Update nginx + Apache configuration to prevent access to internal files

.github/workflows/ci.yml

@@ -134,6 +134,8 @@ jobs:
       - run: docker run -d -p 80:80 --link $(docker ps -qn1):php -v "$PWD/tests/integration/":/home/framework-x/ -v "$PWD"/tests/integration/nginx-fpm.conf:/etc/nginx/conf.d/default.conf nginx:stable-alpine
       - run: bash tests/await.sh http://localhost
       - run: bash tests/integration.bash http://localhost
+      - run: docker logs $(docker ps -qn1)
+        if: ${{ always() }}
 
   Apache-webserver:
     name: Apache webserver (PHP ${{ matrix.php }})
@@ -158,6 +160,8 @@ jobs:
       - run: docker run -d -p 80:80 -v "$PWD/tests/integration/":/home/framework-x/ php:${{ matrix.php }}-apache sh -c "rmdir /var/www/html;ln -s /home/framework-x/public /var/www/html;ln -s /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled; apache2-foreground"
       - run: bash tests/await.sh http://localhost
       - run: bash tests/integration.bash http://localhost
+      - run: docker logs $(docker ps -qn1)
+        if: ${{ always() }}
 
   PHP-webserver:
     name: PHP webserver (PHP ${{ matrix.php }})

docs/best-practices/deployment.md

@@ -70,6 +70,12 @@ server {
         try_files $uri $uri/ /index.php$is_args$args;
     }
 
+    # Optional: handle Apache config with Framework X if it exists in `public/` directory
+    error_page 403 = /index.php;
+    location ~ \.htaccess$ {
+        deny all;
+    }
+
     location ~ \.php$ {
         fastcgi_pass localhost:9000;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
@@ -186,6 +192,9 @@ RewriteCond %{REQUEST_FILENAME} !-d
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule .* index.php
 
+# Optional: handle `.htaccess` with Framework X instead of `403 Forbidden`
+ErrorDocument 403 /%{REQUEST_URI}/../index.php
+
 # This adds support for authorization header
 SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
 ```

tests/integration.bash

@@ -20,9 +20,13 @@ skipif() {
 }
 
 out=$(curl -v $base/ 2>&1);         match "HTTP/.* 200" && match -iP "Content-Type: text/plain; charset=utf-8[\r\n]"
-out=$(curl -v $base/invalid 2>&1);  match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
-out=$(curl -v $base// 2>&1);        match "HTTP/.* 404"
-out=$(curl -v $base/ 2>&1 -X POST); match "HTTP/.* 405"
+out=$(curl -v $base/ 2>&1 -X POST); match "HTTP/.* 405" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
+
+out=$(curl -v $base/unknown 2>&1);      match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
+out=$(curl -v $base/index.php 2>&1);    match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
+out=$(curl -v $base/.htaccess 2>&1);    match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
+out=$(curl -v $base// 2>&1);            match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
+
 out=$(curl -v $base/error 2>&1);        match "HTTP/.* 500" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]" && match "<code>Unable to load error</code>"
 out=$(curl -v $base/error/null 2>&1);   match "HTTP/.* 500" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
 

tests/integration/nginx-fpm.conf

@@ -6,6 +6,12 @@ server {
         try_files $uri $uri/ /index.php$is_args$args;
     }
 
+    # Optional: handle Apache config with Framework X if it exists in `public/` directory
+    error_page 403 = /index.php;
+    location ~ \.htaccess$ {
+        deny all;
+    }
+
     location ~ \.php$ {
         fastcgi_pass php:9000;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;

tests/integration/public/.htaccess

@@ -4,5 +4,8 @@ RewriteCond %{REQUEST_FILENAME} !-d
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule .* index.php
 
+# Optional: handle `.htaccess` with Framework X instead of `403 Forbidden`
+ErrorDocument 403 /%{REQUEST_URI}/../index.php
+
 # This adds support for authorization header
 SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0