Joomla in IIS 7 : SEO Friendly URLs not working

Scenario

A Joomla website hosted on a Linux server is migrated to Windows, and several compatibility issues are reported. The rules in the .htaccess file do not work on Windows servers, which causes the website to malfunction. Here are the steps to deal with these issues.

Solution

For this to work in IIS, a web.config file should be created and the corresponding rules in .htaccess should be imported to the same file. Here is a sample web.config file. Copy the entire content.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Security Rule" stopProcessing="true">
          <match url="^(.*)$" ignoreCase="false" />
          <conditions logicalGrouping="MatchAny">
            <add input="{QUERY_STRING}" pattern="mosConfig_[a-zA-Z_]{1,21}(=|\%3D)" ignoreCase="false" />
            <add input="{QUERY_STRING}" pattern="base64_encode.*\(.*\)" ignoreCase="false" />
            <add input="{QUERY_STRING}" pattern="(\&lt;|%3C).*script.*(\>|%3E)" />
            <add input="{QUERY_STRING}" pattern="GLOBALS(=|\[|\%[0-9A-Z]{0,2})" ignoreCase="false" />
            <add input="{QUERY_STRING}" pattern="_REQUEST(=|\[|\%[0-9A-Z]{0,2})" ignoreCase="false" />
          </conditions>
          <action type="CustomResponse" url="index.php" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
        </rule>
        <rule name="SEO Rule">
          <match url="(.*)" ignoreCase="false" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" pattern="" ignoreCase="false" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" pattern="" ignoreCase="false" />
            <add input="{URL}" negate="true" pattern="^/index.php" ignoreCase="false" />
            <add input="{URL}" pattern="(/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$" />
          </conditions>
          <action type="Rewrite" url="index.php" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
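To check what the Security Rule in this web.config actually rejects before deploying it, the following added example (not part of the original post) runs its five conditions over constructed query strings. It uses Python's re module as a stand-in for the URL Rewrite regex engine and assumes {QUERY_STRING} is matched undecoded, which is why the rule lists %3C alongside <.

```python
import re

# Patterns copied from the "Security Rule" conditions, XML entities decoded
# (&lt; becomes <). The flag records ignoreCase="false"; the <script> condition
# has no ignoreCase attribute, and URL Rewrite then matches case-insensitively.
CONDITIONS = [
    (r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", True),
    (r"base64_encode.*\(.*\)", True),
    (r"(\<|%3C).*script.*(\>|%3E)", False),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", True),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", True),
]
COMPILED = [re.compile(p, 0 if case_sensitive else re.IGNORECASE)
            for p, case_sensitive in CONDITIONS]

# Constructed query strings, written as they would appear on the wire.
SAMPLES = [
    "option=com_content&view=article&id=5",   # ordinary Joomla request
    "mosConfig_absolute_path=x",              # legacy config override attempt
    "q=%3CSCRIPT%3Ealert%3C/SCRIPT%3E",       # encoded script tag, upper case
    "GLOBALS[x]=1",                           # PHP superglobal overwrite
    "a=_REQUEST%5Bb%5D=1",                    # same, with an encoded bracket
    "q=base64_encode(data)",                  # harmless search text, still blocked
]

def matching_conditions(query_string):
    """Indexes of the conditions that match; the patterns are unanchored."""
    return [i for i, rx in enumerate(COMPILED) if rx.search(query_string)]

def security_rule_status(query_string):
    """403 when any condition matches (logicalGrouping="MatchAny"), else None,
    in which case the request falls through to the SEO Rule."""
    return 403 if matching_conditions(query_string) else None

if __name__ == "__main__":
    for qs in SAMPLES:
        print(security_rule_status(qs), matching_conditions(qs), qs)
```

The last sample shows that the base64_encode condition also rejects legitimate requests whose query string merely mentions that function, so 403 responses from this rule are worth reviewing in the IIS logs after the migration.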

So, the web.config file is ready. Now the rules in .htaccess have to be converted for IIS. In IIS 6, you can make use of the ISAPI_REWRITE module. Go to http://www.isapirewrite.com/ to download it.

If you have IIS 7, here are the steps involved in converting those rules.

The x86 version of URL Rewrite module can be downloaded here : http://go.microsoft.com/?linkid=9722533

The x64 version of URL Rewrite module can be downloaded here : http://go.microsoft.com/?linkid=9722532

Install the module, restart the IIS manager. Choose the website in which you have to convert the rules (under Sites category). You will see the ‘URL Rewrite’ module in IIS.

Open it. Since the web.config file is already created with some predefined rules, you will see it as Inbound rules (by the Names – Security Rule and SEO Rule).

You can convert the rules in .htaccess file by accessing the ‘Import Rules’ under Inbound Rules category in the Actions pane.

Choose the .htaccess file and click Import. You will see the rules in the ‘Rewrite Rules’ section and the converted rules under ‘Converted Rules’. Click Apply in the Actions pane on the right-hand side to save these rules to the web.config file (if a web.config file was not created as mentioned earlier, it will be newly created). Make sure there are no conflicts in the conversion; watch the Summary at the bottom. There was a conflict when we did it, it’s shown here. In such cases, remove any unsupported rules and then click Apply.

Converting PHP to FastCGI

We have to do it from the Plesk control panel. If you don’t have administrator access, you may need to contact your Administrator. Others (Gods!) read on.

Select the Domain, go to Web Hosting Settings.

Scroll down to Services. Choose PHP support to run as FastCGI application.

Final Steps

Go to Joomla Administrator interface. Access Global Configuration from the main menu. Under SEO Settings, make sure the following are set to Yes

Search Engine Friendly URLs : Yes

Use Apache mod_rewrite : Yes

Done. From now on your Joomla website should work as smoothly as it did on the Linux server. Sit back and enjoy!


Plesk Windows Horde This request cannot be completed because the link you followed or the form you submitted was only valid for minutes. Please try again now.

The error when trying to log out is shown below, and it won’t let you log out either.

“This request cannot be completed because the link you followed or the form you submitted was only valid for minutes. Please try again now.”

Solution

Edit C:\inetpub\vhosts\webmail\horde\lib\horde.php (Drive Letter will depend on where you installed Webmail/Plesk and configured IIS to load virtual hosts from)

Search for the section containing "$_SESSION['horde_form_secrets'" in horde.php, and instead of

if ($_SESSION['horde_form_secrets'][$token] + $GLOBALS['conf']['urls']['token_lifetime'] * 60 < time()) {
    return PEAR::raiseError(sprintf(_("This request cannot be completed because the link you followed or the form you submitted was only valid for %s minutes"), $GLOBALS['conf']['urls']['token_lifetime']));
}

it should be

if (($_SESSION['horde_form_secrets'][$token] + $GLOBALS['conf']['urls']['token_lifetime']) * 60 < time()) {
    return PEAR::raiseError(sprintf(_("This request cannot be completed because the link you followed or the form you submitted was only valid for %s minutes"), $GLOBALS['conf']['urls']['token_lifetime']));
}

Note the extra parentheses around the sum (in red + bold).
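The arithmetic of the two conditions, worked through in Python as an added example (not code from Horde or from the original post): it shows when each form reports a token as expired, both for an empty token_lifetime (the error text above shows no number before "minutes") and for a 30-minute lifetime. It assumes the session value is the Unix time at which the token was issued and that token_lifetime is given in minutes; the timestamp is constructed.

```python
# Assumptions (not stated on the page): the session value is the Unix time at
# which the token was issued, and token_lifetime is in minutes; 0 models an
# empty or unset setting.
ISSUED_AT = 1_300_000_000  # constructed timestamp
ELAPSED = {"1 s": 1, "31 min": 31 * 60, "1 day": 86_400,
           "10 years": 10 * 365 * 86_400}

def expired_original(issued_at, lifetime_min, now):
    # issued + lifetime * 60 < time(): lifetime converted to seconds, then added
    return issued_at + lifetime_min * 60 < now

def expired_modified(issued_at, lifetime_min, now):
    # (issued + lifetime) * 60 < time(): the issue time itself is multiplied by 60
    return (issued_at + lifetime_min) * 60 < now

def verdicts(check, lifetime_min):
    """Map each elapsed-time label to True (rejected as expired) or False."""
    return {label: check(ISSUED_AT, lifetime_min, ISSUED_AT + secs)
            for label, secs in ELAPSED.items()}

def modified_validity_years(lifetime_min):
    """Years after issue at which the modified check would first reject."""
    seconds = (ISSUED_AT + lifetime_min) * 60 - ISSUED_AT
    return seconds / (365 * 86_400)

if __name__ == "__main__":
    for name, check in (("original", expired_original),
                        ("modified", expired_modified)):
        for lifetime in (0, 30):
            print(name, lifetime, verdicts(check, lifetime))
    print("modified form first rejects after about",
          round(modified_validity_years(30)), "years")
```

With a numeric $GLOBALS['conf']['urls']['token_lifetime'] the original condition expires tokens after that many minutes, whereas the parenthesised form removes the error by never expiring them at all.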


MSSQL – Two common issues while restoring a backup and their solutions

Two issues come up most often while restoring a database backup (usually a file in .bak format).

First error
System.Data.SqlClient.SqlError: The backup set holds a backup of a database other than the existing ‘user_database‘ database. (Microsoft.SqlServer.Express.Smo)

Solution for First error

  • Connect to the database server
  • Logging in to the web server

  • Go to the restore option and select Restore Database

  • On the Restore page that loads, make sure that the Destination for restore has the database you want to restore. Under Source for restore, choose From device, browse by clicking [..] and add the location where your database backup resides. You may need to browse to the backup. If you get permission denied, copy the .bak file into the MSSQL folder.

    Attaching the database backup file


  • Restore it. Make sure that the Restore Checkbox is selected. And Click OK. And get ready for the error :)

  • Here comes the first error: System.Data.SqlClient.SqlError: The backup set holds a backup of a database other than the existing ‘user_database’ database. (Microsoft.SqlServer.Express.Smo)
    The solution is to go to Options -> Overwrite Existing Database. But if you aren’t so lucky, you will be welcomed by another error, shown below. Its solution is to edit the path from D:\ to C:\, or whichever drive your MSSQL is installed on.

    System.Data.SqlClient.SqlError: Directory lookup for the file “D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\user_database.mdf” failed with the operating system error 3(The system cannot find the path specified.). (Microsoft.SqlServer.Express.Smo)

  • Both THE Solutions are in a single screen shot. The final screenshot :)

  • Just edit D:\ProgramFiles\Microsoft… to C:\ProgramFiles\Microsoft or whichever directory where you installed the MSSQL server. Don’t keep database server on your system drive C: though.

    Bad Request (Invalid Hostname) when accessing via IP

    The customer wanted to have a dedicated IP, but once I changed the IP from the Plesk control panel, I couldn’t get the website when it was accessed using the IP. Instead, it was giving me the Plesk control panel’s default page. Reason? The Default Website had its IP set to “All Unassigned”. I set that to the main IP address. But after that I was getting a new error.

    What I could get was “Bad Request (Invalid Hostname)” in bold letters. Here is what I did to fix the same.

    Start -> Run -> inetmgr -> Expand the (+) -> Websites -> Right click on the domain name -> Take Properties -> Website -> IP Address (make sure that it has the dedicated IP assigned there) and then click “Advanced”

    Add/Edit Web Site Identification

    IP Address : Choose the dedicated IP from drop down list
    TCP/IP Port : 80
    Host Header Value : Leave it blank (Important)

    Leaving the Host Header Value blank should fix the issue and fetch the website when accessing it using the IP.


    Initial Hardening or Securing and performance tweaking of a Windows Server 2003 – Part I

    I am hereby mentioning a brief howto on securing a default Windows Server 2003. 90% of the sages at SupportSages are Unix fanatics and I am a rebel belonging to the remaining 10% :) But often we get requests on securing Windows Servers, and hence I am briefing the basic steps we should take to secure a Windows server. As the lead sage says, security is a process which starts even before the installation of the OS or the design of a network and can’t be done in a day or two; just the initial hardening can be. So the steps mentioned here are just the initial hardening. I would love to add more based on your suggestions. I will mention the fundamentals of troubleshooting and fixing the permission issues of Windows in another post. This post is for a standalone server and not a member of an AD (Active Directory).

    For all the TUI/CLI guys out there: did you know MS Windows Server 2008 can run without a GUI? You just have to install Server Core. You can now command Windows to do what you want :-)

    Subscribe to MS’s Security bulletin list at http://technet.microsoft.com/hi-in/security/dd252948(en-us).aspx

    Disable all services you do not need

    Distributed File System
    Distributed Link Tracking Client
    Distributed Link Tracking Server
    Fax Service
    Indexing Service
    Netmeeting Remote Desktop Sharing
    Print Spooler
    Telnet

    Services you may or may not disable, if not already disabled. Usually a server installation turns these off. Did you know that out of 86 default installed services, 43 are disabled by default?

    ClipBook
    Computer Browser (On a server do you want this ?)
    Help and Support (Again, don’t you have other sages around you for this?)
    IMAPI CD-Burning COM Service (Don’t need this)
    Messenger
    Remote Registry
    TCP/IP NetBIOS Helper

    Harden the TCP/IP Stack

    Just like you do in Linux by editing sysctl.conf, you can configure various TCP/IP parameters in the Windows registry in order to protect against network-level denial of service attacks including SYN flood attacks, ICMP attacks and SNMP attacks. You can configure registry keys to:

    * Enable SYN flood protection when an attack is detected.
    * Set threshold values that are used to determine what constitutes an attack.

    Follow the HowTo at http://msdn.microsoft.com/en-us/library/aa302363.aspx

    Renaming the Administrator and Guest Account to something else.

    Follow the Howto @ http://support.microsoft.com/kb/816109

    In that Howto, the AD Users and Computers Snap in is taken by selecting “Start”, “Programs”, “Administrative Tools”, and “Active Directory Users and Computers” or by simply typing dsa.msc in the Start -> Run.

    Enabling HTTP Compression

    This is not security related, but may improve performance. Taken from a website and hence included here as well. But remember that the Horde error happening for the Middle East, which is described earlier in one of the posts, can creep in.

    Check out the URL http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d52ff289-94d3-4085-bc4e-24eb4f312e0e.mspx?mfr=true

    Disable parent paths (if enabled)

    If we are doing monthly management of the server, even if the customer asks to enable parent paths, don’t do it on the server of a hosting firm. There are lots of risks. The good thing is that in IIS 6.0 it is disabled by default. Ask the developers to use absolute paths. If it is enabled, disable it. But on a live production server, if it is enabled, communicate with the contact person for the firm before disabling parent paths, as it may break websites using them.

    • Start the Internet Services Manager (Start – Programs – Administrative Tools – Internet Services Manager)
    • Right click on the web site and select properties
    • Select the ‘Home Directory’ tab
    • Click the ‘Configuration’ button under the Application Settings
    • Select the ‘App Options’ tab
    • Uncheck the ‘Enable parent paths’ box and click Apply

    The article linked here says how to enable it: http://support.microsoft.com/kb/q226474/ . But it’s for reference only.

    Use Dedicated Application pools

    Again performance related. Always try to isolate websites using dedicated application pools. You can define them under IIS, or in many control panels it is just a click of a button or an option to be checked. An error in one dedicated pool will not affect other pools and hence other websites. This will also be helpful when troubleshooting / debugging issues.

    Changing the RDC or Remote desktop port

    Open the registry using regedit and browse the hive keys to

    HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp

    and then change the PortNumber value to a non-default port above 1024.

    On Server 2008, in addition to changing the registry value above, you also need to create a new Inbound TCP rule in your Windows firewall to allow connections on your new port. You can then disable the existing remote desktop inbound rule (which is hard coded to port 3389) and / or add a new one to allow your port. The command below should also work (replace NEW_PORT_NO with the port you chose).

    netsh advfirewall firewall add rule name="New Remote desktop" dir=in action=allow protocol=TCP localport=NEW_PORT_NO

    Refer http://support.microsoft.com/kb/947709 for more help on writing firewall rules.

    If working on a hacked or suspected hacked system, keep the Security Identifier list available at http://support.microsoft.com/kb/243330 handy.

    Lots of tools useful for forensics and daily auditing purposes will be coming on next post or even this post itself will get re-published. Till then read about IPTables equivalent in windows (oh..No..Kinda equivalent) http://support.microsoft.com/kb/813878


    About this blog

    This blog acts as a knowledge repository for the world and is unofficial! Anything we find interesting in the cyber world will go here. In most cases, this blog will reflect the happiness of our staff in reaching a successful solution to an issue (s)he worked on. It is a reference for other fellow SAGEs who come across similar issues later.