Try the new web server settings

Rodolfo

⭐ Chevereto Godlike
Chevereto Staff
Administrator
Dear all,

We are trying some changes regarding the web server configuration for V3.20 as we are pushing towards a stricter (and safer) standard to run the Chevereto application. We are aiming to restrict any orphan direct execution of .php files in the filesystem, which could lead to a compromise of your systems.

Your feedback is required as we need to know if the configuration is safe to push to the main release. This update will make your websites safer.

Apache HTTP Web server

.htaccess file:

Apache config:
ServerSignature Off
Options -Indexes
Options -MultiViews
# CORS header (avoids font rendering issues)(replace dev\.local with your domain\.com)
# SetEnvIf Origin ^(https?://.+\.dev\.local(?::\d{1,5})?)$   CORS_ALLOW_ORIGIN=$1
# Header append Access-Control-Allow-Origin  %{CORS_ALLOW_ORIGIN}e   env=CORS_ALLOW_ORIGIN
# Header merge  Vary "Origin"
# Disable access to sensitive application files
<FilesMatch "composer\.(json|lock)|cli\.php|\.htaccess|\.gitignore">
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>
<IfModule mod_rewrite.c>
    RewriteEngine On
    # RedirectMatch 403 ^.*\.php$
    # If you have problems with the rewrite rules remove the "#" from the following RewriteBase line
    # You will also have to change the path to reflect the path to your Chevereto installation
    # If you are using mod_alias it is likely that you will need this.
    #RewriteBase /
    # Image not found replacement
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule images/.+\.(gif|jpe?g|a?png|bmp|webp) content/images/system/default/404.gif [NC,L]
    # PHP front controller
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . index.php [L]
    # Single PHP-entrypoint (disables direct access to .php files)
    RewriteCond %{THE_REQUEST} ^.+?\ [^?]+\.php[?\ ] [NC]
    RewriteRule \.php$ - [NC,L,F,R=404]
</IfModule>

Nginx Web server

Inside nginx.conf for server {} block:

NGINX:
    # Disable access to sensitive application files
    location ~* (app|content|lib)/.*\.(po|php|lock|sql)$ {
        return 404;
    }
    # Dot escaped and the whole alternation anchored, not only the last branch
    location ~* (composer\.(json|lock)|\.gitignore)$ {
        return 404;
    }
    location ~* /\.ht {
        return 404;
    }
    # Image not found replacement
    location ~* \.(jpe?g|png|gif|webp)$ {
        log_not_found off;
        error_page 404 /content/images/system/default/404.gif;
    }
    # CORS header (avoids font rendering issues)
    location ~* \.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$ {
        add_header Access-Control-Allow-Origin "*";
    }
    # PHP front controller
    location / {
        index index.php;
        try_files $uri $uri/ /index.php$is_args$query_string;
    }
  
    # Single PHP-entrypoint (disables direct access to .php files)
    location ~* \.php$  {
        internal;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

Try it out and let us know if you encounter any issues.

Cheers,
Rodolfo.
 

liuguang

Chevereto Member
Hi, I am thinking of upgrading V4, does V4 support formats other than managing images? Such as video content.
 

JakeSully

💖 Chevereto Fan
Beta tester
Hi, I am thinking of upgrading V4, does V4 support formats other than managing images? Such as video content.
Video content is not available yet in v4.0; if I understood it right it will come in 4.1. But right now V4 is in beta, so you should not use it as a live site for now.
 

rdn

Chevereto Member
It should be
Code:
location ~* /(app|content|lib)/.*\.(po|php|lock|sql)$ {
Right?