I have seemed to have created myself another problem where as when someone tries to login using [website]/users.php they get this message:
We're sorry, but we could not fulfill your request for /users.php on this server.
You do not have permission to access this server. Data may not be posted from offsite forms
logging into the site using [website] works just fine.
Removed the .htaccess and still same thing. users.php Permissions are 644 and non-root.non-root
It is the Bad Behavior plugin. What is happening is they are probably using yoursitehere.com/users.php, but the $_CONF['site_url'] is www.yoursitehere.com, to the URL in the header doesn't match what is in the form.
What I've done is setup a redirect in Apache so anything to glfusion.org redirects to www.glfusion.org.
Testing by disabling Bad-behavior things did work.
I have multiple differnet domains pointed to the same site which are quite different than my apache site name that is set in the gl_conf_values (site_url and site_admin_url). Guess I had better learn about doing redirects in apache.
On another note: I had in the past dropped the site_url and site_admin_url too:
site_url = s:0:""
site_admin_url = s:6:"/admin"
to enable access to the site, which sits in a outside DMZ, from internal trusted network. This kinda works as several admin functions do not work.
Not sure what the interaction would be with Bad_behavior as well.
Looking at mod_alias and mod_rewrite for Redirect it seems that mod_alias is the simpler: "redirect permanent / www.[sitename.org]"
I can see in the apache 2.2 doc's docs of redirect changing things like resources but not URL's i.e. "redirect permanent /file-resource-1 www.[sitename.org]/file-resource-2"
I did not see anything that redirects [sitename.org] to www.[sitename.org] unless that is the first above redirect permanent statement?
Looking at mod_rewrite I did find a nice rule to change incoming http sessions to https which direct users into an SSL environment. (thank you CA-Cert.org for those server.crt's)
This is all new to me. Currently that only way I can get things to work is to disable Bad-behavior (which I did not want to do). I don't think this was an issue back in 1.0.2 or ealier (I could be wrong).
Well the Rewrite rule does force the https session. It breaks the login (form flow?). To bad as I really like working in a secure connection.
I recreated the server.crt to match the site fully qualified url and now everything matches. I enabled Bad-behavior plugin and its all seems to work.
I keep digging a new hole. as originally I could start an X session on the servers console and login to the site (which resides on the box's localhost) using localhost or 127.0.0.1 to connect. Now it tries to go out to the web looking for www.[sitename].org which means most likely its a /etc/hosts resolution fix on the local machine
I would really like to see/learn the proper method to redirect a series of different incoming url's to a single local url.