[GLLUG] Securing Joomla

Daniel Hedlund daniel at digitree.org
Thu Oct 5 17:55:36 EDT 2006


Charles,

Charles Ulrich wrote:
> I think part of what Caleb was originally getting at was that we don't 
> currently have an HTTPS option for logging into the Joomla administrative 
> interface. This is because gllug.org lives on a server that hosts multiple 
> sites as VirtualHosts, all with the same IP address. In order to do SSL, we'd 
> have to assign gllug.org its very own routeable IP address which we've not 
> opted to do at this time.

Does the server you're currently running Joomla (and gllug.org) on 
already have another domain utilizing that IP address's HTTPS 
capabilities?  Contrary to what the Apache documentation might say, you 
can do a half-working version of name-based virtual hosting over HTTPS; 
everything just has to share the same certificate.  If you don't mind 
sharing the same SSL certificate between domains, and possibly getting a 
warning when connecting to domains other than the one on the 
certificate, I wouldn't see it as a big problem to share the certificate 
on the box...unless the other site is for a commercial company that has 
paid for their own official certificate.  I've done this before for 
personal use.  You can find an example of configuration changes required 
here:
http://www.onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html

Have you considered running a second instance of Apache's SSL server on 
a different port?  That would get around any problems with sharing a 
certificate, i.e. https://joomla.gllug.org:19876?  Also, an extension that


> For now, those with an administrative (or otherwise) account on gllug.org will 
> have to log in from a semi-trusted internet connection.

Well, within the trusted network of the gllug server if you're paranoid.
Another suggestion:

If there are very few people connecting to the Joomla server, and all of 
them could be trusted enough with a SSH username and password, you could 
consider [Open]SSH's built-in SSL tunneling/port forwarding, i.e.:
ssh -L 19876:localhost:80 joomla.gllug.org
firefox http://localhost:19876/

If running from Windows, PuTTY supports setting up port forwarding.  You 
could restrict the SSH account to not provide a shell to the user 
accounts and then have the [Open]SSH client use the -N argument to not 
start a running shell, but rather just do port forwarding alone. 
Instead of individual user accounts on the box, you could create a 
public-private keypair with ssh-keygen and have everyone share a single 
account dedicated for port forwarding to Joomla.  You could do this by 
giving each person their own private key or just give everyone you trust 
the same keypair; the latter being less secure if compromised since you 
would have to re-issue everyone the new private key each time instead of 
just an individual.

Hope these suggestions help.

Cheers,

Daniel Hedlund
daniel at digitree.org
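Added example (not from Daniel's post, and not gllug.org's actual configuration): a POSIX sh helper that builds the authorized_keys entry for a shared forward-only account as described above (no shell, no pty, forwarding allowed only to the web port), emits the matching client command, and checks an existing key line for the restrictions a defender would expect. The account name joomla-tunnel, the key path and the sample public key are assumptions.

```shell
#!/bin/sh
# Restricted SSH port-forwarding account for reaching Joomla's admin UI.
# Assumed names: joomla.gllug.org (from the thread), account joomla-tunnel,
# client key ~/.ssh/joomla_tunnel. Ports 19876 and 80 are from the thread.
TUNNEL_HOST="joomla.gllug.org"
TUNNEL_USER="joomla-tunnel"
LOCAL_PORT=19876
WEB_PORT=80

# Build one ~/.ssh/authorized_keys line for the shared account.
# command="/bin/false": any session request ends immediately, so there is no
#   shell; clients must use -N (forwarding only), which never opens a session.
# no-pty / no-agent-forwarding / no-X11-forwarding: remove the other channels.
# permitopen="localhost:80": -L may only target the web server on the box.
restricted_key_line() {
    pubkey="$1"
    printf 'command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="localhost:%s" %s\n' \
        "$WEB_PORT" "$pubkey"
}

# The client side: forward local 19876 to port 80 on the server's loopback,
# with -N so no remote command or shell is requested.
client_command() {
    printf 'ssh -N -i ~/.ssh/joomla_tunnel -L %s:localhost:%s %s@%s\n' \
        "$LOCAL_PORT" "$WEB_PORT" "$TUNNEL_USER" "$TUNNEL_HOST"
}

# Audit helper: return 0 if an authorized_keys line carries every restriction
# a forward-only account needs, 1 (listing what is missing) otherwise.
key_line_is_restricted() {
    line="$1"; missing=""
    for opt in 'command=' 'no-pty' 'no-agent-forwarding' 'no-X11-forwarding' 'permitopen='; do
        case "$line" in *"$opt"*) ;; *) missing="$missing $opt" ;; esac
    done
    [ -z "$missing" ] || { echo "missing restrictions:$missing" >&2; return 1; }
}

# Usage on a constructed (not real) public key.
if [ "${1:-}" = "--demo" ]; then
    restricted_key_line "ssh-ed25519 AAAAC3constructedkey constructed@example"
    client_command
fi
```

Give each trusted person their own key and append one such line per key; revoking one person is then a single-line deletion rather than re-issuing a shared keypair.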

