Problem with campaign tracking that goes through index.php in v5.1

[jussik]

Hi all,
In SugarCRM 5.1 the campaing tracking has been refactored to go through index.php.
In earlier versions this went through campaign_tracker2v.php and removeme.php. Our people don't feel comfortable exposing the index.php to the rest of the world so is there any possibilty to get the functionality like in the previous version that campaing tracking goes through another file.

There is a setting:
Location of campaign tracking files (like campaign_tracker.php)
so I can change the base url that sugar generates for tracker urls but what files should I but in this url in 5.1 version?
The campaign_trackerv2.php and removeme.php are just direct links to index.php.

Is it possible to use the php files from previous version or from modules/Campaigns/Tracker.php somehow and add them to include/MVC/Controller/entry_point_registry.php?

Thanks for any ideas..

[shareaholic]

does this have something to do with post-upgrade campaign status display problems? (described here: http://www.sugarcrm.com/forums/showthread.php?t=37750)
I mean whether the latter are result of re-factored campaign tracking functionality in 5.1

[shareaholic]

yep, campaign status display seems not to be working because of the problem described by jussik

was (5.0.0g): {LOCATION OF TRACKING FILES}/campaign_trackerv2.php?track=15e9bcde-8e38-6587-66cb-4909bfdfc592&identifier=ad7242fc-2a43-28ba-899e-4909ce5b9d97

now (5.1b): {SUGARCRM LOCATION}/index.php?entryPoint=campaign_trackerv2&track=a87c 5a97-1f67-d4da-92e6-4909bf5acd1b&identifier=1d50a57b-6b11-7768-b583-491051cb8fe0

Does that really imply that to campaign from firewalled installation one have to expose index.php online?

[RMoher]

I'm running into problems with this also in 5.1.0b, where I have the install on a firewalled server, and I want to put the campaign tracker files at an external (outside the firewall) location. Has anyone addressed this yet?

In addition, I'm also having problems with:

- Sugar installation is on internal server (http://localserver/sugar)
- External tracking files (image.php, removeme.php, andcampaign_trackerv2.php) are moved (not copied) to an external location at http://www.teambarcode.com/trackerfiles/ - This URL is specified in Admin-> Campaign Email Settings -> Location of campaign tracking files -> User Defined. These are the three files specified in the Sugar Help documentation.

When I send an email with trackers, the tracker URL does not work. It seems to want to append the local address to the front of the URL - here's what I get:

http://localserver/sugar/http:/www.t...a-49490dcf9e71

1. Why is it referencing the address of the internal server, where Sugar resides, at the beginning of the URL? How do I stop that?

2. Why is it also looking for index.php at the external location (teambarcode.com/trackerfiles)? The documentation does not specify that file needing to be there.

Any help would be appreciated, I do need to get this going.....

[edub]

I haven't implemented this code yet, but this is what I am planning on using to resolve this issue:

if ($_REQUEST['entryPoint'] == 'removeme' || $_REQUEST['entryPoint'] == 'campaign_trackerv2' || $_REQUEST['entryPoint'] == 'image') {
if (strlen($_REQUEST['identifier']) == 36) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.publicserver.com/index.php?entryPoint=" . $_REQUEST['entryPoint'] . "&identifier=" . $_REQUEST['identifier']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);
unset($ch);
}
}

Can someone laugh check this for me to make sure this would be a secure method to achieve having this file on a public server called index.php and have it be able to access the private/behind firewall version of sugar while not exposing the entire Sugar to the public?

[edub]

I made a slight modification to it and have tested it in production and it works:
if ($_REQUEST['entryPoint'] == 'removeme' || $_REQUEST['entryPoint'] == 'campaign_trackerv2' || $_REQUEST['entryPoint'] == 'image') {
if (strlen($_REQUEST['identifier']) == 36) {
$ch = curl_init();
if (strlen($_REQUEST['track']) > 0) {
curl_setopt($ch, CURLOPT_URL, "http://www.publicserver.com/sugarcrm/index.php?entryPoint=" . $_REQUEST['entryPoint'] . "&identifier=" . $_REQUEST['identifier'] . "&track=" . $_REQUEST['track']);
} else {
curl_setopt($ch, CURLOPT_URL, "http://www.publicserver.com/sugarcrm/index.php?entryPoint=" . $_REQUEST['entryPoint'] . "&identifier=" . $_REQUEST['identifier']);
}
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);
unset($ch);
}
}

[edub]

This needs some more work, because it isn't actually redirecting the user for tracker url's, it is just displaying the content of the redirected web page.

[edub]

this is much more complicated now, but I think this works:
if ($_REQUEST['entryPoint'] == 'removeme' || $_REQUEST['entryPoint'] == 'campaign_trackerv2' || $_REQUEST['entryPoint'] == 'image') {
if (strlen($_REQUEST['identifier']) == 36) {
$ch = curl_init();
if (strlen($_REQUEST['track']) > 0) {
curl_setopt($ch, CURLOPT_URL, "http://www.public.net/sugarcrm/index.php?entryPoint=" . $_REQUEST['entryPoint'] . "&identifier=" . $_REQUEST['identifier'] . "&track=" . $_REQUEST['track']);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
$headers = curl_exec($ch);
$headerArray = explode("\n",$headers);
foreach ($headerArray as $value) {
if (substr($value,0,8) == "Location") {
header($value);
}
}
} else {
curl_setopt($ch, CURLOPT_URL, "http://www.public.net/sugarcrm/index.php?entryPoint=" . $_REQUEST['entryPoint'] . "&identifier=" . $_REQUEST['identifier']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
curl_exec($ch);
}
curl_close($ch);
unset($ch);
}
}

basically if it does not contain track then it works like it use to and just either displays the image or it displayes the remove me text, and if it does contain a track then it parses the headers from sugar to find the location to forward them to and then forwards them to that location. I'm thinking this could be more elegant, but this seems to work.

[Antag]

Im a little unclear and hope you can clarify, Where is it that you put that code you added? Did you make a new index.php on the external website and use that code for it or what?

[brilovett]

After spending over 40 hours trying to figure this out, I think I have a variation on this solution that might be useful for those in a hosted environment. I've tested it and it seems to work. If anyone can find any problems or security issues, please post them as I'm not an expert with this and figured it out only through significant research and trial-and-error.

Create an index.php file that you will put in a directory that is accessible to the public with the following (thanx to edub for this code):

Code:

<?php
$hidden_URL = "http://www.[location of your SugarCRM index.php file that is protected]/index.php?entryPoint=";
$usrpsswd = "username:password";

if ($_REQUEST['entryPoint'] == 'removeme' || $_REQUEST['entryPoint'] == 'campaign_trackerv2' || $_REQUEST['entryPoint'] == 'image') {
	if (strlen($_REQUEST['identifier']) == 36) {
		$ch = curl_init();
			if (strlen($_REQUEST['track']) > 0) {
				curl_setopt($ch, CURLOPT_URL, $hidden_URL . $_REQUEST['entryPoint'] . "&identifier=" . $_REQUEST['identifier'] . "&track=" . $_REQUEST['track']);
				curl_setopt($ch, CURLOPT_HEADER, 1);
				curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
				curl_setopt($ch, CURLOPT_USERPWD, $usrpsswd);
				curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
				curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
				$headers = curl_exec($ch);
				$headerArray = explode("\n",$headers);
				foreach ($headerArray as $value) {
					if (substr($value,0,8) == "Location") {
						header($value);
					}
				}
			} else {
				curl_setopt($ch, CURLOPT_UNRESTRICTED_AUTH, 1);
				curl_setopt($ch, CURLOPT_URL, $hidden_URL . $_REQUEST['entryPoint'] . "&identifier=" . $_REQUEST['identifier']);
				curl_setopt($ch, CURLOPT_HEADER, 0);
				curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
				curl_setopt($ch, CURLOPT_USERPWD, $usrpsswd);
				curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
				curl_exec($ch);
			}
		curl_close($ch);
		unset($ch);
	}
}
?>

Modify the .htaccess file that comes with SugarCRM by adding the following lines before what's ever already there (or put it in a root directory and specify the appropriate subdirectories in front of index.php?entryPoint below):

Code:

SetEnvIf Request_URI "(\index.php?entryPoint=campaign_trackerv2)$" allow
SetEnvIf Request_URI "(\index.php?entryPoint=removeme)$" allow
SetEnvIf Request_URI "(\index.php?entryPoint=image)$" allow
Order allow,deny
Allow from env=allow

<Files *.*>
  Order deny,allow
  Deny from all
  Allow from [whatever your IP address is at your office/home]
</Files>

Satisfy any

# Disable directory browsing
Options -Indexes
AuthType Basic
AuthName "Authentication required"
require valid-user
AuthUserFile "[wherever your password files are]/passwd"

Effectively, the .htaccess file keeps the public out of your SugarCRM files but allows you to access them. Then edub's code with slight modifications for sending the username and password with curl allows the public to just use index.php, but only if it's one of the 3 entry points defined in the .htaccess file (i.e., they can't just bring up index.php because they'd be required to authenticate).

Hope that helps.

- B.

Edit: Just to clarify, you must go into the admin and choose the option "Campaign Email Settings: Configure." Then change "Location of campaign tracking files (like campaign_tracker.php) " to user-defined and enter the URL directory for the index.php that you created above.