Post by Cloudeze » Wed Oct 25, 2017 2:45 am

Just installed my opencart 1.5.6.4 and notice in the "Basic Security Practices" http://docs.opencart.com/administration/security/ I need to create .htaccess in both catalog and system folder to protect "txt, php" but it's already included in the opencart .htaccess

Code: Select all

# Prevent Direct Access to files
<FilesMatch "\.(tpl|ini|log)">
 Order deny,allow
 Deny from all
</FilesMatch>
The only different noticed is the htaccess provided with the opencart download does not have FilesMatch for "php". Only "tpl,txt,log".

Do you guys think it's enough to add "php" in the root .htaccess or need to create a different .htaccess and put it in the catalog and system folders? Thanks.

Newbie

Posts

Joined
Sun Jul 16, 2017 12:23 am

Post by IP_CAM » Wed Oct 25, 2017 10:48 am

Well, my OpenCart SHOP-ROOT .htaccess file looks like this:

Code: Select all

<Files .htaccess>
order allow,deny
deny from all
</Files>

LimitRequestBody 750000

Options +SymLinksIfOwnerMatch

# Prevent Directory listing 
Options -Indexes

# Prevent Direct Access to files
<FilesMatch "(?i)(^\.|\.xml|\.txt|\.tpl|\.ini|\.log)">
Order deny,allow
Deny from all
</FilesMatch> 

# disable etags
FileETag none

# SEO URL Settings
RewriteEngine On

# If your opencart installation does not run on the Site ROOT folder,
# make sure you Folder it does run in, becomes by example: /shop/
RewriteBase /shop/

# whitelist of sites ALLOWED to access your content
# to activate, it requires to use your site name instead of:www\.)?evelo\.li(/) !!
# RewriteCond %{HTTP_REFERER} !^http://(www\.)?evelo\.li(/)?.*$  [NC]

#Force (http host) non www to www
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

RewriteRule ^sitemap.xml$ index.php?route=feed/google_sitemap [L]
RewriteRule ^googlebase.xml$ index.php?route=feed/google_base [L]
RewriteRule ^download/(.*) /index.php?route=error/not_found [L]
RewriteRule ^system/(.*) /index.php?route=error/not_found [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]

# Enable Gzip Compression
AddOutputFilterByType DEFLATE text/text
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript

# Leverage Browser Caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 1 month"
</IfModule>

#<IfModule mod_headers.c>
#Header always set X-FRAME-OPTIONS "DENY"
#</IfModule>

<IfModule mod_headers.c>
Header always set X-XSS-Protection "1; mode=block"
</IfModule>

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

# Remove Browser Bugs
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
And .htaccess files like this one below are usually
placed in the system/..., download/... + vqmod/... Sub:

Code: Select all

<Files *.*>
Order Deny,Allow
Deny from all
</FilesMatch>
and as you can see on the image below, GTMetrix has nothing to complain
about .htaccess - related/controlled doings !
Good Luck ;)
Ernie
---
Image

Attachments

gtmetrix_evelo_li_performance_test.jpg

gtmetrix_evelo_li_performance_test.jpg (186.33 KiB) Viewed 822 times


Ernie's OpenCart v.1.5.6.5 LIGHT + OpenShop Admin v.1.75 Test Sites
http://www.ebikes.li - http://www.evelo.li - http://www.openshop.li
Image


User avatar
Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by Cloudeze » Wed Oct 25, 2017 8:21 pm

Ok, thank you so much for your reply :) Do you have an other methods to secure my OC 1.5.6.4?

Newbie

Posts

Joined
Sun Jul 16, 2017 12:23 am

Post by IP_CAM » Wed Oct 25, 2017 8:47 pm

Well, I also use a .htaccess file in the Site ROOT Section, because all my
TestShops are placed in a Subdirectory. And this Root .htaccess file contains
the IP-Ranges of those, trying to sneak in, in some screwy ways. It also reroutes
incorrectly 'arriving' visitors, to make sure, that only one way of access exists,
by example http://www.myshop , and not http://myshop , to make sure,
that FontAwesome Icons will display.

Sample ROOT .htaccess

Code: Select all

Options +SymLinksIfOwnerMatch
SetEnvIfNoCase User-Agent "^Wget" bad_bot

<Limit GET POST>
   Order Allow,Deny
   Allow from all
   Deny from env=bad_bot
</Limit>

# Prevent Directory listing 
Options -Indexes

<Files *>
order allow,deny
allow from all
deny from 5.77.34.
deny from 37.59.
deny from 37.128.
deny from 46.161.
deny from 46.229.
deny from 47.90.
deny from 51.255.
deny from 63.243.
deny from 66.148.
deny from 69.49.
deny from 77.244.
</Files>

# SEO URL Settings
RewriteEngine On

#Force (http host) non www to www (optional)
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

#Force (https host) non www to www (optional)
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
In addition, I use 301 Redirect Pages For OpenCart
https://www.opencart.com/index.php?rout ... n_id=25864
https://www.opencart.com/index.php?rout ... h=redirect
to reroute those, trying to find out, if possibly some open Doors exist anywhere.
---
Image
---
Still, you better use OC v.1.5.6.5_rc, since 1.5.6.4 still had some misses, fixed in the
latest Release. It can be found here, among a few other goodies:
http://www.bigmax.ch/shop/index.php?rou ... ation_id=4
Just overwrite your existing Code, it will not harm anything !
That's about it. :D
Ernie

Attachments

redirect.jpg

redirect.jpg (68.75 KiB) Viewed 786 times


Ernie's OpenCart v.1.5.6.5 LIGHT + OpenShop Admin v.1.75 Test Sites
http://www.ebikes.li - http://www.evelo.li - http://www.openshop.li
Image


User avatar
Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by Cloudeze » Wed Oct 25, 2017 9:18 pm

Thank you soo much for your help. Appreciate you :) BTW, my products is downloadable, do you think my clients will not get any error when they download their product after adding .htaccess code in the /download folder?

Code: Select all

<Files *.*>
Order Deny,Allow
Deny from all
</Files>
Also, my shop still in the maintenance mode and notice some Guest IPs in the Customers Online Report tried something like that, I'm not sure where they found my shop because it's new.

Newbie

Posts

Joined
Sun Jul 16, 2017 12:23 am

Post by IP_CAM » Thu Oct 26, 2017 5:13 am

Well, this Script on the Product Page will automatically connect your Site to the World,
if you have the <?php if ($review_status) { ?> Setting activated, those Folks make
their living out of selling this kind of information ! :D

Code: Select all

<script type="text/javascript" src="//s7.addthis.com/js/250/addthis_widget.js"></script> 
And others will do the same as well, by example, if one uses externally hosted Fonts, Scripts,
or whatever. It's the price, one pays, to get all the stuff for free ! :laugh:
---
To the other matter, I never tested this, but basically, such .htaccess file only DENY a direct Access
to this Directory inside of your Shop Software, if called the 'regular' OC-way, it should work, I assume.
I would try, then you'll find out! :D
Ernie

Ernie's OpenCart v.1.5.6.5 LIGHT + OpenShop Admin v.1.75 Test Sites
http://www.ebikes.li - http://www.evelo.li - http://www.openshop.li
Image


User avatar
Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by Cloudeze » Thu Oct 26, 2017 5:41 am

IP_CAM wrote:
Thu Oct 26, 2017 5:13 am
Well, this Script on the Product Page will automatically connect your Site to the World,
if you have the <?php if ($review_status) { ?> Setting activated, those Folks make
their living out of selling this kind of information ! :D

Code: Select all

<script type="text/javascript" src="//s7.addthis.com/js/250/addthis_widget.js"></script> 
And others will do the same as well, by example, if one uses externally hosted Fonts, Scripts,
or whatever. It's the price, one pays, to get all the stuff for free ! :laugh:
thanks for reply, but really Confused!! ??? Please explain and advise me on this part, because I didn't get what you said. What are you talking about? Is it about the downloadable product, anyone will have access to all my downloadable files once they pay only one time? What about the javascript file you wrote?

Newbie

Posts

Joined
Sun Jul 16, 2017 12:23 am

Post by IP_CAM » Thu Oct 26, 2017 8:50 am

Well, the upper Part of my Posting is related to your site beeing indexed already.
And the lower Part is related with the download function, you just have to make tests
on this with htaccess either placed in the download subdirectory, or then not.
Good Luck ! ;)
Ernie

Ernie's OpenCart v.1.5.6.5 LIGHT + OpenShop Admin v.1.75 Test Sites
http://www.ebikes.li - http://www.evelo.li - http://www.openshop.li
Image


User avatar
Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by Cloudeze » Fri Oct 27, 2017 2:52 am

IP_CAM wrote:
Thu Oct 26, 2017 8:50 am
Well, the upper Part of my Posting is related to your site beeing indexed already.
And the lower Part is related with the download function, you just have to make tests
on this with htaccess either placed in the download subdirectory, or then not.
Good Luck ! ;)
Ernie
Ok. Thanks ;)

Newbie

Posts

Joined
Sun Jul 16, 2017 12:23 am
Who is online

Users browsing this forum: No registered users and 2 guests