Skip to content

Commit

Permalink
Update nginx + Apache configuration to prevent access to internal files
Browse files Browse the repository at this point in the history
  • Loading branch information
clue committed Mar 4, 2024
1 parent fd04d21 commit d9b3c6e
Show file tree
Hide file tree
Showing 5 changed files with 29 additions and 3 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -134,6 +134,8 @@ jobs:
- run: docker run -d -p 80:80 --link $(docker ps -qn1):php -v "$PWD/tests/integration/":/home/framework-x/ -v "$PWD"/tests/integration/nginx-fpm.conf:/etc/nginx/conf.d/default.conf nginx:stable-alpine
- run: bash tests/await.sh http://localhost
- run: bash tests/integration.bash http://localhost
- run: docker logs $(docker ps -qn1)
if: ${{ always() }}

Apache-webserver:
name: Apache webserver (PHP ${{ matrix.php }})
Expand All @@ -158,6 +160,8 @@ jobs:
- run: docker run -d -p 80:80 -v "$PWD/tests/integration/":/home/framework-x/ php:${{ matrix.php }}-apache sh -c "rmdir /var/www/html;ln -s /home/framework-x/public /var/www/html;ln -s /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled; apache2-foreground"
- run: bash tests/await.sh http://localhost
- run: bash tests/integration.bash http://localhost
- run: docker logs $(docker ps -qn1)
if: ${{ always() }}

PHP-webserver:
name: PHP webserver (PHP ${{ matrix.php }})
Expand Down
9 changes: 9 additions & 0 deletions docs/best-practices/deployment.md
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,12 @@ server {
try_files $uri $uri/ /index.php$is_args$args;
}
# Optional: handle Apache config with Framework X if it exists in `public/` directory
error_page 403 /index.php;
location ~ \.htaccess$ {
deny all;
}
location ~ \.php$ {
fastcgi_pass localhost:9000;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
Expand Down Expand Up @@ -186,6 +192,9 @@ RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* index.php
# Optional: handle `.htaccess` with Framework X instead of `403 Forbidden`
ErrorDocument 403 /%{REQUEST_URI}/../index.php
# This adds support for authorization header
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
```
Expand Down
10 changes: 7 additions & 3 deletions tests/integration.bash
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,13 @@ skipif() {
}

out=$(curl -v $base/ 2>&1); match "HTTP/.* 200" && match -iP "Content-Type: text/plain; charset=utf-8[\r\n]"
out=$(curl -v $base/invalid 2>&1); match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
out=$(curl -v $base// 2>&1); match "HTTP/.* 404"
out=$(curl -v $base/ 2>&1 -X POST); match "HTTP/.* 405"
out=$(curl -v $base/ 2>&1 -X POST); match "HTTP/.* 405" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"

out=$(curl -v $base/unknown 2>&1); match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
out=$(curl -v $base/index.php 2>&1); match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
out=$(curl -v $base/.htaccess 2>&1); match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
out=$(curl -v $base// 2>&1); match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"

out=$(curl -v $base/error 2>&1); match "HTTP/.* 500" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]" && match "<code>Unable to load error</code>"
out=$(curl -v $base/error/null 2>&1); match "HTTP/.* 500" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"

Expand Down
6 changes: 6 additions & 0 deletions tests/integration/nginx-fpm.conf
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,12 @@ server {
try_files $uri $uri/ /index.php$is_args$args;
}

# Optional: handle Apache config with Framework X if it exists in `public/` directory
error_page 403 /index.php;
location ~ \.htaccess$ {
deny all;
}

location ~ \.php$ {
fastcgi_pass php:9000;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
Expand Down
3 changes: 3 additions & 0 deletions tests/integration/public/.htaccess
Original file line number Diff line number Diff line change
Expand Up @@ -4,5 +4,8 @@ RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* index.php

# Optional: handle `.htaccess` with Framework X instead of `403 Forbidden`
ErrorDocument 403 /%{REQUEST_URI}/../index.php

# This adds support for authorization header
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

0 comments on commit d9b3c6e

Please sign in to comment.