Geeklog Forums
GL 1.41 - 1.50 admin from internal trusted network
My GL server site resides on a DMZ network behind a couple of NAT'd firewalls. The user network sits off the last firewall boundary and is also NAT'd. Connecting to the GL 1.41 server from the trusted network was enabled by deleting the URL from config.php (Thank you Dirk for this resolution). The network GL server uses a Dynamic IP which is registered to the internet using a free Dynamic IP service.
I had a couple of challenges when upgrading to 1.50 so I ended up doing a fresh install. Since I did the installation from inside the trusted network the configuration used the server's internal private IP address which made the server unreachable from the outside. I then reinstalled it from an outside platform and got the correct URL configurations but was met again being unable to connect from the inside trusted network. Going to the admin configuration option I removed the URL from the configurations line and was able to access the GL server from both the inside trusted network and from outside. I was able to upload files as a user but could not do any admin functions from the internal network (most likely since there is now an admin configuration with the URL in the configuration line). This was evident when trying to use the admin feature to make GL backups (exporting the db using phpmyadmin still worked).
My question at this time is: If I remove both the URL lines in the configuration settings (URL and URL/admin) would I be breaking something or creating a vulnerability? I did figure out how to use phpmyadmin and hand edit the gl_config_values and re-instate the URL with character count. Once I reinstated the correct URL the internal db backup feature worked from the outside connection.
Aside from not being able to install the advt plugin with 1.50, the system seems good to go. I did want to make the GL server available to the internal trusted network as well as access from the internet. Just did not want to create unwanted vulnerabilities or problems by removing the URL configurations.
Thank you in advance, JohnF
mevans
Forum User
Full Member
Registered: 02/08/04
Posts: 393
Location:Texas
John,
You can't remove the admin URL completely or you will break access to the admin functions. Instead, change it from
http://www.yoursite.com/admin
to
/admin
That should get you access from both the internal and external networks.
Thanks!
Mark
mst3kroqs
Forum User
Regular Poster
Registered: 10/18/05
Posts: 78
Location:Cary, NC USA
Quote by: mevans
John,
You can't remove the admin URL completely or you will break access to the admin functions. Instead, change it from
http://www.yoursite.com/admin
to
/admin
That should get you access from both the internal and external networks.
Thanks!
Mark
Another trick is that you could try overriding the local DNS resolution of the public host name with a HOSTS file entry.
Let's say you have GL installed on an internal system:
www.internal.net (192.168.1.10) ..
and you NAT this to an external/public dynamic address with an assigned domain name of www.external.com.
Assuming you have installed GL with a 'www.external.com' identity, e.g. this is what its $_CONF['site_url'] is in the configuration, then all should work OK for external users, and regardless of what the actual external address is (this changes of course in dynamic environments) - for internal users, you can add the following line to the workstation HOSTS file:
192.168.1.10 www.external.com
In Windows 2000 and beyond, this can be found in:
C:\Windows\System32\drivers\etc
Now, everything should work without having to truncate to relative paths.
-m
AA6QN
Forum User
Junior
Registered: 12/30/06
Posts: 16
Hmm, Mark's input does work with the exception of GL db backups (which can be done from phpmyadmin).
I do have the internal IP www.external.net in the hosts file. Looking at the nsswitch.conf, I do have "files dns". The internal workstations are pointing for their dns lookups but I think it's the pfSense firewall which is outboard of the server. I will do some more testing.
Thank you for the tips!
JohnF
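A check for the HOSTS-file override suggested in this thread, as an added example that is not part of any forum post: it parses HOSTS-format text and reports whether the host name in `site_url` maps to the server's internal address. The function names, status strings and sample file are constructed for illustration, and the code assumes the first matching line wins.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample HOSTS content using the thread's example name and address.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
192.168.1.10   www.external.com    # internal address of the GL server
203.0.113.7    www.external.com    # duplicate name further down the file
192.168.1.10   www.external.net    # a different name; does not cover .com
"""

def parse_hosts(text):
    """Return [(ip, [names])] in file order; comments and bad lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((ip, [n.lower().rstrip(".") for n in fields[1:]]))
    return entries

def check_override(hosts_text, site_url, internal_ip):
    """Classify whether the HOSTS text maps site_url's host to internal_ip."""
    host = (urlsplit(site_url).hostname or "").rstrip(".")
    expected = ipaddress.ip_address(internal_ip)
    matches = [ip for ip, names in parse_hosts(hosts_text) if host in names]
    if not matches:
        return "missing"            # no line names the host used in site_url
    if matches[0] != expected:
        return "wrong-address"      # assumption: the first matching line wins
    if any(ip != expected for ip in matches[1:]):
        return "ok-but-shadowed-duplicate"
    return "ok"
```

On a workstation, pass the contents of the real hosts file and compare the outcome with `socket.gethostbyname()` for the same name; if the two disagree, the resolver is not answering from that entry.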