Gallery 3 runs on Windows 2008 R2 x64 and IIS 7.5

Aren Cambre

Joined: 2007-09-27
Posts: 58
Posted: Tue, 2009-08-18 17:22

I got Gallery 3 running on IIS 7.5 on Windows 2008 x64 R2. See http://arencambre.com/blog/2009/08/18/gallery-3-windows-2008-r2-and-iis-7/.

It was much easier than I recall with PHP 5.2 or IIS 6, and Windows 7's URL Rewrite module is a nice addition.

Now if some API could be released... :-)

 
lvthunder

Joined: 2003-09-12
Posts: 808
Posted: Tue, 2009-08-18 20:20

What about the .htaccess stuff that prevents people from getting into the var directory? If you remove the full size permission g3 creates more .htaccess files to protect your images.

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Tue, 2009-08-18 20:36

Which is exactly why only Apache is supported for a web server.
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

 
Aren Cambre

Joined: 2007-09-27
Posts: 58
Posted: Tue, 2009-08-18 20:57
lvthunder wrote:
What about the .htaccess stuff that prevents people from getting into the var directory? If you remove the full size permission g3 creates more .htaccess files to protect your images.

That seems backwards. .htaccess is web server configuration and generally shouldn't be used for "run of the mill" app configuration. Usually it's set once and only changed for major application changes. Everything else should be in application logic.

 
lvthunder

Joined: 2003-09-12
Posts: 808
Posted: Tue, 2009-08-18 21:14
Aren Cambre wrote:
That seems backwards. .htaccess is web server configuration and generally shouldn't be used for "run of the mill" app configuration. Usually it's set once and only changed for major application changes. Everything else should be in application logic.

Backwards or not that's the way it is. Take a look at the G3 FAQ.

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Tue, 2009-08-18 21:16
Quote:
Everything else should be in application logic.

That's the way it is in G2 and it's a decent performance hit. Using .htaccess is the way it was decided upon in G3. That's why ONLY Apache, Linux and MySQL are supported. We are taking advantage of specific technologies on those platforms. If it runs under anything else, good, but it's not supported and you'll probably hear (at least from me) "Windows isn't supported" and even more so "IIS isn't supported". Windows issue that I think can be worked around, I might spend some time on helping. IIS issues, however minor I think it may be, I won't even spend 1/2 a second considering helping, I just won't :) I don't like IIS and, now that it's been decided that it's not supported, I'm not going to waste my time with it. Some other volunteer might, but I'm not.

 
Aren Cambre

Joined: 2007-09-27
Posts: 58
Posted: Tue, 2009-08-18 21:21

Ok, I see this now:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule (.*) /gallery3/index.php/file_proxy/$1 [L]
</IfModule>
<IfModule !mod_rewrite.c>
  Order Deny,Allow
  Deny from All
</IfModule>

As long as all files are proxied and no hint is given to the user of the file's path or name on the file system (which I think would be a best practice in any web-proxied filesystem), you may have a reasonable security scheme with IIS since directory browsing is denied by default. Someone would have to guess the file's full web path to get to it.

However, ideal security would have all files in a part of the filesystem that is not browseable. And that could be done by adding a web.config instead of (in addition to?) the .htaccess. Here's that directory's web.config for my server:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Imported Rule 1-1" stopProcessing="true">
          <match url="(.*)" ignoreCase="false" />
          <action type="Rewrite" url="/gallery3/index.php/file_proxy/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

 
lvthunder

Joined: 2003-09-12
Posts: 808
Posted: Tue, 2009-08-18 21:24
nivekiam wrote:
Quote:
Everything else should be in application logic.

That's the way it is in G2 and it's a decent performance hit. Using .htaccess is the way it was decided upon in G3. That's why ONLY Apache, Linux and MySQL are supported. We are taking advantage of specific technologies on those platforms. If it runs under anything else, good, but it's not supported and you'll probably hear (at least from me) "Windows isn't supported" and even more so "IIS isn't supported". Windows issue that I think can be worked around, I might spend some time on helping. IIS issues, however minor I think it may be, I won't even spend 1/2 a second considering helping, I just won't :) I don't like IIS and, now that it's been decided that it's not supported, I'm not going to waste my time with it. Some other volunteer might, but I'm not.

No one in this thread is asking you to help. Apache, Linux, and MySQL are supported not really because of specific technologies, but because the dev team just didn't want to put in provisions for them. I was on the devel list when those decisions were made. No one said we want to use such and such technology. They just said we want to make it easier for us (understandable) and not support anything but the LAMP stack.

I just wanted to let Aren and anyone else seeing this thread know that there might be an image security problem using his IIS approach.

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Tue, 2009-08-18 21:49
Quote:
As long as all files are proxied and no hint is given to the user of the file's path or name on the file system (which I think would be a best practice in any web-proxied filesystem), you may have a reasonable security scheme with IIS since directory browsing is denied by default.

Yes doing that would force all requests for images through the proxy. I've actually played with that idea to use Lighttpd instead of Apache for use on my server and still be able to use G3's permission system.

Quote:
Someone would have to guess the file's full web path to get to it.

The path is www.example.com/gallery3/var/albums :) You don't need to know the file system path. The "image firewall" does not exist in G3 like it does in G2.

But if it's got the rewrite rule in .htaccess, even if you try to access the image directly you'll be redirected through the file_proxy and won't get the image if you don't have access anyway.

One downside to redirecting all traffic through the proxy as it's currently designed (as far as I can tell) is that you wouldn't be able to hotlink to images on forums and such like you can with G2. But I guess you could hand edit those .htaccess files a bit more. I don't know if G3 will just wipe any changes you make to .htaccess if you change permissions through G3's UI. Oh, just tested, yes, G3 will wipe out any changes you manually make to the .htaccess file.

Quote:
However, ideal security would have all files in a part of the filesystem that is not browseable. And that could be done by adding a web.config instead of (in addition to?) the .htaccess. Here's that directory's web.config for my server:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Imported Rule 1-1" stopProcessing="true">
          <match url="(.*)" ignoreCase="false" />
          <action type="Rewrite" url="/gallery3/index.php/file_proxy/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

I don't think that would work with Apache, but I think you'd be editing httpd.conf. Is what you posted the equivalent of httpd.conf for Apache? But if that does work with IIS, please add it to the documentation, you'll need to create a new page:
http://codex.gallery2.org/Category:Gallery_3


 
Aren Cambre

Joined: 2007-09-27
Posts: 58
Posted: Tue, 2009-08-18 22:16
nivekiam wrote:
The path is www.example.com/gallery3/var/albums :) You don't need to know the file system path. The "image firewall" does not exist in G3 like it does in G2.

That's not the full path. You still have to know the album name and file name--although now that I look more, maybe those are easier to guess than I realized. :-( But if a fully-proxied filesystem was adopted, all media assets could be dumped in one directory and have GUIDs for their names.

nivekiam wrote:
One downside to redirecting all traffic through the proxy as it's currently designed (as far as I can tell) is that you wouldn't be able to hotlink to images on forums and such like you can with G2.

No, as long as the proxy has a unique URL for each image, there should be no problem.

nivekiam wrote:
But I guess you could hand edit those .htaccess files a bit more. I don't know if G3 will just wipe any changes you make to .htaccess if you change permissions through G3's UI. Oh, just tested, yes, G3 will wipe out any changes you manually make to the .htaccess file.

Man, I just don't have a good feeling about this. I am not comfortable with apps that can configure my web server like that. I am OK with a .htaccess being included in the app's filesystem but far less comfortable with apps that freely create or modify .htaccess files.

nivekiam wrote:
Quote:
However, ideal security would have all files in a part of the filesystem that is not browseable. And that could be done by adding a web.config instead of (in addition to?) the .htaccess. Here's that directory's web.config for my server:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Imported Rule 1-1" stopProcessing="true">
          <match url="(.*)" ignoreCase="false" />
          <action type="Rewrite" url="/gallery3/index.php/file_proxy/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

I don't think that would work with Apache, but I think you'd be editing httpd.conf. Is what you posted the equivalent of httpd.conf for Apache?

Correct, won't work with Apache. But web.config is the IIS analogue to .htaccess. A kludgy solution could be to write both files to the filesystem, but that may make LAMP purists soil their panties.
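
Added example, not part of any post in this thread and not Gallery code: a Python sketch of the "write both files" idea, mirroring each .htaccess rewrite found under var/ into an IIS URL Rewrite web.config like the one posted above. It goes slightly beyond the thread by also mapping the [NC] flag; the rule name, the marker comment and the function names are assumptions, and the "Deny from All" fallback for a missing rewrite module has no counterpart in the generated file.

```python
import re
import tempfile
from pathlib import Path
from xml.sax.saxutils import quoteattr

MARKER = "<!-- mirrored from .htaccess -->"  # constructed marker, not an IIS feature
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.M)
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
{marker}
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="g3 file_proxy" stopProcessing="{stop}">
          <match url={pattern} ignoreCase="{icase}" />
          <action type="Rewrite" url={target} />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""

def htaccess_to_webconfig(text):
    """Translate the first RewriteRule in text to a web.config, or None."""
    if (m := RULE_RE.search(text)) is None:
        return None
    flags = {f.strip().upper() for f in (m.group(3) or "").split(",")}
    target = re.sub(r"\$(\d)", r"{R:\1}", m.group(2))  # $1 -> {R:1}
    return TEMPLATE.format(
        marker=MARKER, pattern=quoteattr(m.group(1)), target=quoteattr(target),
        stop=str("L" in flags).lower(),    # [L]  -> stopProcessing="true"
        icase=str("NC" in flags).lower())  # [NC] -> ignoreCase="true"

def sync_webconfigs(var_root):
    """Mirror rewrite .htaccess files under var_root; return (written, removed)."""
    root, written, removed = Path(var_root), [], []
    for ht in sorted(root.rglob(".htaccess")):
        xml, wc = htaccess_to_webconfig(ht.read_text()), ht.with_name("web.config")
        if xml and (not wc.exists() or wc.read_text() != xml):
            wc.write_text(xml)
            written.append(ht.parent.relative_to(root).as_posix())
    # .htaccess gone: remove only web.config files that carry our marker.
    for wc in sorted(root.rglob("web.config")):
        if not (wc.parent / ".htaccess").exists() and MARKER in wc.read_text():
            wc.unlink()
            removed.append(wc.parent.relative_to(root).as_posix())
    return written, removed

def demo():
    """Constructed var/ tree holding the rule quoted in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        album = Path(tmp, "albums", "Album_2")
        album.mkdir(parents=True)
        (album / ".htaccess").write_text(
            "<IfModule mod_rewrite.c>\nRewriteEngine On\n"
            "RewriteRule (.*) /gallery3/index.php/file_proxy/$1 [L]\n</IfModule>\n")
        first = sync_webconfigs(tmp)
        xml = (album / "web.config").read_text()
        (album / ".htaccess").unlink()  # simulate the .htaccess being removed
        return first, sync_webconfigs(tmp), xml

if __name__ == "__main__":
    print(demo())
```

Because G3 rewrites its .htaccess files when permissions change through the UI, the mirror only stays accurate if it is re-run after each permission change.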

 
rWatcher

Joined: 2005-09-06
Posts: 722
Posted: Wed, 2009-08-19 04:37

Does this mean it's currently impossible for Gallery 3 to restrict access to images in var/albums when running on an IIS server?

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Wed, 2009-08-19 05:08

Not just IIS, but any server that is not Apache or doesn't use URL Rewriting and .htaccess exactly like Apache does, which I believe is only Apache.

You can use the modification that Aren posted above. For Lighttpd you should be able to use a similar concept in lighttpd.conf or for nginx wherever you configure rewriting. I think the same could be done for any other server that supports rewriting of some sort. Since that's a pretty simple rule I'd think you'd be able to configure any server that supports rewriting to do that. It's just most likely going to be that you have to force ALL thumbs, resized and full sizes through the file_proxy instead of being selective if you've only set permissions on a few albums.

 
rWatcher

Joined: 2005-09-06
Posts: 722
Posted: Wed, 2009-08-19 05:40

So let's say that I set up two test albums, let's call them Album 1 and Album 2. Let's say that I then go into the permissions for Album 2 and set it so that only registered users can view a picture's full size. If I then upload a picture into each album, and manually point the web browser to the picture's location in var/albums, Album 1 works like you'd expect (the picture is viewable):
http://eric2001.brinkster.net/gallery3/var/albums/Album_1/scantron.png
And the Album 2 picture doesn't load (Gallery error message):
http://eric2001.brinkster.net/gallery3/var/albums/Album_2/scantron.png

As far as I can tell I'm on an IIS server -- phpinfo.php

Quote:
Microsoft-IIS/6.0

It seems to me that Gallery is restricting access to the second image, would that not be considered normal behavior then?

 
Aren Cambre

Joined: 2007-09-27
Posts: 58
Posted: Wed, 2009-08-19 13:28

Since phpinfo() reveals web server type, Gallery could determine if a server is IIS and use the web.config file specified above instead of .htaccess.

But that would require a more mature non-LAMP support policy than "nanny nanny boo boo, stick your head in doo doo."

The "nothing but LAMP" stance is especially baffling given Microsoft's overtures to Gallery2, making it one of the top 3 PHP apps they promote on their PHP on IIS7 main page.

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Wed, 2009-08-19 13:56

rWatcher, perhaps IIS is reading the .htaccess file, I have no idea. I've not used IIS very much to really know it.

Quote:
But that would require a more mature non-LAMP support policy than "nanny nanny boo boo, stick your head in doo doo."

It has nothing to do with that. It has to do with there isn't a single person on the Gallery core team that knows IIS (or MS SQL, etc) to support them. If you want to dedicate hours every week for the next several years, 5+?, while G3 exists, to being the sole programmer and support person for windows support then there's something that can be talked about. But so far it's just been a few people making some noise and nobody really stepping up to the plate.

We've already been to this show with G2. It was a tremendous amount of work to support multiple platforms. G2 includes the kitchen sink, G3 has more focus :)

 
Aren Cambre

Joined: 2007-09-27
Posts: 58
Posted: Wed, 2009-08-19 14:08
nivekiam wrote:
If you want to dedicate hours every week for the next several years, 5+?, while G3 exists, to being the sole programmer and support person for windows support then there's something that can be talked about. ... G2 includes the kitchen sink, G3 has more focus :)

I appreciate G3's focus very much. But the IIS support landscape has changed drastically since G2: IIS 7 is out, Microsoft is making a large push to support PHP, and PHP 5.3 has significant Windows support improvements.

So far we found one easy-to-resolve IIS issue. Everything else just works.

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Wed, 2009-08-19 15:17

Well that's the beauty of git. You can fork the main code, make changes and it's pretty easy to implement new changes from the main code into your fork.

 
Aren Cambre

Joined: 2007-09-27
Posts: 58
Posted: Wed, 2009-08-19 15:26
nivekiam wrote:
Well that's the beauty of git. You can fork the main code, make changes and it's pretty easy to implement new changes from the main code into your fork.

Unfortunately, that's still the non-LAMP support policy of "nanny nanny boo boo, stick your head in doo doo." :-)

 
rWatcher

Joined: 2005-09-06
Posts: 722
Posted: Thu, 2009-08-27 01:25
lvthunder wrote:
What about the .htaccess stuff that prevents people from getting into the var directory? If you remove the full size permission g3 creates more .htaccess files to protect your images.

If anyone's interested, I've figured out why my IIS web host is able to use .htaccess files. It seems they have a module called "ISAPI_Rewrite" installed on the servers, which "is compatible with Apache mod_rewrite syntax, which makes it possible to move configurations from Apache to IIS and vice versa just by copying .htaccess files". More information on it can be found here. It's probably worth noting that this module is definitely not free, but it does seem to work as a solution to the IIS/Gallery/.htaccess issue.

 
Aren Cambre

Joined: 2007-09-27
Posts: 58
Posted: Thu, 2009-08-27 01:11

We use it at work. It's a good module, but like you say it's not free at all, plus you may have trouble getting shared hosts to support it if they don't do so already.

 
sdm395

Joined: 2009-10-02
Posts: 1
Posted: Fri, 2009-10-02 17:46

Just in case this helps anyone...

I deployed Gallery3 on my webhost's IIS server (brinkster - pro account), which also uses the HeliconTech mod_rewrite.
I came across an issue where when trying to edit permissions on an album I got the following message
"Oh no! Your server needs a configuration change in order for you to hide photos!"

A bit of digging later, and it turns out that gallery tries to validate your htaccess settings by creating the following directory
gallery3/var/temp/security_test
It then creates a .htaccess file with a simple rewrite and a file called "success" to redirect to.
It hits a url, and checks that the "success" file is served up properly.

However, my webhost does not support serving up files without an extension, so this fails - resulting in the above error message.

The following change makes it work.

in gallery3/modules/gallery/helpers/access.php

change line 642 from

$success_url = url::file("var/tmp/security_test/success");

to

$success_url = url::file("var/tmp/security_test/success.html");

and line 651 from

if ($fp = @fopen(VARPATH . "tmp/security_test/success", "w+")) {

to

if ($fp = @fopen(VARPATH . "tmp/security_test/success.html", "w+")) {
 
rWatcher

Joined: 2005-09-06
Posts: 722
Posted: Sat, 2009-10-03 18:25
sdm395 wrote:
I deployed Gallery3 on my webhost's IIS server (brinkster - pro account), which also uses the HeliconTech mod_rewrite.
I came across an issue where when trying to edit permissions on an album I got the following message
"Oh no! Your server needs a configuration change in order for you to hide photos!"

I get that error too (also using an IIS/brinkster pro account). As far as I can tell, Gallery still hides albums and blocks access to full size photos despite this error message, so I've just been ignoring it. But it's nice to be able to make the error go away, so thanks for figuring out the issue :)

I've created a ticket for you here:
http://sourceforge.net/apps/trac/gallery/ticket/830
Maybe someone will incorporate this back into Gallery.

 
itopman

Joined: 2009-10-13
Posts: 2
Posted: Tue, 2009-10-13 20:08

Hi.. I am new to web site and have just installed the win2k8r2 version and followed the procedure (http://arencambre.com/blog/2009/08/18/gallery-3-windows-2008-r2-and-iis-7/comment-page-1/#comment-42789) but when I try to follow item 6 (Visit http://localhost/phpmyadmin, sign in using your MySql’s root account) it fails to load the login page, giving the following error:

Error Summary
HTTP Error 403.14 – Forbidden
The Web server is configured to not list the contents of this directory.
Detailed Error Information
Module DirectoryListingModule
Notification ExecuteRequestHandler
Handler StaticFile
Error Code 0x00000000
Requested URL http://localhost:80/phpmyadmin/
Physical Path C:\inetpub\wwwroot\phpmyadmin\
Logon Method Anonymous
Logon User Anonymous

I did post this and another error on that website but was directed here

Can you help please

 
m1byo

Joined: 2010-09-06
Posts: 4
Posted: Mon, 2010-09-06 15:05

I have managed to get this working on Server 2003, IIS 6 and HeliconTech APE Free Version, I know it is working because the index.php fix is working well!

How do you tell that the full size files are getting blocked, as I have found that I can still access the full size files if I right click the image and click properties then copy the path to the address bar?

Thanks for the help.

Ian

 
okutbay

Joined: 2010-12-09
Posts: 8
Posted: Thu, 2010-12-09 11:37

I get an internal server error when I try to browse the web site without including index.php

I also tried a new re-write rule to handle all requests but it did not work.

<rule name="Main Rule" stopProcessing="true">
  <match url=".*" />
  <conditions logicalGrouping="MatchAll">
    <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
    <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
  </conditions>
  <action type="Rewrite" url="index.php" />
</rule>

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Thu, 2010-12-09 17:32

Try this FAQ:
http://codex.gallery2.org/Gallery3:Installation_on_Windows_Server_2008_and_IIS7