Update nginx + Apache configuration to prevent access to internal files

clue-labs · Mar 5, 2024 · 9211be0 · 9211be0
1 parent 1723f85
commit 9211be0
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 3 deletions.
diff --git a/docs/best-practices/deployment.md b/docs/best-practices/deployment.md
@@ -70,6 +70,12 @@ server {
         try_files $uri $uri/ /index.php$is_args$args;
     }
 
+    # Optional: handle Apache config with Framework X if it exists in `public/`
+    error_page 403 = /index.php;
+    location ~ \.htaccess$ {
+        deny all;
+    }
+
     location ~ \.php$ {
         fastcgi_pass localhost:9000;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
@@ -186,6 +192,9 @@ RewriteCond %{REQUEST_FILENAME} !-d
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule .* index.php
 
+# Optional: handle `.htaccess` with Framework X instead of `403 Forbidden`
+ErrorDocument 403 /%{REQUEST_URI}/../index.php
+
 # This adds support for authorization header
 SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
 ```

diff --git a/tests/integration.bash b/tests/integration.bash
@@ -23,9 +23,13 @@ skipifnot() {
 }
 
 out=$(curl -v $base/ 2>&1);         match "HTTP/.* 200" && match -iP "Content-Type: text/plain; charset=utf-8[\r\n]"
-out=$(curl -v $base/invalid 2>&1);  match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
-out=$(curl -v $base// 2>&1);        match "HTTP/.* 404"
-out=$(curl -v $base/ 2>&1 -X POST); match "HTTP/.* 405"
+out=$(curl -v $base/ 2>&1 -X POST); match "HTTP/.* 405" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
+
+out=$(curl -v $base/unknown 2>&1);      match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
+out=$(curl -v $base/index.php 2>&1);    match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
+out=$(curl -v $base/.htaccess 2>&1);    match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
+out=$(curl -v $base// 2>&1);            match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
+
 out=$(curl -v $base/error 2>&1);        match "HTTP/.* 500" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]" && match "<code>Unable to load error</code>"
 out=$(curl -v $base/error/null 2>&1);   match "HTTP/.* 500" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
 

diff --git a/tests/integration/nginx-fpm.conf b/tests/integration/nginx-fpm.conf
@@ -6,6 +6,12 @@ server {
         try_files $uri $uri/ /index.php$is_args$args;
     }
 
+    # Optional: handle Apache config with Framework X if it exists in `public/`
+    error_page 403 = /index.php;
+    location ~ \.htaccess$ {
+        deny all;
+    }
+
     location ~ \.php$ {
         fastcgi_pass php:9000;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;

diff --git a/tests/integration/public/.htaccess b/tests/integration/public/.htaccess
@@ -4,5 +4,8 @@ RewriteCond %{REQUEST_FILENAME} !-d
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule .* index.php
 
+# Optional: handle `.htaccess` with Framework X instead of `403 Forbidden`
+ErrorDocument 403 /%{REQUEST_URI}/../index.php
+
 # This adds support for authorization header
 SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0