Dear all,
We are trying some changes regarding the web server configuration for V3.20 as we are pushing towards a stricter (and safer) standard to run the Chevereto application. We are aiming to restrict any orphan direct execution of .php files in the filesystem, which could lead to compromising your systems.

Your feedback is required as we need to know if the configuration is safe to push to the main release. This update will make your websites safer.
Apache HTTP Web server

.htaccess file (Apache config):
ServerSignature Off
Options -Indexes
Options -MultiViews
# CORS header (avoids font rendering issues)(replace dev\.local with your domain\.com)
# SetEnvIf Origin ^(https?://.+\.dev\.local(?::\d{1,5})?)$ CORS_ALLOW_ORIGIN=$1
# Header append Access-Control-Allow-Origin %{CORS_ALLOW_ORIGIN}e env=CORS_ALLOW_ORIGIN
# Header merge Vary "Origin"
# Disable access to sensitive application files
<FilesMatch "composer\.(json|lock)|cli\.php|\.htaccess|\.gitignore">
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
# RedirectMatch 403 ^.*\.php$
# If you have problems with the rewrite rules remove the "#" from the following RewriteBase line
# You will also have to change the path to reflect the path to your Chevereto installation
# If you are using mod alias is likely that you will need this.
#RewriteBase /
# Image not found replacement
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule images/.+\.(gif|jpe?g|a?png|bmp|webp) content/images/system/default/404.gif [NC,L]
# PHP front controller
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
# Single PHP-entrypoint (disables direct access to .php files)
# %{THE_REQUEST} holds the original request line, so this rule still fires on the
# pass that follows the front controller's internal rewrite to index.php
RewriteCond %{THE_REQUEST} ^.+?\ [^?]+\.php[?\ ] [NC]
# R=404 drops the substitution and ends rewriting with a 404; do not combine it
# with F, which forces a 403 and makes the two status codes compete
RewriteRule \.php$ - [NC,L,R=404]
</IfModule>
Nginx Web server

Inside nginx.conf, in the server {} block (NGINX config):
# Disable access to sensitive application files
location ~* (app|content|lib)/.*\.(po|php|lock|sql)$ {
return 404;
}
# Group the alternatives so the $ anchor applies to all of them, and escape the dot
location ~* (composer\.(json|lock)|\.gitignore)$ {
return 404;
}
location ~* /\.ht {
return 404;
}
# Image not found replacement
location ~* \.(jpe?g|png|gif|webp)$ {
log_not_found off;
error_page 404 /content/images/system/default/404.gif;
}
# CORS header (avoids font rendering issues)
location ~* \.(ttf|ttc|otf|eot|woff|woff2|font\.css|css|js)$ {
add_header Access-Control-Allow-Origin "*";
}
# PHP front controller
location / {
index index.php;
try_files $uri $uri/ /index.php$is_args$query_string;
}
# Single PHP-entrypoint (disables direct access to .php files)
# "internal" means only internal redirects (the try_files above) can reach this
# location; an external request for any .php URI gets nginx's default 404
location ~* \.php$ {
internal;
include snippets/fastcgi-php.conf;
# adjust to the socket of the PHP-FPM version you run
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
Try it out and let us know if you encounter any issues.
Cheers,
Rodolfo.
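Both configs above are meant to be checked from the outside once deployed. The script below is an added example, not part of the Chevereto project or of Rodolfo's post: it sends plain GET requests to a site and verifies that every path the Apache and nginx rules are meant to refuse really is refused (Apache answers 403 for the FilesMatch block and 404 for the rewrite rule, nginx answers 404 for everything it blocks, so both codes are accepted where they can occur) while the front controller still answers on "/". BASE_URL, the probe paths and the User-Agent string are assumptions.

```python
"""Smoke test for the single-PHP-entrypoint hardening (added example)."""
import sys
import urllib.error
import urllib.request

BASE_URL = "https://images.example.test"  # assumption: your Chevereto host

# Constructed probe matrix: path -> set of status codes that count as correct.
PROBES = {
    "/": {200},                      # front controller must still serve the app
    "/index.php": {404},             # direct hit on the entrypoint is refused
    "/index.PHP": {404},             # case variant ([NC] in Apache, "~*" in nginx)
    "/index.php?probe=1": {404},     # a query string must not bypass the rule
    "/app/lib/anything.php": {404},  # any other .php under the tree
    "/cli.php": {403, 404},          # FilesMatch (403) on Apache, 404 on nginx
    "/composer.json": {403, 404},
    "/composer.lock": {403, 404},
    "/.htaccess": {403, 404},
    "/.gitignore": {403, 404},
}


def fetch_status(url, timeout=10):
    """GET url and return the HTTP status; urllib raises for >= 400, so unwrap it."""
    req = urllib.request.Request(url, headers={"User-Agent": "entrypoint-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def run_probes(base_url, probes=PROBES, fetch=fetch_status):
    """Run every probe against base_url.

    Returns a list of (path, status_received, sorted_allowed_statuses) for
    each probe whose answer is not in the allowed set; an empty list means
    the hardening behaves as intended for the probed paths.
    """
    failures = []
    for path, allowed in probes.items():
        got = fetch(base_url.rstrip("/") + path)
        if got not in allowed:
            failures.append((path, got, sorted(allowed)))
    return failures


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else BASE_URL
    bad = run_probes(target)
    for path, got, allowed in bad:
        print(f"FAIL {path}: got {got}, expected one of {allowed}")
    print("all probes passed" if not bad else f"{len(bad)} probe(s) failed")
    sys.exit(1 if bad else 0)
```

Run it as `python3 check_entrypoint.py https://your-host` after switching to the new config; a non-empty failure list points at the exact path that is still reachable. The `fetch` parameter exists so the matrix can be exercised against a recorded or fake responder without a live server.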