xF admin.php conflicts with existing redirect on server

[dvox]

I just did a successful install of xF and when I navigate to the "Admin Control Panel" I run into a conflict as there is an existing server-wide Apache redirect (rewrite rule) for "domain.com/admin/" over to "domain.com:2092/" which is the domain's cPanel control panel.

I copied the admin.php to a new file name thus avoiding the string "admin" and that works to get me to the Admin Control Panel Login screen but upon a successful log in I get a blank screen.

The HTML source code of that blank screen is making reference to "admin.php?login/csrf-token-refresh" which is why this is not going to be a good work-around.

Is there another solution short of having the entire server lose the Apache rewrite rule redirect?

 

[Dan]

What happens when you browse to domain.com/admin.php as opposed to domain.com/admin/?

 

[Dan]

Also, perhaps moving your xf install to a subdirectory may help, domain.com -> domain.com/forum/

Or it is possible everything I am telling you is rubbish. Just thinking out loud.

 

[Paul B]

Well the quickest and easiest solution would be to lose the rewrite.
Is there a specific reason why it's there in the first place?

The next option would be to move the installation to a sub directory, as goblues has suggested.
Naturally that will affect URLs as there will be an additional /<directory-name> in the string.

 

[dvox]

I'm glad you're trying. I have been going to the /admin.php rather than /admin/ but the server redirects it to the cPanel admin port. Even if I put it under domain/forum/ I would still need to access /admin.php which gets redirected.

It seems like the xF scripts are expecting things to be named a certain way.

 

[dvox]

The admin/ redirect was for backwards compaibility with the name convention used by the previous control panel before cPanel

I think you're right about losing the rewrite redirect and replacing with an actual PHP script in each user's directory that handles the redirect may be a better solution.

 

[James]

Is there another solution short of having the entire server lose the Apache rewrite rule redirect?

Ok. This requires getting into the code. This is the relevant code:

library/XenForo/Link.php

public static function buildAdminLink($type, $data = null, array $extraParams = array())
{
$type = self::_checkForFullLink($type, $fullLink, $fullLinkPrefix);

$link = self::_buildLink('admin', $type, $data, $extraParams);
$queryString = self::buildQueryString($extraParams);

if ($queryString !== '' && $link !== '')
{
$append = $link . '&' . $queryString;
}
else
{
// 1 or neither of these has content
$append = $link . $queryString;
}

if (($hashPos = strpos($type, '#')) !== false)
{
$append .= substr($type, $hashPos);
}

$outputLink = 'admin.php' . ($append !== '' ? '?' : '') . $append;
if ($fullLink)
{
$outputLink = $fullLinkPrefix . $outputLink;
}

return $outputLink;
}

You can see this line in there which specifies the file name:

$outputLink = 'admin.php' . ($append !== '' ? '?' : '') . $append;

If you change the file name here and then rename the file on your server then that will change the location of the Admin CP.

If you post a request in this forum then maybe some one can make an addon for this so you don't have to edit the files.

See if that helps, but you'll lose it during upgrades unless it can be converted to an add-on.

 

[dvox]

See if that helps, but you'll lose it during upgrades unless it can be converted to an add-on.

That is exactly what I was looking for. In fact, your suggestion about posting it as a potential add-on is a great one.

There is another good reason for such an add-on capability.
I see the hacker-bots attempting to brute force attack various PHP scripts all the time (coming from spoofed IPs).

They will look for things like phpMyAdmin that might be an older version that they can exploit and the bots will scan for every
possible common naming convention. In the past I have installed various packages and stayed far away from the default
name conventions for that reason.

It's not meant to be a perfect security solution but anything that slows them down or give you an alert that there is an
attempted compromise occurring is helpful.

 

[dvox]

See if that helps, but you'll lose it during upgrades unless it can be converted to an add-on.

Thanks again James. That change worked perfectly so far.

I posted that add-on request as well.

My only concern is that there are other references to admin.php. If I have any other problems I may update them as well.

In the event that it looks like an update of those other files are needed, I am posting those other references below:

install/data/templates.xml: <a href="admin.php" class="acp adminLink"><span class="itemLabel">{xenhrase admin_control_panel}</span></a>
install/data/templates.xml: <a href="admin.php">{xenhrase reopen_via_admin_control_panel}</a>
install/templates/install_complete.php: <p class="text"><a href="../admin.php" class="button primary">Enter your control panel</a></p>
install/templates/upgrade_complete.php: <p class="text"><a href="../admin.php" class="button primary">Enter your control panel</a></p>
install/templates/upgrade_login.php: <form action="../admin.php?login/login" method="post" class="xenForm">
js/xenforo/xenforo.js: XenForo.AutoComplete.defaultUrl = 'admin.php?users/search-name&_xfResponseType=json';

Does anything jump out to anyone that looks like an update of all these should be done?
I mean it's easy enough to just edit six more files but James is right about an add-on being a more elegant solution.

 

[James]

That's odd, all of XenForo's internal links usually use the {xen:link} function. If the links are hard-coded, you'll have to edit them manually.

Dvox, you might want to keep an eye on this thread:
http://xenforo.com/community/threads/which-code-event-listener-listens-to-link-php.15984/

 

[Jake Bunce]

I tested that modification when I made the post. Changing that one line of code updates all links within the Admin CP. That is the only change that is required. The other instances are just shortcuts to get to the Admin CP, like this one at the top of the forum:



You can just manually visit the new URL when you need to visit the Admin CP, rather than use the shortcut.

 

[Kaan SAKA]

I tested that modification when I made the post. Changing that one line of code updates all links within the Admin CP. That is the only change that is required. The other instances are just shortcuts to get to the Admin CP, like this one at the top of the forum:

View attachment 15067

You can just manually visit the new URL when you need to visit the Admin CP, rather than use the shortcut.

Is there any other way to change this ?
I cant find a way to change this manually ?