Update nginx + Apache configuration to prevent access to internal files
clue committed Mar 5, 2024
1 parent 1723f85 commit a3fffcf
Showing 4 changed files with 25 additions and 3 deletions.
9 changes: 9 additions & 0 deletions docs/best-practices/deployment.md
Expand Up @@ -70,6 +70,12 @@ server {
try_files $uri $uri/ /index.php$is_args$args;
}
# Optional: handle Apache config with Framework X if it exists in `public/` directory
error_page 403 = /index.php;
location ~ \.htaccess$ {
deny all;
}
location ~ \.php$ {
fastcgi_pass localhost:9000;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
Expand Down Expand Up @@ -186,6 +192,9 @@ RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* index.php
# Optional: handle `.htaccess` with Framework X instead of `403 Forbidden`
ErrorDocument 403 /%{REQUEST_URI}/../index.php
# This adds support for authorization header
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
```
10 changes: 7 additions & 3 deletions tests/integration.bash
Expand Up @@ -23,9 +23,13 @@ skipifnot() {
}

out=$(curl -v $base/ 2>&1); match "HTTP/.* 200" && match -iP "Content-Type: text/plain; charset=utf-8[\r\n]"
out=$(curl -v $base/invalid 2>&1); match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
out=$(curl -v $base// 2>&1); match "HTTP/.* 404"
out=$(curl -v $base/ 2>&1 -X POST); match "HTTP/.* 405"
out=$(curl -v $base/ 2>&1 -X POST); match "HTTP/.* 405" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"

out=$(curl -v $base/unknown 2>&1); match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
out=$(curl -v $base/index.php 2>&1); match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
out=$(curl -v $base/.htaccess 2>&1); match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"
out=$(curl -v $base// 2>&1); match "HTTP/.* 404" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"

out=$(curl -v $base/error 2>&1); match "HTTP/.* 500" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]" && match "<code>Unable to load error</code>"
out=$(curl -v $base/error/null 2>&1); match "HTTP/.* 500" && match -iP "Content-Type: text/html; charset=utf-8[\r\n]"

6 changes: 6 additions & 0 deletions tests/integration/nginx-fpm.conf
Expand Up @@ -6,6 +6,12 @@ server {
try_files $uri $uri/ /index.php$is_args$args;
}

# Optional: handle Apache config with Framework X if it exists in `public/` directory
error_page 403 = /index.php;
location ~ \.htaccess$ {
deny all;
}

location ~ \.php$ {
fastcgi_pass php:9000;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
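Review bot: The new `location ~ \.htaccess$ { deny all; }` block only stops `.htaccess` itself; any other dot-file that ends up in `public/` (a `.htpasswd` next to it, for instance) is still handed out by the `try_files $uri` rule above it. Denying the whole dot-file namespace is the usual nginx idiom and is a one-line change here, `location ~ /\. { deny all; }`, and the resulting 403 still flows through `error_page 403 = /index.php;` so the application answers with its own 404. Whichever pattern is kept, the comment should state that the `=` form with no status code lets the status of the `/index.php` response (the application's 404) replace the 403, because that is exactly what the `$base/.htaccess` assertion in tests/integration.bash depends on. The same block is added verbatim to docs/best-practices/deployment.md in this commit and the two copies should be kept in sync.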
3 changes: 3 additions & 0 deletions tests/integration/public/.htaccess
Expand Up @@ -4,5 +4,8 @@ RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* index.php

# Optional: handle `.htaccess` with Framework X instead of `403 Forbidden`
ErrorDocument 403 /%{REQUEST_URI}/../index.php

# This adds support for authorization header
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
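Review bot: `ErrorDocument 403 /%{REQUEST_URI}/../index.php` relies on Apache expanding `%{REQUEST_URI}` inside ErrorDocument, which is only supported from Apache 2.4.13 on; on an older build the literal text becomes the error-document path and a denied `.htaccess` request would never reach index.php. The comment above it should record that requirement, e.g. `# Requires Apache 2.4.13+ (expression syntax in ErrorDocument)`. It is also worth saying in the comment that this directive routes every 403 raised under this directory to the application, not only the one presumably produced by the server's own `.ht*` file protection, so that a reader does not mistake it for a narrowly scoped rule. The same two lines are added to docs/best-practices/deployment.md in this commit and should carry the same note.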
