Gallery 3 runs on Windows 2008 R2 x64 and IIS 7.5
Aren Cambre
Joined: 2007-09-27
Posts: 57
Posted: Tue, 2009-08-18 17:22
I got Gallery 3 running on IIS 7.5 on Windows 2008 x64 R2. See http://arencambre.com/blog/2009/08/18/gallery-3-windows-2008-r2-and-iis-7/. It was much easier than I recall with PHP 5.2 or IIS 6, and Windows 7's URL Rewrite module is a nice addition. Now if some API could be released...

Posts: 802
What about the .htaccess stuff that prevents people from getting into the var directory? If you remove the full size permission, G3 creates more .htaccess files to protect your images.
Posts: 10643
Which is exactly why only Apache is supported for a web server.
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here
Posts: 57
That seems backwards. .htaccess is web server configuration and generally shouldn't be used for "run of the mill" app configuration. Usually it's set once and only changed for major application changes. Everything else should be in application logic.
Posts: 802
Backwards or not that's the way it is. Take a look at the G3 FAQ.
Posts: 10643
That's the way it is in G2 and it's a decent performance hit. Using .htaccess is the way it was decided upon in G3. That's why ONLY Apache, Linux and MySQL are supported. We are taking advantage of specific technologies on those platforms. If it runs under anything else, good, but it's not supported and you'll probably hear (at least from me) "Windows isn't supported" and even more so "IIS isn't supported". Windows issue that I think can be worked around, I might spend some time on helping. IIS issues, however minor I think it may be, I won't even spend 1/2 a second considering helping, I just won't.
I don't like IIS and, now that it's been decided that it's not supported, I'm not going to waste my time with it. Some other volunteer might, but I'm not.
Posts: 57
Ok, I see this now:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule (.*) /gallery3/index.php/file_proxy/$1 [L]
</IfModule>
<IfModule !mod_rewrite.c>
  Order Deny,Allow
  Deny from All
</IfModule>
As long as all files are proxied and no hint is given to the user of the file's path or name on the file system (which I think would be a best practice in any web-proxied filesystem), you may have a reasonable security scheme with IIS since directory browsing is denied by default. Someone would have to guess the file's full web path to get to it.
However, ideal security would have all files in a part of the filesystem that is not browseable. And that could be done by adding a web.config instead of (in addition to?) the .htaccess. Here's that directory's web.config for my server:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Imported Rule 1-1" stopProcessing="true">
          <match url="(.*)" ignoreCase="false" />
          <action type="Rewrite" url="/gallery3/index.php/file_proxy/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
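
An added example (not from any poster in this thread and not Gallery's own code): a Python audit that walks a var/ tree and lists directories where a file_proxy .htaccess exists but no web.config with an equivalent, enabled catch-all rewrite sits beside it, which is the gap this thread discusses for IIS without an .htaccess-compatible module. The function names are hypothetical, the directory layout and file contents are constructed, and only the same directory is checked, so a rule inherited from a parent web.config is still reported as a gap.

```python
import re, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PROXY = "index.php/file_proxy/"  # rewrite target in the thread's configs; samples are constructed
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+\S*" + re.escape(PROXY), re.M)
HTACCESS = "RewriteEngine On\nRewriteRule (.*) /gallery3/index.php/file_proxy/$1 [L]\n"
WEBCONFIG = ('<configuration><system.webServer><rewrite><rules>'
             '<rule name="Imported Rule 1-1" stopProcessing="true"{attr}>'
             '<match url="(.*)" ignoreCase="false" /><action type="Rewrite" '
             'url="/gallery3/index.php/file_proxy/{{R:1}}" /></rule>'
             '</rules></rewrite></system.webServer></configuration>')

def webconfig_proxies(path):
    """True if web.config holds an enabled catch-all rewrite to file_proxy."""
    try:
        rules = ET.parse(path).getroot().iterfind("./system.webServer/rewrite/rules/rule")
    except (OSError, ET.ParseError):  # missing or malformed: treat as unprotected
        return False
    for rule in rules:
        match, action = rule.find("match"), rule.find("action")
        if (match is not None and action is not None and match.get("url") == "(.*)"
                and rule.get("enabled", "true").lower() != "false"
                and action.get("type") == "Rewrite" and PROXY in action.get("url", "")):
            return True
    return False

def unprotected_on_iis(var_root):
    """Dirs restricted by a file_proxy .htaccess with no equivalent web.config beside it."""
    return sorted(h.parent.relative_to(var_root).as_posix()
                  for h in Path(var_root).rglob(".htaccess")
                  if RULE.search(h.read_text(encoding="utf-8"))
                  and not webconfig_proxies(h.parent / "web.config"))

def build_sample_tree(root):
    """Constructed var/ tree: dir -> (.htaccess present?, web.config rule attr or None)."""
    layout = {"albums/Album_1": (False, None), "albums/Album_2": (True, None),
              "albums/Album_3": (True, ""), "resizes/Album_2": (True, ' enabled="false"')}
    for rel, (restricted, attr) in layout.items():
        d = Path(root, rel)
        d.mkdir(parents=True)
        if restricted:
            (d / ".htaccess").write_text(HTACCESS, encoding="utf-8")
        if attr is not None:
            (d / "web.config").write_text(WEBCONFIG.format(attr=attr), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(unprotected_on_iis(build_sample_tree(tmp)))
```

On the constructed tree it reports the directory with no web.config and the one whose rule is disabled, and skips the public album and the directory with a matching rule.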
Posts: 802
No one in this thread is asking you to help. Apache, Linux, and MySQL are supported not really because of specific technologies, but because the dev team just didn't want to put in provisions for them. I was on the devel list when those decisions were made. No one said we want to use such and such technology. They just said we want to make it easier for us (understandable) and not support anything but the LAMP stack.
I just wanted to let Aren and anyone else seeing this thread know that there might be an image security problem using his IIS approach.
Posts: 10643
Yes, doing that would force all requests for images through the proxy. I've actually played with that idea to use Lighttpd instead of Apache for use on my server and still be able to use G3's permission system.
The path is www.example.com/gallery3/var/albums
You don't need to know the file system path. The "image firewall" does not exist in G3 like it does in G2.
But if it's got the rewrite rule in .htaccess, even if you try to access the image directly you'll be redirected through the file_proxy and won't get the image if you don't have access anyway.
One downside to redirecting all traffic through the proxy as it's currently designed (as far as I can tell) is that you wouldn't be able to hotlink to images on forums and such like you can with G2. But I guess you could hand edit those .htaccess files a bit more. I don't know if G3 will just wipe any changes you make to .htaccess if you change permissions through G3's UI. Oh, just tested, yes, G3 will wipe out any changes you manually make to the .htaccess file.
I don't think that would work with Apache, but I think you'd be editing httpd.conf. Is what you posted the equivalent of httpd.conf for Apache? But if that does work with IIS, please add it to the documentation, you'll need to create a new page:
http://codex.gallery2.org/Category:Gallery_3
Posts: 57
That's not the full path. You still have to know the album name and file name--although now that I look more, maybe those are easier to guess than I realized.
But if a fully-proxied filesystem was adopted, all media assets could be dumped in one directory and have GUIDs for their names.
No, as long as the proxy has a unique URL for each image, there should be no problem.
Man, I just don't have a good feeling about this. I am not comfortable with apps that can configure my web server like that. I am OK with a .htaccess being included in the app's filesystem but far less comfortable with apps that freely create or modify .htaccess files.
Correct, won't work with Apache. But web.config is the IIS analogue to .htaccess. A kludgy solution could be to write both files to the filesystem, but that may make LAMP purists soil their panties.
Posts: 246
Does this mean it's currently impossible for Gallery 3 to restrict access to images in var/albums when running on an IIS server?
Posts: 10643
Not just IIS, but any server that is not Apache or doesn't use URL Rewriting and .htaccess exactly like Apache does, which I believe is only Apache.
You can use the modification that Aren posted above. For Lighttpd you should be able to use a similar concept in lighttpd.conf or for nginx wherever you configure rewriting. I think the same could be done for any other server that supports rewriting of some sort. Since that's a pretty simple rule I'd think you'd be able to configure any server that supports rewriting to do that. It's just most likely going to be that you have to force ALL thumbs, resized and full sizes through the file_proxy instead of being selective if you've only set permissions on a few albums.
Posts: 246
So let's say that I set up two test albums, let's call them Album 1 and Album 2. Let's say that I then go into the permissions for Album 2 and set it so that only registered users can view a picture's full size. If I then upload a picture into each album, and manually point the web browser to the picture's location in var/albums, Album 1 works like you'd expect (the picture is viewable):
http://eric2001.brinkster.net/gallery3/var/albums/Album_1/scantron.png
And the Album 2 picture doesn't load (Gallery error message):
http://eric2001.brinkster.net/gallery3/var/albums/Album_2/scantron.png
As far as I can tell I'm on an IIS server -- phpinfo.php
It seems to me that Gallery is restricting access to the second image, would that not be considered normal behavior then?
Posts: 57
Since phpinfo() reveals web server type, Gallery could determine if a server is IIS and use the web.config file specified above instead of .htaccess.
But that would require a more mature non-LAMP support policy than "nanny nanny boo boo, stick your head in doo doo."
The "nothing but LAMP" stance is especially baffling given Microsoft's overtures to Gallery2, making it one of the top 3 PHP apps they promote on their PHP on IIS7 main page.
Posts: 10643
rWatcher, perhaps IIS is reading the .htaccess file, I have no idea. I've not used IIS very much to really know it.
It has nothing to do with that. It has to do with there isn't a single person on the Gallery core team that knows IIS (or MS SQL, etc) to support them. If you want to dedicate hours every week for the next several years, 5+?, while G3 exists, to being the sole programmer and support person for windows support then there's something that can be talked about. But so far it's just been a few people making some noise and nobody really stepping up to the plate.
We've already been to this show with G2. It was a tremendous amount of work to support multiple platforms. G2 includes the kitchen sink, G3 has more focus.
Posts: 57
I appreciate G3's focus very much. But the IIS support landscape has changed drastically since G2: IIS 7 is out, Microsoft is making a large push to support PHP, and PHP 5.3 has significant Windows support improvements.
So far we found one easy-to-resolve IIS issue. Everything else just works.
Posts: 10643
Well that's the beauty of git. You can fork the main code, make changes and it's pretty easy to implement new changes from the main code into your fork.
Posts: 57
Unfortunately, that's still the non-LAMP support policy of "nanny nanny boo boo, stick your head in doo doo."
Posts: 246
If anyone's interested, I've figured out why my IIS web host is able to use .htaccess files. It seems they have a module called "ISAPI_Rewrite" installed on the servers, which "is compatible with Apache mod_rewrite syntax, which makes it possible to move configurations from Apache to IIS and vice versa just by copying .htaccess files". More information on it can be found here. It's probably worth noting that this module is definitely not free, but it does seem to work as a solution to the IIS/Gallery/.htaccess issue.
Posts: 57
We use it at work. It's a good module, but like you say it's not free at all, plus you may have trouble getting shared hosts to support it if they don't do so already.
Posts: 1
Just in case this helps anyone...
I deployed Gallery3 on my webhost's IIS server (brinkster - pro account), which also uses the HeliconTech mod_rewrite.
I came across an issue where, when trying to edit permissions on an album, I got the following message:
"Oh no! Your server needs a configuration change in order for you to hide photos!"
A bit of digging later, and it turns out that gallery tries to validate your htaccess settings by creating the following directory
gallery3/var/temp/security_test
It then creates a .htaccess file with a simple rewrite and a file called "success" to redirect to.
It hits a url, and checks that the "success" file is served up properly.
However, my webhost does not support serving up files without an extension, so this fails - resulting in the above error message.
The following change makes it work.
In gallery3/modules/gallery/helpers/access.php, change line 642 from
$success_url = url::file("var/tmp/security_test/success");
to
$success_url = url::file("var/tmp/security_test/success.html");
and line 651 from
if ($fp = @fopen(VARPATH . "tmp/security_test/success", "w+")) {
to
if ($fp = @fopen(VARPATH . "tmp/security_test/success.html", "w+")) {
Posts: 246
I get that error too (also using an IIS/brinkster pro account). As far as I can tell, Gallery still hides albums and blocks access to full size photos despite this error message, so I've just been ignoring it. But it's nice to be able to make the error go away, so thanks for figuring out the issue.
I've created a ticket for you here:
http://sourceforge.net/apps/trac/gallery/ticket/830
Maybe someone will incorporate this back into Gallery.
Posts: 2
Hi. I am new to web sites and have just installed the win2k8r2 version and followed the procedure (http://arencambre.com/blog/2009/08/18/gallery-3-windows-2008-r2-and-iis-7/comment-page-1/#comment-42789), but when I try to follow item 6, "Visit http://localhost/phpmyadmin, sign in using your MySql’s root account", it fails to load the login page, giving the following error:
Error Summary
HTTP Error 403.14 – Forbidden
The Web server is configured to not list the contents of this directory.
Detailed Error Information
Module DirectoryListingModule
Notification ExecuteRequestHandler
Handler StaticFile
Error Code 0x00000000
Requested URL http://localhost:80/phpmyadmin/
Physical Path C:\inetpub\wwwroot\phpmyadmin\
Logon Method Anonymous
Logon User Anonymous
I did post this and another error on that website but was directed here.
Can you help please?