. SSL is mainly used for e-commerce but is not limited to it, so you can certainly use it with PHP-Nuke.

To install SSL on your system, you need the OpenSSL package and the Apache mod_ssl module.

SSL will, by default, slow a site down. The slowdown is not considerable, but it is there because of the encryption algorithms (don't worry, it's not a slowdown analogous to broadband vs. dialup).

SSL will NOT protect you from someone who knows the PHP-Nuke password of a user or is determined to apply the latest exploit to your site. It will only protect the traffic from eavesdroppers on the line. Nothing can totally protect you from this kind of attack, unless perhaps you sit the whole day in front of your computer, reading security advisories and taking action the very minute you read something about a new PHP-Nuke vulnerability. Of course you can take security measures for your site, but you should not conclude that your site is now secure just because you are using SSL!

After installing Apache with OpenSSL and mod_ssl to make your site more secure, you will be connecting to it with the HTTPS protocol and, accordingly, your site will be accessible as https://www.yoursite.com (notice the extra "s" after "http"). But now every page of your site pops up with a Security Information Alert like this:

This Page contains both secure and nonsecure items.
Do you want to display the nonsecure items?
Yes - No - More Info

Of course, this is normal after installation of SSL. The reason is that many PHP-Nuke blocks get their images from other sites. You will find that the browser pesters you with questions like the one above and will NOT display images, showing a broken key in their place, if the images come from outside the SSL domain.

The only solution to this annoyance is to write "SSL versions" of the relevant blocks that store the image in a local directory and then display the image from that directory, instead of from the remote one.

To save the image locally, you can use for example:

require_once "includes/SSL.php";
$myurl = "http://www.someremotesite.com/somedir/someimage.jpg";
$myfile = "localtmpdir/mylocalimage.jpg";
$content = "";
saveimage($myurl, $myfile, $content);

in the block code, where includes/SSL.php is

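<?php
// includes/SSL.php
// Cache a remote image in a local file so a block can serve it from the SSL domain.
function saveimage($imagefileurl, $tempfile, &$content) {
    // Refresh only if the local copy is missing or more than one hour old.
    if (!file_exists($tempfile) || time() - filemtime($tempfile) > 3600) {
        if (!($imagefile = fopen($imagefileurl, "rb"))) {
            $content .= "$imagefileurl could not be opened";
            return 0; // report the failure in the block instead of aborting the page
        }
        // fread() on a network stream returns one chunk per call, so read in a
        // loop and stop once about 300000 bytes have arrived.
        $imagecontent = "";
        while (!feof($imagefile) && strlen($imagecontent) < 300000) {
            $imagecontent .= fread($imagefile, 8192);
        }
        fclose($imagefile);
        if (!($localimagefile = fopen($tempfile, "wb"))) {
            $content .= "$tempfile could not be opened";
            return 0;
        }
        fwrite($localimagefile, $imagecontent);
        fclose($localimagefile);
    }
    return 1;
}
?>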

The idea is that we only download the remote file again if the local copy was last modified more than one hour (3600 sec.) ago.
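A hardened variant of the caching function, as an added example (not code from the original page or from PHP-Nuke). Because the cached copy is served from your SSL domain, it accepts only http/https URLs, caps the download size, checks that the body really is an image, and replaces the cache file atomically. The name saveimage_checked and the $maxbytes and $maxage parameters are hypothetical, and PHP 5.4 or later is assumed for getimagesizefromstring().

```php
<?php
// Added example (not from the page or from PHP-Nuke). saveimage_checked() and its
// $maxbytes/$maxage parameters are hypothetical; needs PHP >= 5.4.
function saveimage_checked($imagefileurl, $tempfile, &$content, $maxbytes = 300000, $maxage = 3600) {
    // Serve the cached copy while it is fresh.
    if (is_file($tempfile) && time() - filemtime($tempfile) <= $maxage) {
        return true;
    }
    // fopen() accepts any stream wrapper (file://, php://, ...); allow only web URLs.
    $scheme = strtolower((string) parse_url($imagefileurl, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        $content .= "Refused non-HTTP image URL";
        return false;
    }
    // Do not let a slow remote site stall the rendering of the whole page.
    $ctx = stream_context_create(array('http' => array('timeout' => 5)));
    $in = @fopen($imagefileurl, 'rb', false, $ctx);
    if ($in === false) {
        // The message ends up in block HTML, so escape the URL.
        $content .= htmlspecialchars($imagefileurl) . " could not be opened";
        return false;
    }
    // Read one byte past the cap so an oversized body is rejected, not truncated.
    $data = stream_get_contents($in, $maxbytes + 1);
    fclose($in);
    if ($data === false || $data === '' || strlen($data) > $maxbytes) {
        $content .= "Remote image empty, unreadable or larger than $maxbytes bytes";
        return false;
    }
    // The body must parse as an image of an expected type before it is cached.
    $info = @getimagesizefromstring($data);
    $allowed = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
    if ($info === false || !in_array($info[2], $allowed, true)) {
        $content .= "Remote file is not a GIF, JPEG or PNG image";
        return false;
    }
    // Write to a temporary name and rename, so visitors never get a partial file.
    $tmp = $tempfile . '.' . getmypid() . '.tmp';
    if (file_put_contents($tmp, $data) !== strlen($data) || !rename($tmp, $tempfile)) {
        @unlink($tmp);
        $content .= "Local cache file could not be written";
        return false;
    }
    return true;
}
```

It takes the same first three arguments as saveimage(), so a block can call it with the same $myurl, $myfile and $content.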

If you want to restrict SSL to certain directories for the above reasons, you will have to find a way to enforce the HTTPS protocol in some directories and enforce HTTP in others. Note that you will have to enforce HTTP on the directories that don't need encryption, otherwise a secure (and slow) connection will still be possible and your users might not notice that they are still using encryption in pages that don't matter (if they come to those pages from an encrypted page through a relative link, for example).

You can try mod_rewrite to force HTTPS on some URLs and force HTTP on others: using SERVER_PORT, you can check whether the current port is not 443 (the standard HTTPS port). Thus, to force HTTPS when entering the /dir/ directory, use:

# /dir/.htaccess
RewriteEngine On
# Not on the HTTPS port: redirect to the HTTPS URL
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.x.com/dir/$1 [R,L]

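And because HTTPS is slower than HTTP, take the users out of HTTPS mode when they leave the /dir/ directory. Keep in mind that a login cookie set on the HTTPS pages is also sent on the plain-HTTP pages unless it carries the Secure flag, so this split only protects the traffic inside /dir/:

# /.htaccess
RewriteEngine On
# On the HTTPS port: redirect back to the plain HTTP URL
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://www.x.com/$1 [R,L]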

The above code should be in a .htaccess file in the respective directory, but you can achieve the same result much faster if you have access to the web server configuration file and use the directive.

Configure PHP5 and MySQL (Local System)

The following is the way to configure PHP5 and MySQL:



a) Enable php_mysql.dll in php.ini and set extension_dir = C:\PHP\ext (this is the path where php_mysql is found).

Be 100% certain you are editing the proper php.ini*


b) Copy libmySQL.dll from the PHP folder to the Php/ext folder and also to the System32 folder. (This is the step most people miss.) Essentially it needs to be available on your system's PATH.



c) Ideally we'll edit the Windows system PATH environment variable to include the PHP dir. Doing so would, however, require a reboot of Windows, but in the end it is worth it, as it means all PHP files are in ONE directory, so upgrades are easy.


d) You also need to add PHPRC as a new field in the Windows system environment variables and give, as its "value", the path of your php.ini file.
To do steps c and d, right-click on My Computer --> Properties --> Advanced tab --> Environment Variables (at the bottom). Under the System Variables heading there is a line PATH; that's where we have to add the path for PHP, i.e. where PHP is installed.



For any other issues or clarification, please write back to me, or see the links below:
* http://php.net/manual/en/install.windows.manual.php
* http://php.net/manual/en/faq.installation.php

Fatal error: Call to undefined function: mysql_connect()


If you get this error (Fatal error: Call to undefined function: mysql_connect()), check your log files.

I was getting these error messages too, which was the main cause.
PHP Warning: Unknown(): Unable to load dynamic library '/usr/lib/php/domxml.so' - /usr/lib/php/domxml.so: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: Unknown(): Unable to load dynamic library '/usr/lib/php/imap.so' - /usr/lib/php/imap.so: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: Unknown(): Unable to load dynamic library '/usr/lib/php/mbstring.so' - /usr/lib/php/mbstring.so: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: Unknown(): Unable to load dynamic library '/usr/lib/php/mysql.so' - /usr/lib/php/mysql.so: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: Unknown(): Unable to load dynamic library '/usr/lib/php/pgsql.so' - /usr/lib/php/pgsql.so: cannot open shared object file: No such file or directory in Unknown on line 0

The reason that we are getting these errors is very simple:
PHP4 is not able to read the files mysql.so and the others.

The simple change that I made was just to rename the folder from /usr/lib/php4 to /usr/lib/php.

Configure Apache, MySQL, PHP (Windows)

How to setup the Apache Server on Windows

Requirement:

Microsoft Windows (www.microsoft.com)
Apache Server (www.apache.org) Download: Win32 Binaries (installer)
PHP (www.php.net) Download: Win32 Binaries (get zip, not installer)
mySQL (www.mysql.com) Download: Win32 Binaries (installer), find the latest

Install Apache Server/PHP/MySQL

1) Install MySQL first, so that it is stable and causes no problems when you run Apache Server for the first time. Run the MySQL installer that you downloaded. Make sure it installs to "C:\mysql" (default). Do not run it when you are finished with the installer! Wait until later.


2) Run the Apache Server installer that you downloaded. The newest version of Apache Server makes your life easier, but I am still going to teach you how to configure it. Install it to "C:\Program Files\Apache Group\Apache" (default). You can make up the values for boxes such as host name or email during installation, because you will configure them anyway when you are finished with the installer. Do not run it when you are finished with the installer! Wait until later.

3) Unzip (if you got the zipped version) or install (if you got the installer version) the PHP package that you downloaded. Make sure it is unzipped or installed to "C:\php" (default). Do not run it when you are finished with the installer! Wait until later.


Configuration Of The Apache Server

1) You will need to edit a file called httpd.conf in "C:\Program Files\Apache Group\Apache\conf". Open it with Notepad or your favorite editor. I am going to explain step by step how to edit it, and also why each edit is made, so that you can enable or disable these settings on your own in the future. The next steps search for, edit and replace a few lines.


2) Find "ServerAdmin webmaster@localhost.com" and replace the address with your email address. It is better to put your own email there, because when someone has a problem with your server they will see your email and can contact you.


3) Find "ServerName" or "#ServerName localhost" and replace it with "ServerName localhost". The file itself explains this setting very clearly where you find "ServerName".

4) Find "DirectoryIndex index.html" and replace it with "DirectoryIndex index.htm index.html index.php index.php3 index.phtml index.shtml index.cgi index.pl". This sets which file is served as the front page of www.domain.com. Commonly index.html is the front page. I added a lot of names so that I don't need to edit this file again. They are tried in order, which will recognize index.html first and index.pl last.

5) Find "Options Indexes FollowSymLinks MultiViews" and replace it with "Options Indexes FollowSymLinks Includes" if you want SSI (Server Side Includes) enabled; otherwise leave it as it is to keep SSI disabled. If you do want SSI, then change the order of the index files in the previous step to make index.shtml the first.

6) Find "AllowOverride None" right after "Options Indexes FollowSymLinks MultiViews" (above) and replace it with "AllowOverride All" so that .htaccess files are able to override settings in directories; otherwise leave it as it is.


7) Find "ScriptAlias /cgi-bin/ "C:/Program Files/Apache Group/Apache/cgi-bin/"" and add "ScriptAlias /php/ "c:/php/"" right after it. This will enable PHP in your Apache Server. You don't have to add it if you don't wish to add PHP.


8) Find " # And for PHP 4.x, use:" and add 2 lines, "AddType application/x-httpd-php .php .php3 .phtml" and "AddType application/x-httpd-php-source .phps", right after it. This makes Apache Server able to accept and serve files with the extensions php, php3 and phtml. Again, you don't have to add it if you do not wish to add PHP.


9) Find "#AddHandler cgi-script .cgi" and replace it with "AddHandler cgi-script .cgi .pl". The reason I added ".pl" is so that Apache Server will accept and serve files with either the cgi or the pl extension as Perl files. If you do not do this, .pl will be an unrecognized file extension and your users will be prompted to download the file instead of viewing it as a page. You can add a made-up extension like ".blah" and it will be handled like cgi and pl files.


10) Find "#AddType text/html .shtml" and replace it with "AddType text/html .shtml". This enables SSI, so you can leave it disabled if you don't wish to enable SSI.

11) Find "#AddHandler server-parsed .shtml" and replace it with two lines, "AddHandler server-parsed .shtml" and "AddHandler cgi-script .shtml". This enables the server to render both normal HTML-based includes as well as CGI scripts, so you can leave it disabled if you don't wish to enable SSI.


12) Find "# Format: Action handler-name /cgi-script/location" and add "Action application/x-httpd-php /php/php.exe" right after it. Apache needs to locate PHP's directory so that it is able to serve the PHP files. You don't have to add it if you don't want to have PHP in your Apache Server.


You are done configuring Apache Server!

Configuration Of mySQL

1) Run winmysqladmin.exe in "C:\mysql\bin".

2) After you run winmysqladmin.exe, the first thing you should see is a prompt for user and password. Create your local name (user) and password. You will have to remember them if you want something on your website to use mySQL.


3) Exit winmysqladmin.exe.

You are done configuring mySQL.

Configuration Of PHP

1) Find the php.ini-dist file in "C:\php" and rename it to "php.ini".

2) Open php.ini with Notepad or your favorite editor.


3) Find the line "extension_dir = ./" and change it to "extension_dir = "c:\php"".

4) Copy php.ini and paste it into "C:\windows" or "C:\winnt", or wherever you usually put your *.ini files, but the best idea is to put it in either "C:\windows" or "C:\winnt".


5) Copy msvcrt.dll and php4ts.dll from the PHP directory to "C:\windows\system" or "C:\winnt\system", or wherever you usually put your *.dll files, but the best idea is to put them in either "C:\windows" or "C:\winnt".


You are done configuring PHP!

First Time Run your Apache Server

You will need to reboot your machine when you are done with the above steps.
After that, Apache Server and mySQL should run automatically on Windows 2000 Professional. I doubt Apache Server will run automatically on Windows 95/98/98SE/ME, so you will have to start it yourself from the menu at "Start > Apache httpd Server > Control Apache Server > Start". *Warning: you will have to restart your Apache Server each time you edit Apache Server's system file.*


Anyway, let's begin to test your Apache Server, Perl, PHP and mySQL to see whether they are working. Here are a few more steps.

1) To test the Apache Server, open your browser and type "<>", "" or your IP address. If you don't get any errors, but see some text like "Apache blah blah" with an Apache image, then woohoo, everything is fine with Apache Server!


2) To test PHP/mySQL, copy the script below and save it as "test.php". Now you must remember the user and password that you created when you ran winmysqladmin.exe in the "Configuration Of mySQL" section. Replace "localhost" and "password" with the user and password that you created.







Be sure to put them both in "C:\Program Files\Apache Group\Apache\htdocs". This is the directory where you will put HTML, PHP, images and other files. Then type "http://localhost/test.php" in your browser.
If you don't get any errors, but see something like the three lines below:

mysql
mysql test
sample_db
Then it's DONE...!!!