Items filtered by date: December 2015
cPanel SSL SNI research
In a world where IPv4 addresses have run out SNI came along to allow multiple SSL certficates to be installed on 1 IP address. The protocol allowing this is SNI. cPanel is quite far behind the rest of the world and browsers in supporting this, however a basic implementation of this is now active in their stable releases. Below I will outline some of the issues I found.
What names should I have in my certificate
Beacause of the way cPanel handles subdomains and parked domains, a type of virtual host, you can only add a single SSL certificate per cPanel account and this only really supports www and non-www names. I have only verified the following occurs with subdomains but there is a high chance it is the same for parked domains.
When you make any HTTPS request to you website/account then the primary domain, with no subdomain, will be served irrespective of the domain name. This mean that only the content from the primary domain name i.e. https://quantumwarp.com/ will be served and by an accident https://www.quatumwarp.com/ would show the same content which is great for most peopel so they can choose between www and no-www version of their site without have ing to worry. https://search.quantumwarp.com/ would also show the content from https://quantumwarp.com/. Another note about this is that if you goto to https://search.quantumwarp.com/ to stop SSL errors, your SSL certificate need search.quantumwarp.com in its alternate names.
cPanel has support for SNI on mail services which is great but after research it onnly uses the primary domain name i.e. https://quantumwarp.com/.cPanel is going to add support for https://mail.quantumwarp.com/ in future versions.
StartSSL recommends that you set the non-www as the common name of your certificate and add the www version next.
What would I do
create a SSL certificate with the following names. This allows for all HTTPS features to work in cPanel.
quantumwarp.com = Common Name
www.quantumwarp.com
Other names
These are just some of my domain name ideas for the day cPanel properly supports SNI for multiple domains on one account.
- quantumwarp.com
- www.quantumwarp.com
- cpanel.quantumwarp.com
- whm.quantumwarp.com
- mail.quantumwarp.com
- webmail.quantumwarp.com
- search.quantumwarp.com
- demo.quantumwarp.com
Notes
- Authentication is required for IMAP, POP3, and SMTP.
- mail.quantumwarp is not allowed. You can use quantumwarp.com.
- You cannot use www.quantumwarp.com for SNI (it is a subdomain)
- you cannot use your own certificate for protected subdomains.
- You can only use your primary domain name for SNI
- sni support www and non-www domains for https
- There are a lot of updates in cpanel 60 ( i think they are adding mail.domain.com support)
- I dont know if SNI uses the common name or the non-www version. Good change it is the common name
- Always use root domain as common name.
- currently there is no support in cpanel for SNI sub domains
- "issue free DV certificates from Comodo" this is getting added in 58/60
- if you use a subdomain with a matching entry in the SSL certificate then when you access in on a https you r main site will display.
- if i just use quantumwarp.com as the common name then there will be no issue with using the subdomain for SNI
- the www domain is an alias of the main site but with the ability to use a vaild https entry much like any other subdomain. https subdomians will never show their own content the main site is always shown.
- only question is, is it the common anme that is used or specifically the non-www entry in which case the common name does not matter. a small issue. ( i could use lambretta innovation to test this at some point as their common name is www version)
You can use SMTP 465 and SSL || SMTP 587, 25, 26 TLS (remember this is starttls)
Horizontal Line
This element can be styled like all others and has preset styles by the browser.
/* hr styling */
hr {
margin: 20px 0;
border: 0;
border-top: 1px solid #eee;
border-bottom: 1px solid #fff;
}
Horizontal Type Line Behind Text
This is a cool little effect where you can put a line behine a title but the text remains unaltered.
EVENTS 2016
CSS
/**
* Horizontal Type Line Behind Text
* https://codepen.io/ericrasch/pen/Irlpm
* Inspired by this discussion @ CSS-Tricks: http://css-tricks.com/forums/topic/css-trick-for-a-horizontal-type-line-behind-text/#post-151970
* Available on jsFiddle: http://jsfiddle.net/ericrasch/jAXXA/
* Available on Dabblet: http://dabblet.com/gist/2045198
* Available on GitHub Gist: https://gist.github.com/2045198
*/
h1.background,
h2.background,
h3.background {
position: relative;
z-index: 1;
}
h1.background:before,
h2.background:before,
h3.background:before {
border-top: 2px solid #00AFB2;
content: "";
margin: 0 auto;
/* this centers the line to the full width specified */
position: absolute;
/* positioning must be absolute here, and relative positioning must be applied to the parent */
top: 50%;
left: 0;
right: 0;
bottom: 0;
width: 95%;
z-index: -1;
}
h1.background span,
h2.background span,
h3.background span {
/* to hide the lines from behind the text, you have to set the background color the same as the container */
background: #fff;
padding: 0 15px;
}
/* homepage CTA - how can we help */
.jsn-homepage h3.background:before {
border-top: 2px solid #fff;
}
.jsn-homepage h3.background span {
background: #00AFB2;
}
/* About page - Main content */
.jsn-itemid-344 h2.background.benefits span {
background: #EFE9DE;
}
/* I dont think i need this */
h1.double:before,
h2.double:before {
/* this is just to undo the :before styling from above */
border-top: none;
}
h1.double:after,
h2.double:after {
border-bottom: 1px solid blue;
-webkit-box-shadow: 0 1px 0 0 red;
-moz-box-shadow: 0 1px 0 0 red;
box-shadow: 0 1px 0 0 red;
content: "";
margin: 0 auto;
/* this centers the line to the full width specified */
position: absolute;
top: 45%;
left: 0;
right: 0;
width: 95%;
z-index: -1;
}
h1.no-background,
h2.no-background {
position: relative;
overflow: hidden;
}
h1.no-background span,
h2.no-background span {
display: inline-block;
vertical-align: baseline;
zoom: 1;
*display: inline;
*vertical-align: auto;
position: relative;
padding: 0 20px;
}
h1.no-background span:before,
h1.no-background span:after,
h2.no-background span:before,
h2.no-background span:after {
content: '';
display: block;
width: 1000px;
position: absolute;
top: 0.73em;
border-top: 1px solid red;
}
h1.no-background span:before,
h2.no-background span:before {
right: 100%;
}
h1.no-background span:after,
h2.no-background span:after {
left: 100%;
}
h1.no-span,
h2.no-span {
display: table;
white-space: nowrap;
}
h1.no-span:before,
h1.no-span:after,
h2.no-span:before,
h2.no-span:after {
border-top: 1px solid green;
content: '';
display: table-cell;
position: relative;
top: 0.5em;
width: 45%;
}
h1.no-span:before,
h2.no-span:before {
right: 1.5%;
}
h1.no-span:after,
h2.no-span:after {
left: 1.5%;
}
HTML
<h1 class="background" style="text-align: center;"><span>EVENTS 2016</span></h1>
Sepia Grid Gallery
This is a simple gallery I created using JCE Editor. It uses pure HTML and Javascipt so the editor is not required but makes building a easier.
Notes:
- I RSFirewall eats the code.
- Gap in between images
- If you put the <img> declarations on different lines like in the code below you will get gaps between the images.
- A simple solution is to put all of the <img> on the same line
- You could use floats
- There might be other solutions out there, but I have not tried them
HTML
<p style="max-width: 960px; margin: auto auto;">
<img src="/images/kb/2017/870/cat-whiskers-kitty-tabby.jpg" alt="cat" onmouseover="this.src='/images/kb/2017/870/cat-whiskers-kitty-tabby-rollover.jpg';" onmouseout="this.src='/images/kb/2017/870/cat-whiskers-kitty-tabby.jpg';" />
<img src="/images/kb/2017/870/cat-whiskers-kitty-tabby.jpg" alt="cat" onmouseover="this.src='/images/kb/2017/870/cat-whiskers-kitty-tabby-rollover.jpg';" onmouseout="this.src='/images/kb/2017/870/cat-whiskers-kitty-tabby.jpg';" />
<img src="/images/kb/2017/870/cat-whiskers-kitty-tabby.jpg" alt="cat" onmouseover="this.src='/images/kb/2017/870/cat-whiskers-kitty-tabby-rollover.jpg';" onmouseout="this.src='/images/kb/2017/870/cat-whiskers-kitty-tabby.jpg';" />
<img src="/images/kb/2017/870/kitten-green-eyes-grass.jpg" alt="cat" onmouseover="this.src='/images/kb/2017/870/kitten-green-eyes-grass-rollover.jpg';" onmouseout="this.src='/images/kb/2017/870/kitten-green-eyes-grass.jpg';" />
<img src="/images/kb/2017/870/kitten-green-eyes-grass.jpg" alt="cat" onmouseover="this.src='/images/kb/2017/870/kitten-green-eyes-grass-rollover.jpg';" onmouseout="this.src='/images/kb/2017/870/kitten-green-eyes-grass.jpg';" />
<img src="/images/kb/2017/870/kitten-green-eyes-grass.jpg" alt="cat" onmouseover="this.src='/images/kb/2017/870/kitten-green-eyes-grass-rollover.jpg';" onmouseout="this.src='/images/kb/2017/870/kitten-green-eyes-grass.jpg';" />
</p>
Square Grid
Responsive 4 x 4 Grid with centered images. This is a square grid made up of 4 segments. Each has an image and a block of text.
Float Method (Fully Working)
This only works properly if bootstrap is present. Bootstrap allows the images to resize dynamically and the square block collapses into a single column.
We provide Chauffeurs
- For Individual Journeys
- On Contract for Corporate Clients
- On Relief - Cover for when your Chauffeur is unavailable
- Please enquire about our Corporate Rates and Chauffeur Placement service.
- Please enquire about our Chauffeur and Executive Car service.
- Please see HERE for the benefits of using Car Company for your business needs
The Method is Simple
We will open an account in your company's name and make the booking for the day and time required. We would appreciate 24 hours notice, whenever possible.
The chauffeur will arrive at your designated pick-up point in his own car and will be available to drive you in your car for as long as you wish.
We charge a flat rate per hour, this remains the same irrespective of unsocial hours, weekends and bank holidays.
There is a call out charge of £15 per trip and a minimum charge per trip of 5 hours.
Our Car Company Chauffeurs: Are Uniformed, Are over 30 years old, Have clean driving licences, have been individually tested by a Class 1 Police experienced officer, are experienced in chauffeuring Rolls Royce, Jaguar, Mercedes Benz and all other marques of vehicles.
HTML
<h2 style="text-align: center;">We provide Chauffeurs</h2>
<div class="float-parent" style="display: table; margin: auto;">
<div style="float: left; margin: 5px; max-width: 400px;">
<ul>
<li>For Individual Journeys</li>
<li>On Contract for Corporate Clients</li>
<li>On Relief - Cover for when your Chauffeur is unavailable</li>
<li>Please enquire about our Corporate Rates and Chauffeur Placement service.</li>
<li>Please enquire about our Chauffeur and Executive Car service.</li>
<li>Please see HERE for the benefits of using Car Company for your business needs</li>
</ul>
</div>
<div style="float: left; margin: 5px;">
<img src="/images/kb/2017/869/cat-whiskers-kitty-tabby.jpg" alt="Business people working in backseat of car" style="min-width: 200px; padding: 10px;" />
</div>
</div>
<h2 style="text-align: center;">The Method is Simple</h2>
<div class="float-parent" style="display: table; margin: auto;">
<div style="float: left; margin: 5px;">
<img src="/images/kb/2017/869/kitten-green-eyes-grass.jpg" alt="Female CEO working inside car" style="padding: 10px;" />
</div>
<div style="float: left; margin: 5px; max-width: 400px;">
<p>We will open an account in your company's name and make the booking for the day and time required. We would appreciate 24 hours notice, whenever possible.</p>
<p>The chauffeur will arrive at your designated pick-up point in his own car and will be available to drive you in your car for as long as you wish.</p>
<p>We charge a flat rate per hour, this remains the same irrespective of unsocial hours, weekends and bank holidays.</p>
<p>There is a call out charge of £15 per trip and a minimum charge per trip of 5 hours.</p>
<p>Our Car Company Chauffeurs: Are Uniformed, Are over 30 years old, Have clean driving licences, have been individually tested by a Class 1 Police experienced officer, are experienced in chauffeuring Rolls Royce, Jaguar, Mercedes Benz and all other marques of vehicles.</p>
</div>
</div>
All the following code is for reference only but might be useful for fault finding
Float method with borders (same as above but with visual aids)
This is exactly the same as above but demostrates how the floating works.
We provide Chauffeurs:
- For Individual Journeys
- On Contract for Corporate Clients
- On Relief - Cover for when your Chauffeur is unavailable
- Please enquire about our Corporate Rates and Chauffeur Placement service.
- Please enquire about our Chauffeur and Executive Car service.
- Please see HERE for the benefits of using Car Company for your business needs
The Method is Simple
We will open an account in your company's name and make the booking for the day and time required. We would appreciate 24 hours notice, whenever possible.
The chauffeur will arrive at your designated pick-up point in his own car and will be available to drive you in your car for as long as you wish.
We charge a flat rate per hour, this remains the same irrespective of unsocial hours, weekends and bank holidays.
There is a call out charge of £15 per trip and a minimum charge per trip of 5 hours.
Our Car Company Chauffeurs: Are Uniformed, Are over 30 years old, Have clean driving licences, Have been individually tested by a Class 1 Police experienced officer, are experienced in chauffeuring Rolls Royce, Jaguar, Mercedes Benz and all other marques of vehicles. Please call 01344 887 439 or 01189 401 880 for more information.
Thank you for your interest. The Car Company Team.
HTML
<h2>We provide Chauffeurs:</h2>
<div class="float-parent" style="display: table; margin: auto; border: green 3px solid;">
<div style="float: left; margin: 5px; max-width: 400px; border: blue 3px solid;">
<ul>
<li>For Individual Journeys</li>
<li>On Contract for Corporate Clients</li>
<li>On Relief - Cover for when your Chauffeur is unavailable</li>
<li>Please enquire about our Corporate Rates and Chauffeur Placement service.</li>
<li>Please enquire about our Chauffeur and Executive Car service.</li>
<li>Please see HERE for the benefits of using Car Company for your business needs</li>
</ul>
</div>
<div style="float: left; margin: 5px; border: blue 3px solid;">
<img src="/images/kb/2017/869/cat-whiskers-kitty-tabby.jpg" alt="Business people working in backseat of car" style="min-width: 200px; padding: 10px;" />
</div>
</div>
<h2>The Method is Simple</h2>
<div class="float-parent" style="display: table; margin: auto; border: green 3px solid;">
<div style="float: left; margin: 5px; border: blue 3px solid;">
<img src="/images/kb/2017/869/kitten-green-eyes-grass.jpg" alt="Female CEO working inside car" style="padding: 10px;" />
</div>
<div style="float: left; margin: 5px; max-width: 400px; border: blue 3px solid;">
<p>We will open an account in your company's name and make the booking for the day and time required. We would appreciate 24 hours notice, whenever possible.</p>
<p>The chauffeur will arrive at your designated pick-up point in his own car and will be available to drive you in your car for as long as you wish.</p>
<p>We charge a flat rate per hour, this remains the same irrespective of unsocial hours, weekends and bank holidays.</p>
<p>There is a call out charge of £15 per trip and a minimum charge per trip of 5 hours.</p>
<p>Our Car Company Chauffeurs: Are Uniformed, Are over 30 years old, Have clean driving licences, Have been individually tested by a Class 1 Police experienced officer, are experienced in chauffeuring Rolls Royce, Jaguar, Mercedes Benz and all other marques of vehicles. Please call 01344 887 439 or 01189 401 880 for more information.</p>
<p>Thank you for your interest. The Car Company Team.</p>
</div>
</div>
Inline method
Working inline version of the Square Block. Centered, no floats, text all looks nice except the images end up at the bottom and not centered.
HTML
<div style="text-align: center;">
<div style="overflow: hidden;">
<div style="display: inline-block; overflow: hidden; min-width: 200px; max-width: 450px; padding: 10px; text-align: justify;">
<h2>We provide Chauffeurs:</h2>
<ul>
<li>For Individual Journeys</li>
<li>On Contract for Corporate Clients</li>
<li>On Relief - Cover for when your Chauffeur is unavailable</li>
<li>Please enquire about our Corporate Rates and Chauffeur Placement service.</li>
<li>Please enquire about our Chauffeur and Executive Car service.</li>
<li>Please see HERE (link to who we are benefits section) the benefits of using Car Company for your business needs</li>
</ul>
</div>
<img src="/images/kb/2017/869/cat-whiskers-kitty-tabby.jpg" alt="Business people working in backseat of car" style="min-width: 200px; padding: 10px;" />
</div>
<div style="overflow: hidden;">
<div style="display: inline-block; max-height: 450px; min-width: 200px; max-width: 450px;">
<img src="/images/kb/2017/869/kitten-green-eyes-grass.jpg" alt="Female CEO working inside car" style="padding: 10px;" />
</div>
<div style="display: inline-block; overflow: hidden; min-width: 200px; max-width: 450px; padding: 10px; text-align: justify;">
<h2>The Method is Simple</h2>
<p>We will open an account in your company's name and make the booking for the day and time required. We would appreciate 24 hours notice, whenever possible.</p>
<p>The chauffeur will arrive at your designated pick-up point in his own car and will be available to drive you in your car for as long as you wish.</p>
<p>We charge a flat rate per hour, this remains the same irrespective of unsocial hours, weekends and bank holidays.</p>
<p>There is a call out charge of £15 per trip and a minimum charge per trip of 5 hours.</p>
<p>Our Car Company Chauffeurs: Are Uniformed, Are over 30 years old, Have clean driving licences, Have been individually tested by a Class 1 Police experienced officer, are experienced in chauffeuring Rolls Royce, Jaguar, Mercedes Benz and all other marques of vehicles. Please call 01344 887 439 or 01189 401 880 for more information.</p>
<p>Thank you for your interest. The Car Company Team.</p>
</div>
</div>
</div>
Inline version with fix
This is the same as the inline code above but with me trying to apply the vertical image fix with the code from JSFiddle. The fix is not working on my demo.
CSS
/* https://jsfiddle.net/hashem/46psK/ Image fix section */
.responsive-container {
position: relative;
width: 100%;
/*border: 1px solid black;*/
}
.responsive-container .dummy {
padding-top: 100%; /* forces 1:1 aspect ratio */
}
.responsive-container .img-container {
position: absolute;
top: 0;
bottom: 0;
left: 0;
right: 0;
text-align:center; /* Align center inline elements */
font: 0/0 a;
}
.responsive-container .img-container:before {
content: ' ';
display: inline-block;
vertical-align: middle;
height: 100%;
}
.responsive-container .img-container img {
vertical-align: middle;
display: inline-block;
}
HTML
<div style="text-align: center;">
<div style="overflow: hidden;">
<div style="display: inline-block; overflow: hidden; min-width: 200px; max-width: 450px; padding: 10px; text-align: justify;">
<h2>We provide Chauffeurs:</h2>
<ul>
<li>For Individual Journeys</li>
<li>On Contract for Corporate Clients</li>
<li>On Relief - Cover for when your Chauffeur is unavailable</li>
<li>Please enquire about our Corporate Rates and Chauffeur Placement service.</li>
<li>Please enquire about our Chauffeur and Executive Car service.</li>
<li>Please see HERE (link to who we are benefits section) the benefits of using Car Company for your business needs</li>
</ul>
</div>
<div class="responsive-container" style="display: inline-block; min-width: 200px; max-width: 450px; max-height: 450px;">
<div class="dummy"></div>
<div class="img-container">
<img src="/images/kb/2017/869/cat-whiskers-kitty-tabby.jpg" alt="Business people working in backseat of car" style="min-width: 200px; padding: 10px;" />
</div>
</div>
</div>
<div style="overflow: hidden;">
<div class="responsive-container" style="display: inline-block; min-width: 200px; max-width: 450px; max-height: 450px;">
<div class="dummy"></div>
<div class="img-container">
<img src="/images/kb/2017/869/kitten-green-eyes-grass.jpg" alt="Female CEO working inside car" style="padding: 10px;" />
</div>
</div>
<div style="display: inline-block; overflow: hidden; min-width: 200px; max-width: 450px; padding: 10px; text-align: justify;">
<h2>The Method is Simple</h2>
<p>We will open an account in your company's name and make the booking for the day and time required. We would appreciate 24 hours notice, whenever possible.</p>
<p>The chauffeur will arrive at your designated pick-up point in his own car and will be available to drive you in your car for as long as you wish.</p>
<p>We charge a flat rate per hour, this remains the same irrespective of unsocial hours, weekends and bank holidays.</p>
<p>There is a call out charge of £15 per trip and a minimum charge per trip of 5 hours.</p>
<p>Our Car Company Chauffeurs: Are Uniformed, Are over 30 years old, Have clean driving licences, Have been individually tested by a Class 1 Police experienced officer, are experienced in chauffeuring Rolls Royce, Jaguar, Mercedes Benz and all other marques of vehicles. Please call 01344 887 439 or 01189 401 880 for more information.</p>
<p>Thank you for your interest. The Car Company Team.</p>
</div>
</div>
</div>
Inline Method - CSS Version
This uses both parts of the CSS script and is all set by the CSS. This looks different in a normal HTML file.
We provide Chauffeurs:
- For Individual Journeys
- On Contract for Corporate Clients
- On Relief - Cover for when your Chauffeur is unavailable
- Please enquire about our Corporate Rates and Chauffeur Placement service.
- Please enquire about our Chauffeur and Executive Car service.
- Please see HERE (link to who we are benefits section) the benefits of using Car Company for your business needs
The Method is Simple
We will open an account in your company's name and make the booking for the day and time required. We would appreciate 24 hours notice, whenever possible.
The chauffeur will arrive at your designated pick-up point in his own car and will be available to drive you in your car for as long as you wish.
We charge a flat rate per hour, this remains the same irrespective of unsocial hours, weekends and bank holidays.
There is a call out charge of £15 per trip and a minimum charge per trip of 5 hours.
Our Car Company Chauffeurs: Are Uniformed, Are over 30 years old, Have clean driving licences, Have been individually tested by a Class 1 Police experienced officer, are experienced in chauffeuring Rolls Royce, Jaguar, Mercedes Benz and all other marques of vehicles. Please call 01344 887 439 or 01189 401 880 for more information.
Thank you for your interest. The Car Company Team.
CSS
/*-- Square Block - Responsive 4 x 4 Grid with centered images --*/
.square-grid {text-align: center;}
.square-grid .square-grid-row {overflow: hidden;}
.square-grid .square-grid-image {
display: inline-block;
max-height: 450px;
min-width: 200px;
max-width: 450px;
}
.square-grid .square-grid-content {
display: inline-block;
overflow: hidden;
min-width: 200px;
max-width: 450px;
padding: 10px;
text-align: left;
}
.square-grid .square-grid-content ul {
display: table;
}
/* https://jsfiddle.net/hashem/46psK/ Image fix section */
.responsive-container {
position: relative;
width: 100%;
/*border: 1px solid black;*/
}
.responsive-container .dummy {
padding-top: 100%; /* forces 1:1 aspect ratio */
}
.responsive-container .img-container {
position: absolute;
top: 0;
bottom: 0;
left: 0;
right: 0;
text-align:center; /* Align center inline elements */
font: 0/0 a;
}
.responsive-container .img-container:before {
content: ' ';
display: inline-block;
vertical-align: middle;
height: 100%;
}
.responsive-container .img-container img {
vertical-align: middle;
display: inline-block;
}
HTML
<div class="square-grid">
<div class="square-grid-row">
<div class="square-grid-content">
<h2>We provide Chauffeurs:</h2>
<ul>
<li>For Individual Journeys</li>
<li>On Contract for Corporate Clients</li>
<li>On Relief - Cover for when your Chauffeur is unavailable</li>
<li>Please enquire about our Corporate Rates and Chauffeur Placement service.</li>
<li>Please enquire about our Chauffeur and Executive Car service.</li>
<li>Please see HERE (link to who we are benefits section) the benefits of using Car Company for your business needs</li>
</ul>
</div>
<div class="square-grid-image">
<div class="dummy"></div>
<div class="img-container">
<img src="/images/kb/2017/869/cat-whiskers-kitty-tabby.jpg" alt="Business people working in backseat of car" style="padding: 10px;" />
</div>
</div>
</div>
<div class="square-grid-row">
<div class="square-grid-image">
<div class="dummy"></div>
<div class="img-container">
<img src="/images/kb/2017/869/kitten-green-eyes-grass.jpg" alt="Female CEO working inside car" style="padding: 10px;" />
</div>
</div>
<div class="square-grid-content">
<h2>The Method is Simple</h2>
<p>We will open an account in your company's name and make the booking for the day and time required. We would appreciate 24 hours notice, whenever possible.</p>
<p>The chauffeur will arrive at your designated pick-up point in his own car and will be available to drive you in your car for as long as you wish.</p>
<p>We charge a flat rate per hour, this remains the same irrespective of unsocial hours, weekends and bank holidays.</p>
<p>There is a call out charge of £15 per trip and a minimum charge per trip of 5 hours.</p>
<p>Our Car Company Chauffeurs: Are Uniformed, Are over 30 years old, Have clean driving licences, Have been individually tested by a Class 1 Police experienced officer, are experienced in chauffeuring Rolls Royce, Jaguar, Mercedes Benz and all other marques of vehicles. Please call 01344 887 439 or 01189 401 880 for more information.</p>
<p>Thank you for your interest. The Car Company Team.</p>
</div>
</div>
</div>
Joomlashine Grid Method
This will not work unless you use a joomlashine template (v1)
We provide Chauffeurs:
- For Individual Journeys
- On Contract for Corporate Clients
- On Relief - Cover for when your Chauffeur is unavailable
- Please enquire about our Corporate Rates and Chauffeur Placement service.
- Please enquire about our Chauffeur and Executive Car service.
- Please see HERE (link to who we are benefits section) the benefits of using Car Company for your business needs
The Method is Simple
We will open an account in your company's name and make the booking for the day and time required. We would appreciate 24 hours notice, whenever possible.
The chauffeur will arrive at your designated pick-up point in his own car and will be available to drive you in your car for as long as you wish.
We charge a flat rate per hour, this remains the same irrespective of unsocial hours, weekends and bank holidays.
There is a call out charge of £15 per trip and a minimum charge per trip of 5 hours.
Our Car Company Chauffeurs: Are Uniformed, Are over 30 years old, Have clean driving licences, Have been individually tested by a Class 1 Police experienced officer, are experienced in chauffeuring Rolls Royce, Jaguar, Mercedes Benz and all other marques of vehicles. Please call 01344 887 439 or 01189 401 880 for more information.
Thank you for your interest. The Car Company Team.
HTML
<div class="grid-layout">
<div>
<div style="display: inline-block; min-width: 250px; height: 300px; padding: 10px;">
<h2>We provide Chauffeurs:</h2>
<ul>
<li>For Individual Journeys</li>
<li>On Contract for Corporate Clients</li>
<li>On Relief - Cover for when your Chauffeur is unavailable</li>
<li>Please enquire about our Corporate Rates and Chauffeur Placement service.</li>
<li>Please enquire about our Chauffeur and Executive Car service.</li>
<li>Please see HERE (link to who we are benefits section) the benefits of using Car Company for your business needs</li>
</ul>
</div>
</div>
<div>
<div style="display: inline-block; min-width: 250px; height: 300px; padding: 10px;">
<img src="/images/kb/2017/869/cat-whiskers-kitty-tabby.jpg" alt="Business people working in backseat of car" style="margin: 10px;" />
</div>
</div>
</div>
<div class="grid-layout">
<div>
<div style="display: inline-block; min-width: 250px; height: 300px; padding: 10px;">
<img src="/images/kb/2017/869/kitten-green-eyes-grass.jpg" alt="Female CEO working inside car" style="margin: 10px;" />
</div>
</div>
<div>
<div style="display: inline-block; min-width: 250px; height: 300px; padding: 10px;">
<h2>The Method is Simple</h2>
<p>We will open an account in your company's name and make the booking for the day and time required. We would appreciate 24 hours notice, whenever possible.</p>
<p>The chauffeur will arrive at your designated pick-up point in his own car and will be available to drive you in your car for as long as you wish.</p>
<p>We charge a flat rate per hour, this remains the same irrespective of unsocial hours, weekends and bank holidays.</p>
<p>There is a call out charge of £15 per trip and a minimum charge per trip of 5 hours.</p>
<p>Our Car Company Chauffeurs: Are Uniformed, Are over 30 years old, Have clean driving licences, Have been individually tested by a Class 1 Police experienced officer, are experienced in chauffeuring Rolls Royce, Jaguar, Mercedes Benz and all other marques of vehicles. Please call 01344 887 439 or 01189 401 880 for more information.</p>
<p>Thank you for your interest. The Car Company Team.</p>
</div>
</div>
</div>
Float and Overflow Method
This does work but the images are not neat (DOES WORK)
HTML
<div>
<div style="overflow: hidden;">
<img src="/images/kb/2017/869/cat-whiskers-kitty-tabby.jpg" alt="Business people working in backseat of car" style="float: right; min-width: 200px; min-height: 300px; padding: 10px;" />
<div style="overflow: hidden; min-width: 200px; max-width: 450px; min-height: 300px; padding: 10px;">
<h2>We provide Chauffeurs:</h2>
<ul>
<li>For Individual Journeys</li>
<li>On Contract for Corporate Clients</li>
<li>On Relief - Cover for when your Chauffeur is unavailable</li>
<li>Please enquire about our Corporate Rates and Chauffeur Placement service.</li>
<li>Please enquire about our Chauffeur and Executive Car service.</li>
<li>Please see HERE (link to who we are benefits section) the benefits of using Car Company for your business needs</li>
</ul>
</div>
</div>
<div style="clear: both;"> </div>
<div style="overflow: hidden;">
<img src="/images/kb/2017/869/kitten-green-eyes-grass.jpg" alt="Female CEO working inside car" style="float: left; min-width: 200px; min-height: 300px; padding: 10px;" />
<div style="overflow: hidden; min-width: 200px; max-width: 450px; min-height: 300px; padding: 10px;">
<h2>The Method is Simple</h2>
<p>We will open an account in your company's name and make the booking for the day and time required. We would appreciate 24 hours notice, whenever possible.</p>
<p>The chauffeur will arrive at your designated pick-up point in his own car and will be available to drive you in your car for as long as you wish.</p>
<p>We charge a flat rate per hour, this remains the same irrespective of unsocial hours, weekends and bank holidays.</p>
<p>There is a call out charge of £15 per trip and a minimum charge per trip of 5 hours.</p>
<p>Our Car Company Chauffeurs: Are Uniformed, Are over 30 years old, Have clean driving licences, Have been individually tested by a Class 1 Police experienced officer, are experienced in chauffeuring Rolls Royce, Jaguar, Mercedes Benz and all other marques of vehicles. Please call 01344 887 439 or 01189 401 880 for more information.</p>
<p>Thank you for your interest. The Car Company Team.</p>
</div>
</div>
</div>
Empty large database tables in Prestashop
Some tables get really big and some of them can be emptied easily. This helps your store to run better.
There are 2 plugins that makes like a lot easier
- PrestaShop database optimization module - clean up your db! (Recommend) - This module is great tool to clean up store database. Use this free addon and decrease your website load time. How it works? PrestaShop store a lot of unnecessary informations in database, this module allows to clean all unwanted informations, like abandoned carts, connections informations, guests informations etc. Remember that it removing stats. Sometimes these tables have got a lot of informations, just clean them with this free addon!. You can delete all of the large tables in Prestashop database (PS v1.4 - v1.6)
- Delete connections - Prestashop module - This module increase your site speed deleting and optimizing the database in the tables connections, connections_source, connections page, cart, etc. This module is usefull when you have a lot of visits and the size of these tables are too big. To save space, you can use this module whitout any problem (your server can suspend your account if your database is too big in shared hostings). Now optimizes all tables and delete the abandoned carts of visitors to save space and delete expired vouchers to save database space, and clear the smarty files in the database (PS 1.6+). Supports (PS v1.2 - v1.6).
Notes
Statistics Tables
_page_viewed _pagenotfound
You need to uninstall the stats module before emptying these, there should be a retain period setting
Manual Table Deletion
I have not tried this and it is the hard way of doing things. A user has used this SQL query to clean his database (possibly taken from one of the links below)
TRUNCATE TABLE `ps_connections`; TRUNCATE TABLE `ps_connections_page`; TRUNCATE TABLE `ps_connections_source`; TRUNCATE TABLE `ps_page_viewed`; TRUNCATE TABLE `ps_guest`;
Links
- Delete conenctions / Optimize database - Prestashop Module - YouTube
- Can we truncate 'pagenotfound' and guest table? - Free Modules & Themes - PrestaShop
- [SOLVED] what if empty ps_connections and it source tables - Ecommerce x PrestaShop [ARCHIVE BOARD] - PrestaShop
- table ps_connections_page and ps_connections, can i empty them? - Ecommerce x PrestaShop [ARCHIVE BOARD] - PrestaShop
AllVideos
To set the max-width of AllVideos video output ( a bit of a hack but works for me)
- i downloaded latest version v4.8.0 from github
- the iframe does not alter anything
- the video size is controlled by the wrapping <div>s in particular "avPlayerContainer"
- the output template is allvideos-master/plugin/jw_allvideos/tmpl/Responsive/default.php
- in the responsive template I changed
<div class="avPlayerContainer">
to<div class="avPlayerContainer" style="max-width:<?php echo $output->playerWidth; ?>px;">
This is an example of the new code in action
<div class="avPlayerWrapper avVideo">
<div class="avPlayerContainer" style="max-width:600px;">
<div id="AVPlayerID_0_80667a8ddd8d0d2ed351d74c3990d3c1" class="avPlayerBlock">
<iframe src="https://www.youtube.com/embed/DVbDgMh5lj4?rel=0&fs=1&wmode=transparent&autoplay=1" allowfullscreen="" title="JoomlaWorks AllVideos Player" width="600" height="450" frameborder="0"></iframe>
</div>
</div>
</div>
<!-- JoomlaWorks "AllVideos" Plugin (v4.8.0) ends here--> RSFirewall - Active Scanner updated documentation
Data added from extensions.joomla.org and the FAQ config page for active scanner.
- created file inclusion section
- moved filter javascript below the get/ post box as it makes more logical sense
- added DoS to the denial of service title
- changed SQL Protections to SQL injection Protections (SQLi)
- renamed JS Protections --> HTML, Javascript and CSS Protections (XSS)
- rename Uploads --> File Uploads
General
From our point of view the default settings are a balanced configuration for most Joomla! Installations. However I would encourage you to go through the settings and make your own choices.
Enable Active Scanner
By enabling the Active Scanner all the protections will be enabled on your Joomla! website.
Enable Active Scanner in the /administrator section
By setting this to Yes the PHP, JS and SQL protections will be triggered in the backend as well. This should only be enabled if you don't trust people that have access to your /administrator section.
This is useful if you don't trust people that have access to your administration from making mistakes or uploading malicious code.
Log All blocked attempts
By setting this to Yes, every single attempt that's stopped by RSFirewall! will be logged. This is useful for debugging your website in case you have false alerts. We recommend setting this to No once you are done so that automated attacks don't fill your log.
Remove the Joomla! generator meta tag
Removing the generator meta tag from your website's template will protect you from spambots or attackers that target Joomla! Websites. This will also prevent some prevent 3rd parties working out what CMS platform you are running for further attacks. This does not prevent fingerprinting attacks but is a good start to stop script kiddies.
Convert email addresses from plain text to images
This setting will convert all email addresses from plain text to images, in the same way as the Email Cloaking plugin will convert them to Javascript.
Joomlas inbuilt Email Cloaking Plugin is enabled by default that obfuscates email addresses by using Javascript but there might be times where it does not work or that a hacker can get around the prevention method. If an email is changed to an image hackers will not be able to read the emails addresses by using scripts so this is a very secure method of preventing scraping of your email addresses whilst still being able to display them to visitors.
Check core Joomla! Files integrity
Checks a few core Joomla! files for integrity, like the Joomla! login and index.php
This is a key feature of the active scanner and should always be used. Whenever your site is accessed RSFirewall will check the core Joomla! Files that have been accessed during the request to make sure their hashes match the internal hash database of RSFirewall which checks to see if they have been altered. This adds a proactive protection to your site allows you to stop a hack attempt at an early stage.
Monitor the following files for changes
If any of the following files will be changed, you will be alerted by email (if configured) and an entry will be posted in the System Log.
This section allows you to add your own files that you want to monitor for changes, such as your template files. If you want a suggestion for suitable files to monitor use the following as an example:
- /home/ myaccount /public_html/index.php
- /home/ myaccount /public_html/configuration.php
- /home/ myaccount /public_html/.htaccess
- /home/quanta/ myaccount /administrator/index.php
- /home/myaccount/public_html/templates/my_template/index.php
Open File Manager
This opens a modal box with a file browser that allows you to select what files you want to monitor. This is optional as you can manually adding the files to the list.
Grab IP from Proxy Headers
Some servers are behind a proxy or firewall and will not provide the correct IP. If this is your case, contact the proxy provider and ask them through what header are they sending the real IP. Otherwise just leave these all checked by default and RSFirewall! will attempt to grab the IP by looking through all of them.
System Protections
by default the following is set
PHP Protections - enable protections for (GET)
SQL Protections - enable protections for (GET)
JS Protections - enable protections for (POST)
why are, (POST),(POST),(GET) respectivly not turned on by default. Am I not fully protect without these or if i turn them on will it break my site?
If you are using a standard Joomla! installation, then use the standard active scanner settings provided by RSFirewall!.
The reason why $_POST is not enabled for the PHP or SQL sections is that standard Joomla! article, or module editing work with $_POST. Having this enabled would increase the chances of raising false positives, blocking the legitimate actions that are being performed. If you have tight control on the users that are allowed to perform such actions (or if these actions are performed only in the backend for example) you won't be needing to perform checks on the $_POST variable. Keep in mind that $_GET related attacks are more frequent then $_POST ones as well.
File Inclusion (LFI / RFI)
The File Inclusion settings should be left on unless you really need to turn them off for debugging or running some of your custom code. Well written extensions will not require LFI/RFI to work.
Local file inclusion (LFI)
This disallows directory traversal techniques (such as controller=../../../etc/passwd) that might allow an attacker to read sensitive files by exploiting poorly coded extensions.
Remote file inclusion (RFI)
This disallows access to URLs (such as controller=http://www.malicious-site.com/exploit.txt) that might allow an attacker to download and run malicious scripts by exploiting poorly coded extensions.
PHP (PHP)
Enable protections for
Inspect the selected system variables for PHP injections.
- Form data ($_POST) enables filtering for information submitted through forms (eg. article editing, user registration etc)
- URL data (_$GET) enables filtering for variables that are located in the URL (eg. http://www.yoursite.com/index.php?option=com_test¶meter1=value1)
PHP $_POST and $_GET Defaults
- Default = $_GET only
- PHP $_POST should be on by default
SQL injection (SQLi)
Enable protections for
Inspect the selected system variables for SQL injections.
- Form data ($_POST) enables filtering for information submitted through forms (eg. article editing, user registration etc)
- URL data ($_GET) enables filtering for variables that are located in the URL (eg. http://www.yoursite.com/index.php?option=com_test¶meter1=value1)
SQL $_POST and $_GET Defaults
- Default = $_GET only
- Should $_POST be on?
HTML, Javascript and CSS (XSS)
Enable protections for
Inspect the selected system variables for XSS/JS injections.
- Form data ($_POST) enables filtering for information submitted through forms (eg. article editing, user registration etc)
- URL data ($_GET) enables filtering for variables that are located in the URL (eg. http://www.yoursite.com/index.php?option=com_test¶meter1=value1)
JS $_POST and $_GET Defaults
- Default = $_GET only
- JS $_POST should be on by default
- still not sure why having SQL $_POST will cause issues
- they leave the deafult installation as it to reduce false positives but this also reducves security. notes should be made when to turn the other option on.
Filter Javascript
By setting this to Yes, the Javascript will be filtered instead of the connection being dropped.
File Uploads ($_FILES)
Every file upload that is being performed, ends up in the $_FILES variable. RSFirewall! checks this particular variable for attack vectors as well.
Filter Uploads
By settings this to Yes, the uploads will be deleted instead of the connection being dropped.
Filter uploads by deleting the file(s) instead of the connection being dropped. This alloes data still to be accepted but delete the potential malicious file which is better for customer interaction.
Check for multiple file extensions
Uploading files with multiple extensions might trick you or any other user that the file has a safe extension.
Verify if uploaded files have multiple extensions
Check for known malware
Verify uploaded files for known malware patterns, such as PHP shell scripts.
Banned Extensions
Files with the following extensions will be deleted as soon as they've been uploaded to the temporary directory on your server. If you enable the "Multiple extensions check", this will check all the files extensions, as opposed to the last one.
Don't upload files with the configured list of banned extensions
Access Control
Denial of Service (DoS)
Deny access to the following User Agents
Select the User Agents you want to prevent from accessing your site.
The following User Agents are usually automated requests to your website and should not be allowed.
- empty User Agents are usually DoS attack attempts or automated connections to your website
- perl scripts are used for automated connections to your website
- cURL is used for automated connections to your website
- Java performs automated connections as well
Protect against DoS (Denial of Service) attacks for User Agents (perl, cURL, Java or empty User Agents)
Protect forms from abusive IPs
Enabling this option will protect your forms from abusive IPs by checking if they exist in a PBL list.
Protect forms from abusive IPs - checks if IPs of form submitters exist in the Spamhaus XBL and SBL lists.
If the IP is in a PBL then the submission will be blocked.
Deny access to the following referrers
Referers are visitors coming from another website (domain). You can block multiple domains by specifying them each on a new line. You can also use wildcards, such as *.domain.com which will block any requests coming from all subdomains of domain.com (eg. www.domain.com, images.domain.com etc). Remember to add domain.com to the list as well, otherwise only subdomains will be blocked when using wildcards. You can also use wildcards anywhere in the domain name, eg. blocked-domain.*, blocked*domain.com
Deny access to the following referers - Referers are visitors coming from another website(domain). You can block multiple domains by specifying them each on a new line. You can also use wildcards, such as *.domain.com which will block any request coming from all subdomains of domain.com(e.g www.domain.com, images.domain.com etc.).
Automatic Blacklisting
Automatic blacklisting
Automatic blacklisting will automatically add to the blacklist repeat offenders based on the minimum number of attempts specified below.
Enable automatic blacklisting(even for the backend login): if repeated threats are detected with the same IP address, this will automatically be added to the Blacklist area
Automatic blacklisting for /administrator login
With this option enabled, failed backend logins will lead to an automatic ban. This option is independent from the CAPTCHA challenge configurable below.
Same as above but for the admin area
# of attempts
This is the minimum number of attempts before the attacker will be added to the blacklist and banned from your website.
CAPTCHA
Enable CAPTCHA
This will prompt a CAPTCHA security code in the /administrator section. CAPTCHA will appear after the number of failed login attempts you specify below.
# of failed attempts
Activate CAPTCHA after this number of failed login attempts a CAPTCHA will show up in the /administrator section login page.
Backend Login
Capture login attempts
By enabling this, everytime a user fails to login in the /administrator section will trigger an event in the System Logs.
Store Passwords
Set whether to store the passwords used in the failed login attempts or not.
Lockdown
Protect the following users from any changes
This will create a snapshot of the selected users. If any changes will happen to any of them, it will get reverted back immediately. If you want to update your snapshot, you will have to deselect all the users, press Apply and then select the users again and finally Save the configuration.
Protect Joomla! users from any changes
Disable access to the Joomla! Installer
By setting this to Yes, the Joomla! installer will no longer be accessible.
You would use this when you have multiple admins and do not want them to have access to the installer to prevent over enthusiastic admins from breaking your site.
e.g. Perhaps you are in situation where you have multiple backend users. Would you like them to be able to install anything on your Joomla! ? It basically ads an extra layer of protection for the installer access.
Disable the creation of new Administrators
By setting this to yes, new users that can login in the /administrator section will be deleted as soon as they are created. Keep in mind that new users (such as the ones added in the Registered group) will not be affected, unless you are trying to add Super Administrator rights to them (in this case, they will be deleted as well).
This feature is a second line of defense. Should a hacker get basic access to your site this feature prevents him from getting administrator rights to your Joomla! Installation. It can also be used to prevent other admins on your site giving administrator rights out to other Joomla! Users.
RSFirewall - Questions and Answers
Multiple question on my new setup
1) do you have a database of attacks, nice to display this on your site
- Not sure what you mean here. Are you referring to a sort of statistics on how many hack attempts prevented RSFirewall! ?
- a database of attacks that you can show clients what is attacking joomla sites, this can be tied in with an attack map
- We do have something similar on our TO DO list, but i can't provide an estimate for this. You are more then welcome to subscribe to our blog and get the latest news (and promotions of course): https://www.rsjoomla.com/blog.html
2) does you software send back information to help fight attaccks, perhaps a live attack map would be a cool thing
- No, there is no "home callback" functionality, nor do we record the attacks that were performed on customer installations.
- an optional feature to send information back to rsjoomla for a live attack map. this would help in preventing future attacks quicker because you could see attacks that have not been discovered yet.
- Thank you for your suggestion.
3) rsjoomla what is a PBL - "protect forms from abuse ips", where is this list?
- The list itself is provided by a third party service: https://www.spamhaus.org/pbl/
- Because there is no information in the documentation can you explain further how this is used? you have given the list but not what it does.
- If the form is submitted by a visitor that is marked in the PBL, he will be blocked by RSFirewall!.
4) when you click ignore file because it is missing, is this file ignore for everything going forward?
- Yes, this is correct. The next time the System Check will run, the file won't be reported anymore.
- When you click ignore, the message says the file will not be flagged unless it is changed again. Is it different for joomla system files and other files
- Hope this will help you get a better understanding on how this works. Scenario:
- standard, Joomla! file altered: test.php
- detected by RSFirewall! System Check
- you manually checked this and file is ok
- clicked ignore
- run the system check again -> the file won't be reported anymore
- test.php was changed again
- running the system check again, will detect the file as begin altered.
5) what constitutes an attemp for an auto blacklist event?
- Any hack attempt is counted for. If the offender in question reaches a certain threshold (configurable within the Configuration area), it will be blacklisted.
6) is the default config the best configuration for rsjoomla or just best fit for initial installs
- From our point of view this is a balanced configuration for most Joomla! installations.
7) active scanner/Uploads/Filter uploads - do all file uploads get filters ie. through jce editor? Is there anyway of setting up exceptions or a finer grain control of this. if this is the case you should consider this a feature request
- Every upload that is being performed, ends up in the $_FILES variable. RSFirewall! checks this particular variable as well. RSFirewall! does incorporate an Exceptions feature (applies to uploads too). More on the Exceptions configuration area here:
https://www.rsjoomla.com/support/documentation/rsfirewall-user-guide/getting-started/exceptions.html - thanks for the info but the instructions are really not good. very short, no examples. doesnt really help.
- The RSFirewall! FAQ section does incorporate some examples on this:
https://www.rsjoomla.com/support/documentation/rsfirewall-user-guide/frequently-asked-questions.html
Are you looking for something in particular ? - better documentation with real life examples.
- Well, the FAQ section that i pointed out contains a couple of exception configuration examples (commonly used).
8) why would i block access to the joomla installer, is this availble without being logged in.
- Of course not, but perhaps you are in situation where you have multiple backend users. Would you like them to be able to install anything on your Joomla! ? It basically ads an extra layer of protection for the installer access.
9) block ip addressess - what is anonymous proxys, other countries, satelite provider,continent,other, how do you categories these. how would i find out what they relate to?
- These are general concepts of course, not something RSFirewall! specific. Perhaps a wiki read would help on the proxy issue:
https://en.wikipedia.org/wiki/Proxy_server#I2P_anonymous_proxy
There are various ways to categorize IP addresses. Localization is one of them - that's why the Country or continent correlation.
Other Continents (if checked): If, for the detected IP address, there is no continent correlation, then this will be blocked. The same applies for the Country section.
The categorization is provided by some public IP databases. More on this here:
https://www.rsjoomla.com/support/documentation/rsfirewall-user-guide/frequently-asked-questions/how-do-i-use-country-blocking-and-where-do-i-get-geoipdat-.html
PS: Thank you for your suggestions. We are constantly adding new articles and improving the documentation for all of our products. If there are questions that are not answered by the product documentation, our customer support service will gladly help.
Regards! - you have mentioned what the 'other' tick box does, but not satelite, anonymous proxy, you must of got these groups from somewhere. If you can point me to the page at GeoIP website where they discuss the different groups. ps this should be added to your documentation.
- The same principle applies, just that "satelite" is used instead of a particular country or continent. I won't get into the details on what a proxy is and how it works, as this is yet again a generic concept, not something RSFirewall! specific. Yet again, the same principle is applied. If the site visitor connects to your website through an anonymous proxy, he will be blocked (given that you have the option enabled). You can get more information on GeoIP on the author website: https://www.maxmind.com
- lol, i know what a proxy is, i just really mean where did yoou get the grouping information so you knew what ip belongs in which group. ie this page at maxmind tell yous what the groups are. if there is not page like this do not worry.
- Not worried at all, i simply pointed out the author of the database. Here you should be able to find additional information on how the GeoIP works.
the database must have the groups inside the database?
ps, all of these question and answers should be added to your documentation as they are the first thigns that popped into my head whilst learnign your software.
Questions – protection configuration ($_GET and $_POST$ PHP/SQL/JS ) protection
https://www.rsjoomla.com/my-support-tickets/view-ticket/138571-protections-configuration.html
Starter Question
Me
by default the following is set
PHP Protections - enable protections for (GET)
SQL Protections - enable protections for (GET)
JS Protections - enable protections for (POST)
why are, (POST),(POST),(GET) respectivly not turned on by default. Am I not fully protect without these or if i turn them on will it break my site?
advide please (PS> RSFirewall documentation should be a little bigger for sucha complicated product, which is great)
Alexandru Plapana
Hello,
Note that there is no predefined set of settings that can be applied for each and every website. Each website has its own requirements and this propagates to security related settings as well. For example you can't restrict the usage of a particular PHP function (that are commonly used by hack related scripts) if one of your installed extensions is using it. On the other hand why wouldn't you restrict if none of your extensions is using it ?
There is no such thing as full protection of an website - security applications won't ever be able to provide 100% protection, but it can help you reduce the chances of your site being hacked. Tighter security settings, can increase the chances of false positives and can affect the overall site functionality and even performance.
You are more then welcome to enable the protections, but you will have to test your site and make sure that it doesn't affect the overall functionality.
Regards!
Me
Hi,
unfortunately you have turned into management as this is a pointless answer but probably sounds great to you.
If you offer settings in a product you have to be able to tell me why they are there, in what circumstances you would use them, this would be an excellent feature for your documentation.
FYI: i know the difference between POST and GET but i am unsure on how to apply these settings of your firewall in a real life situation.
Please can you look into this and perhaps get me some real examples of why i would use them, leave as is etc...
You must understand that 99% of your cusrtomers will never touch these settings and this is why you dont get much feedback about them. some people might not even know the difference between post and get.
An example would be:
"If you have a standard joomla site wiht no 3rd part plugins or extensions turn GET and POST on for PHP/javascript/SQL to ge better protection"
Thanks
Alexandru Plapana
Hello,
If you are using a standard Joomla! installation, then use the standard active scanner settings provided by RSFirewall!.
If you actually hover over the options themselves you will notice additional explanations on this. The reason why $_POST is not enabled for the PHP or SQL sections is that standard Joomla! article, or module editing work with $_POST. Having this enabled would increase the chances of raising false positives, blocking the legitimate actions that are being performed. If you have tight control on the users that are allowed to perform such actions (or if these actions are performed only in the backend for example) you won't be needing to perform checks on the $_POST variable. Keep in mind that $_GET related attacks are more frequent then $_POST ones as well.
Regards!
Me
the explanation you have just given me is great. This should be in the manual somewhere.
I did read the tooltips before i posted, but the tool tips tell you what the option does but not why you would choose it and the consequences.
thanks
Alexandru Plapana
Hello,
I am glad that i could help.
Let me know if you require further assistance.
Regards!
Followup questions
before i start i do appreciate all of the time you spend answering my questions but i have a few follow up question just to plug the hole in your documentation. You can have a copy of my notes when i am done:
I need the answers to these because i am going to be running my own custom modules, code and whatever so i want to be as safe as possible without killing my site
After reading the responses from RSFirewall and the active scanner configuration faq page and the tooltips in the software I need to answer the following
PHP
1) controller= is a joomla method to include files (from tooltip)?
- This is actually part of the MVC architecture (or design pattern if you will). Joomla! relies heavily on the Model View Controller design, but in this instance, it just a parameter example.
- Local File inclusions - This question stems from your example in the tool tip
(This disallows directory traversal techniques (such as controller=../../../etc/passwd) that might allow an attacker to read sensitive files by exploiting poorly coded extensions.)
- So is it the ../../../ within a POST or GET that causes the block? (irrelevant of the rest of the line)
- why is there a button to turn it off, is this because some extensions are badly written and need this off?
- You should not consider "\..\" as being the only trigger for this. There are multiple patterns that are being used.
- I don't think that there are two Joomla! websites exactly the same. There can be situations here legitimate requests are being made, and RSFirewall! blocks them - naturally this will affect your overall website functionality. A quick solution would be required, thus turning it off. Note that the Exceptions feature was introduced at a later time.
2) The reason for being able to turn these on/off is because some people might have badly written extensions that use this command? And they should not use this?
- I presume that you are referring to local and remote file inclusions. A wiki article should help you in understanding the overall concept:
https://en.wikipedia.org/wiki/File_inclusion_vulnerability - Remote inclusion - I understand why a remote file inclusion is dangerous but why is there a button to turn it off? Is this to allow bad extensions to run? what issues does turning this option of solve?
- I think you got this backwords - because of badly coded extensions, you might need the extra security provided by RSFirewall!. Once again, false positives can occur, this is why we introduced a configurable option for it.
3) Can you point me to the documentation on joomla for this (i dont need technical/in-depth but just what it is)
- You can learn more Joomla! here:
https://docs.joomla.org/
https://developer.joomla.org/cms/documentation.html
https://api.joomla.org/
4) POSTs are used to submit forms all the way through joomla so what harm can turning this PHP scan on cause, ie false positives.
- It can essentially block legitimate submissions. For example, one of your forms incorporates a WYSIWYG editor. The editor can automatically add certain HTML elements (iframes, style, script tags) that can trigger an RSFirewall! alert. The elements in question are often used in hack attempts.
- WYSIWYG by their nature block these things getting posted HTML elements (iframes, style, script tags) . So if we ignore WYSIWYG for now and only consider $_POST,
- with this option on, all joomla $_POSTS are scanned for 'any' PHP code. ie base64(), eval()
- certain tags are removed or altered? can you confirm what they are (i think this is for the javascript section)
- When is the POST is blocked, are all posts blocked when any PHP code is found
- (iframes, style, script tags) are not strictly PHP, do you lump all HTML and PHP together or were you incorrectly referencing JS section
- You are assuming that everyone uses latest updates, but it is far from being the truth. Further to this, not every Joomla! installation has such filters in place (configurable). Yes, i mixed these up a little bit here. The PHP protection is designed to prevent a specific type of attack where hackers load their scripts via a local or remote resource. The GET method is the most common for such attacks. Having this enabled does not imply that it can break your site, but it can stop legitimate requests. You won't have problems with this using standard Joomla! functionality ( included extensions).
5) Can it affect the normal operation of a website. can you give examples of how this can break a site
- I think point 4, covers this as well.
- can you give 1 scenario where having $_POST scanned for PHP can break the site, i am trying to understand why by default you have this turned off? but also point 4 references Javascript scanner not PHP, you would never legitimatly post PHP code in a wysiwyg or form except a code module and this would only really be done in the admin.
- Yet again, it won't break anything, but it can stop legitimate requests. For example you are using a third party plugin that allows you to add PHP code just about anywhere. If you have this option turned, it will most likely block the POST if script signatures are detected.
- PHP $_POST - better on and in some small circumstances can cause false positives such as code modules. On a standard Joomla site this is better to have on.
- Yes, this is correct.
SQL
6) POSTs are used to submit forms all the way through joomla so what harm can turning this SQL scan on cause, ie false positives. Can it affect the normal operation of a website. can you give examples of how this can break a site?
- Yet again the same example as point 4. If the submitted value is used in a database query and not properly filtered (or escaped), it can stop normal SQL execution. Once this happens the hacker can execute his own queries.
- you say that SLQ $_POST scanning is not on by default because "If the submitted value is used in a database query and not properly filtered (or escaped), it can stop normal SQL execution. Once this happens the hacker can execute his own queries. " is this not what you scanner is supposed to stop and you are saying turning this on can break your site and let a hacker in.
- Having this enabled for POST would generate too much false positives.
- if this is to dangerous to have on, should it not be removed as an option, i thought all legitimate Mysql command would never be submitted by a post but stay within joomla files?
- If SQL $_POST causes so much issues why is it left as a feature. Because you segment between PHP/JS/SQL i just need to figure what attacks this feature would prevents vs the issues it causes.
- We shouldn't there be an extra protection available even though it can cause a lot of false positives? Perhaps there are some use case scenarios that can make use of this.
JS
7) Filter Javascript - By setting this to Yes, the Javascript will be filtered instead of the connection being dropped. In what circumstances would this be employed. Can you give an example
- We will consider yet again the example pointed at item 4. If a script signature is detected, RSFirewall! will eliminate (or scramble) the actual script from the POST without blocking the request.
- just to confirm the 'Filter Javascript' option will allow RSFirewall to remove/scramble
- ALL javascripts and <iframe>, <script>
- from $_POST and $_GET (this depends on 'Enable Protections for')
- without dropping the connection
- if this option is not on, the whole post is dropped
- what determines whether the script is removed or escaped? (this is useful so i know what will stay)
- should javascript scanner section be renamed to 'javascript and html' because <iframe> is html and not javascript, and this scanner looks for more than javascripts
- Yes, this is correct. From a hacking perspective this won't really make any difference - if the connection is being dropped, then the POST information won't be saved at all. If the filtering option is enabled the script will be scrambled (not removed) and can't be executed. Turnig "ifram" into "i-frame" isn't "escaping": http://php.net/manual/en/function.mysql-escape-string.php
- can you confirm the only translations are <iframe> --> <i-frame>, <s-cript> --> <s-cript> and <style> --> <s-tyle>
- These are just some common examples. If you wish to get a better understanding on how this works have a look here:
administrator/components/com_rsfirewall/helpers/xss.php
8) why is JS GET not turned on by default, does JS not use GET a lot of the time (ajax?)
- One of the reasons would be various tracking scripts that often use URL parameters of course. This would trigger (in our opinion) more false positives.
- thansk for the example, these tracking script would be incoming links from other websites and would these links be from 3rd party sources ie adwords or would this be something a client would need to set up 3rd party software on their website. I am trying to assertain on a basic joomla site if there would be times where this feature can cuase false positives to the detriment of the site with any extra software.
i.e a basic 4 page website with no 3rd party extensions would benefit from JS $_GET being turned on
ie. why have the option to turn this on if it does more harm than good? - If you read more on XSS attacks you will be able to understand how these manifest. For example you can inject in an article content a Javascript popup with "buy viagra".
All security related features cause false positives. - filling in the blanks here - turning on the $_GET for JS is an absolute must as it protects from XSS, but it can interfere with incoming tracking links or perhaps badly written internal 3rd party plugins but other than that there is no issue with it.
- Yes, this is correct.
9) can you give examples of how this can break a site
- XSS attacks: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
- XSS attacks - these are attacks and are not false positives or how JS $_GET would potential break a site? can you supply a scenario where turnsing $_GET would break my site or stop it working?
- Given that most (i won't say all) of the standard Joomla! functionality relies on POST not GET, then no, i can't provide such an example.
10) Does this feature control the warping of <script> and <iframe> to <s-cript> and <i-frame>
- Yes, this is correct. This is actually addressed here: https://www.rsjoomla.com/support/documentation/rsfirewall-user-guide/frequently-asked-questions/scrambled-tags-iframe-becomes-i-frame.html
General
11) In your tooltips you say that URL data (GET) enables filtering for variables that are located in the URL, but does your software not scan more that the URL because I have seen in the blocked attempts in my RSFirewall logs code in IP addresses and the referrer.
- Not sure i understand your question, but when an alert is triggered, some server related variables are being stored (IP and referrer).
- a request includes more that the actual URL, such as the IP address. In my RSFirewall i noticed hackers adding code in to the 'referer' or the 'ip' address showing they have created custom requests. Does RSFirewall scan these extra fields/data rather that just the URL or post variables?
i.e. that is not a proper IP i will now block you. - The referrer is not actually scanned, but RSFirewall! incorporates an option to block a request if it has a particular referrer. As for the IP address, you can't really insert scripts in a server side variable. I think you might have some idea about a particular bug available in a different security extension that was grabbing a proxy address, instead of the actual IP address. The short version of the answer would be "no".
PS: You can't communicate over networks without an IP address. - please see the attached image. it shows code in the IP block. I have also had this code in the referrer and i have seen it in a dodgy user agent as well. There are different types of dodgy code i have seen here but i am just using this one as an example to help answer the question. This is what i mean by no ip. Does RSFirewall check the environmental variables and then block them if dodgy.
- The reported IP address is wrong - this is a bug caused by Admin Tools that incorrectly replaces the IP address with that string. Please update Admin Tools (as I understand this has been fixed in their latest versions) or contact the extension's developers for a fix.
Uploads
- This scanner only works on files uploaded through the 2 entry points index.php and /administrator/index.php i.e. Joomla not the server
Questions not asked
- Add the PBLs that are used into the tooltip.
- What happens when you are on the block list, do you get a 404
- Does the DoS protection on work on POST “Protect forms from abusive IPs”
My Electronics Notes
This is for information I have not really done anything with or is to general to go elsewhere.
- Dave Johnson's BGA Rework Machine
- RE-7500
- Jovi Systems