How to secure Lasso Admin pages


How to secure Lasso Admin pages

CoMedia
Dear list,

Has there ever been a decent discussion about what is the best way to secure the Lasso Admin pages (Database browser, SiteAdmin, etcetera)? I couldn't find it in the archives.

Right now the admin pages are at the obvious URL (e.g. http://www.mydomain.com/siteadmin.lassoapp) and all passwords are sent in the clear. I would like to give the admin its own subdomain (http://siteadmin.mydomain.com) and connect only through https. Any pointers?

Best regards, Alfred

Re: How to secure Lasso Admin pages

Bil Corry-3
CoMedia wrote on 5/1/2009 3:52 PM:
> Has there ever been a decent discussion about what is the best way to secure
> the Lasso Admin pages (Database browser, SiteAdmin, etcetera)? I couldn't
> find it in the archives.
>
> Right now the admin pages are at the obvious URL (e.g.
> http://www.mydomain.com/siteadmin.lassoapp) and all passwords are sent in the
> clear. I would like to give the admin its own subdomain
> (http://siteadmin.mydomain.com) and connect only through https. Any
> pointers?

I do this within my vhost to force the admin lassoapps to HTTPS:

    RewriteCond %{HTTPS} off
    RewriteRule (?i)^.*(ServerAdmin|SiteAdmin|DatabaseBrowser|GroupAdmin|LassoStudio).*\.LassoApp$ https://www.site.tld%{REQUEST_URI}


And I do this within LassoStartup to restrict access to specific IP addresses:

[

// This will restrict admin LassoApps to specified IPs

define_atBegin({

    if( response_filepath->endswith('.lassoapp') ); // only worry about LassoApps

        // List all authorized IP addresses here. Use a prefix match for a whole range:
        // a literal '100.100.100.*' string is compared verbatim and never equals a real address.
        if( client_ip != '127.0.0.1' && client_ip != '::1' && !(client_ip->beginswith('100.100.100.')) );

            if(
                // These are optional to lock down, just comment them out if you want to allow anyone to use them
                response_filepath->split('/')->last->beginswith('LJAX') ||
                response_filepath->split('/')->last->beginswith('RPC') ||
                response_filepath->split('/')->last->beginswith('Reference') ||

                // these should always be locked down
                response_filepath->split('/')->last->beginswith('DatabaseBrowser') ||
                response_filepath->split('/')->last->beginswith('GroupAdmin') ||
                response_filepath->split('/')->last->beginswith('LassoStudio') ||
                response_filepath->split('/')->last->beginswith('ServerAdmin') ||
                response_filepath->split('/')->last->beginswith('SiteAdmin')
            );

                // Replace the status line and the body, then stop before the LassoApp runs
                content_header->replace('200 OK','403 Forbidden');
                content_body = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
                <html>
                    <head>
                        <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
                        <title>Restricted Access</title>
                    </head>
                    <body style="background: white;">
                        <h1>Error</h1>
                        You are not authorized to access administrative LassoApps.
                    </body>
                </html>';

                abort;

            /if;
        /if;
    /if;

});

]



- Bil


--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/
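As an added example (not code from the original post and not part of Lasso or LassoSoft's own product), the same two-layer policy modelled in Python so the matching rules can be exercised offline before they are put into a vhost and LassoStartup: the first layer redirects admin LassoApps requested over plain HTTP to HTTPS, the second returns 403 to any client outside the allow-list. The hostname www.site.tld and the LassoApp name prefixes are taken from Bil's rules; the allow-listed networks, the 301 status and the function names are assumptions. It goes slightly beyond the post by doing the range check with a real network object, which is what the literal '100.100.100.*' string in the Lasso version would need to be.

```python
import ipaddress

# Assumed values (not from the original post): the admin hostname and the
# allow-listed networks. Bil's '100.100.100.*' is expressed as a CIDR prefix.
ADMIN_HOST = "www.site.tld"
ALLOWED_NETWORKS = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("100.100.100.0/24"),
]

# Same LassoApp name prefixes as the post. Matching is case-insensitive, as
# the (?i) in the rewrite rule intends.
ALWAYS_LOCKED = ("DatabaseBrowser", "GroupAdmin", "LassoStudio", "ServerAdmin", "SiteAdmin")
OPTIONALLY_LOCKED = ("LJAX", "RPC", "Reference")
LOCKED_PREFIXES = tuple(p.lower() for p in ALWAYS_LOCKED + OPTIONALLY_LOCKED)

FORBIDDEN_BODY = b"<h1>Error</h1>You are not authorized to access administrative LassoApps."


def is_admin_lassoapp(path: str) -> bool:
    """True when the requested file is a LassoApp whose name starts with a locked prefix."""
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith(".lassoapp") and name.startswith(LOCKED_PREFIXES)


def client_allowed(client_ip: str) -> bool:
    """Network-aware allow-list check; anything unparseable fails closed."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def check_request(scheme: str, path: str, client_ip: str):
    """Return (status, headers, body) for one request, applying the two layers in order.

    1. vhost rewrite: admin LassoApps over plain HTTP are redirected to HTTPS.
    2. define_atBegin: admin LassoApps from a non-allow-listed IP get 403.
    Anything that is not an admin LassoApp is handed through untouched.
    """
    if not is_admin_lassoapp(path):
        return 200, {}, b""
    if scheme != "https":
        return 301, {"Location": f"https://{ADMIN_HOST}{path}"}, b""
    if not client_allowed(client_ip):
        return 403, {"Content-Type": "text/html; charset=utf-8"}, FORBIDDEN_BODY
    return 200, {}, b""


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for req in [("http", "/siteadmin.lassoapp", "100.100.100.37"),
                ("https", "/siteadmin.lassoapp", "100.100.100.37"),
                ("https", "/lasso/DatabaseBrowser.LassoApp", "203.0.113.9"),
                ("https", "/shop.lassoapp", "203.0.113.9")]:
        print(req, "->", check_request(*req)[0])
```

Two points worth keeping in mind when moving this back into Lasso: `define_atBegin` runs for every request, so the 403 is enforced whichever URL the admin apps are reached through, and `client_ip` is the address of whatever connects to Lasso, so behind a reverse proxy the allow-list sees the proxy rather than the administrator and must be applied at the proxy instead.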



Re: How to secure Lasso Admin pages

CoMedia

I had already thought in this direction, but didn't realise I could use the define_atBegin tag for this. As always with Bil's solutions, it works like a charm! Thanks, Bil. --Alfred