I'm trying to publish my first Symfony Project in production, but I'm very worried about security, I have taken the following measures:
1) First: Delete on /var these directories: cache, logs and sessions
2) Second: Changed of default name for cookie session (client side: symfony)
3) Trhee: Creating a .htaccess in root directory of application
My problem is about the .htaccess. The goal is dennied access to others directories of application like: /app, /src, /test, /var, /vendor.
I'll write the follow rules in .htaccess and puted it in root directory of my app: myDevelopedApp/.htaccess.
.htaccess
#Checking if module is avalaible
<IfModule mod_rewrite.c>
#Using the rewrite engine
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
#Rewrite rule to redirect the request
RewriteRule ^(.*)$ web/$1 [QSA,L]
<IfModule>
The problem it's not working, I can not access to web folder when I write the rules. Apache hides the application myDevelopedApp when I try to access it by browser
What I'm wrong?
Any other recommendation to improve security in production enviroment is welcome, thanks so much.
If your are really concerned about security you should follow the Symfony best practices. That means that only the /web folder should be accessible in the vhost.
Moreover if you initialized your project with a standard edition you should already have .htaccess files in the app/ src/ folders.
htaccess file code
.htaccess
#Checking if module is avalaible
#Using the rewrite engine
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
#Rewrite rule to redirect the request
RewriteRule ^(.*)$ web/$1 [QSA,L]
and this code too on your .htaccess file
<pre>
.htaccess
#Checking if module is avalaible
<IfModule mod_rewrite.c>
#Using the rewrite engine
RewriteEngine On
RewriteBase /folder/ /*location address if localhost localhost/project */
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
#Rewrite rule to redirect the request
RewriteRule ^(.*)$ web/$1 [QSA,L]
<IfModule>
</pre>
RewriteBase solve this problem
Related
[ Background ]
This is the structure to my application:
app/
controllers/
...
modules/
...
views/
...
public/
css/
main.css
images/
...
js/
...
index.php
.htaccess
For various reasons (security, organization, etc.) the public application (website) is loaded and displayed by public/index.php At the "root" of my server I have the following .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /BU/cs-602/developer-story/
RewriteRule ^(\/||index\.*)$ public/index.php [L,QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RedirectMatch ^(/BU/cs-602/developer-story.)([\w\d\s\/\-\:\_%\ ]*\.css)$ $1public/$2 [L]
RewriteRule ^([\w\d\-\_\/\ ]*)$ public/index.php?p=$1 [L,QSA]
</IfModule>
These rules should rewrite/ redirect all requests from the server "root" to public/index.php Since I am developing locally on my development server this project is not actually at the root of my server but is located at /BU/cs-602/developer-story/ This is why I added the RewriteBase rule.
If I remove the RedirectMatch rule everything from an MVC standpoint works:
URLs like http://localhost/BU/cs-602/developer-story or http://localhost/BU/cs-602/developer-story/ become http://localhost/BU/cs-602/developer-story/public/index.php AND URLs like http://localhost/BU/cs-602/developer-story/user/id become http://localhost/BU/cs-602/developer-story/public/index.php?p=user/id.
Here is a live htaccess test.
[ Question ]
How can I fix the .htaccess file or the RedirectMatch rule to redirect request to resources like CSS or JS files? The current rule works in the tester but not on my server unless I remove the RedirectMatch rule.
I would like a URL like http://localhost/BU/cs-602/developer-story/css/main.css to become http://localhost/BU/cs-602/developer-story/public/css/main.css that way in my HTML I do something like:
<img src="images/logo.png">
The server actually loads:
<img src="public/images/logo.png">
This way I do not have to prefix all my resources with public/.
[ Disclosure ]
This question is for help with a final project at my University, but this type question is allowed and not violating academic policies. Making a project with htaccess and MVC is not a requirement, just something I'm doing to challenge myself.
UPDATE:
Here is my original RedirectMacth rule. Anything that is not a PHP or HTML file is redirected:
RedirectMatch ([\w\d\s\/\-\:\_%\ ]*\.(?!php|htm|html)) $1 [L]
I found the solution after reviewing the error logs on my server. My various attempts were causing redirect loops. Here is my working .htaccess file in case it helps anyone trying to do something similar.
The key is to short circuit the .htaccess file when necessary so it doesn't keep rewriting your URLs infinitely. I added inline comments to explain the process:
# Redirect all requests to the public directory.
<IfModule mod_rewrite.c>
RewriteEngine On
# Only needing for local develoment in my case.
RewriteBase /BU/cs-602/developer-story/
# If nothing or an index page is requested go to `public/index.php` and stop processing.
RewriteRule ^(\/||.*index\..*)$ public/index.php [L,QSA]
# If the URL already contains the `public/` directory go to URL and stop processing.
RewriteRule ^(.*public\/.*)$ $1 [L,QSA]
# If it appears this URL is for a resource (JS, CSS, etc.) prefix with `public/`.
RewriteCond %{REQUEST_URI} ^([\w\d\s\-\_\/\%]*)\.(?!php|htm|html).*$
# Go to the modified URL if the last rule triggered and stop processing.
RewriteRule ^(.*)$ public/$1 [L,QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
# Rewrite all remaing URLs to our apps MVC structure.
RewriteRule ^([\w\d\s\-\_\/\%]*)$ public/index.php?p=$1 [L,QSA]
</IfModule>
Currently I have a "public" folder being root directory where all my frontend code goes.
But since my public folder contains both the website content and app content, I would like to split it more up.
So my idea was:
.htaccess (rewriting public url)
src (php backend code)
public/
web/
index.php
app/
account.php
So my problem is, I can easily go to the pages like this:
http://example.com/web/index.php
http://example.com/app/account.php
but I would like to remove "web" and "app" from the URL's...
http://example.com/index.php
http://example.com/account.php
How can I do that using .htaccess? I'm running apache 2.4.
EDIT
An example of what I've tried:
RewriteEngine On
RewriteCond %{REQUEST_URI} !app/
RewriteRule (.*) /app/$1
RewriteCond %{REQUEST_URI} !web/
RewriteRule (.*) /web/$1
Probably you need to tune up your requests. But a first approach is:
First, make sure that you have mod rewrite enabled.
Second, write the following in the .htaccess
RewriteEngine On
RewriteRule ^[/]?index.php$ /web/index.php [NS,NC,L]
RewriteRule ^[/]?account.php$ /app/account.php [NS,NC,L]
You will need to read the documentation to make other rules. You can read it here
https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html
Also pay special attention on the flags. Read the documentation to set the ones that applies to your situation.
I've tried so many different things now, but I finally figured it out.
RewriteEngine on
RewriteBase /
# Rewrite every web request
RewriteCond "%{DOCUMENT_ROOT}/web/%{REQUEST_URI}" -f
RewriteRule "^(.+)" "%{DOCUMENT_ROOT}/web/$1"
# Rewrite every app request
RewriteCond "%{DOCUMENT_ROOT}/app/%{REQUEST_URI}" -f
RewriteRule "^(.+)" "%{DOCUMENT_ROOT}/app/$1"
# Remove .php extension
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
This works when having a setup:
public/ (root folder)<br>
web/ (contains website frontend)<br>
app/ (contains app frontend)<br>
.htaccess (contains the code above)
I recently moved my index.php (the file that handles routing) and CSS, JavaScript, and font assets to a public/ folder. I only want items in this public/ folder to be accessible for security purposes. I ran into this problem when I realized I could visit mysite.com/composer.lock and view the composer lock file with my old .htaccess and folder setup.
Here is what I want
If I visit mysite.com/car/create, I want it to actually point to mysite.com/public/index.php?path=car/create
If I link to an asset such as mysite.com/css/style.css, I want it to really point to mysite.com/public/css/style.css
Here is my folder structure
Here is my .htaccess which is not working at all
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ public/index.php?path=$1 [L,QSA]
</IfModule>
How can I fix this? It just generates empty pages and I can still directly visit files in the root directory, etc.
Your existing directives specifically avoid rewriting requests for existing files, so it would still enable you to visit files in the root directory. It will also rewrite static resources to public/index.php?path=, which will presumably fail.
Try the following instead:
RewriteEngine On
# Stop processing if already in the /public directory
RewriteRule ^public/ - [L]
# Static resources if they exist
RewriteCond %{DOCUMENT_ROOT}/public/$1 -f
RewriteRule (.+) public/$1 [L]
# Route all other requests
RewriteRule (.*) public/index.php?path=$1 [L,QSA]
I'm trying to get a Laravel 4 app installed in a subfolder of the web root directory for one of my users. I know there are major security concerns having the entire framework accessible via the web. I plan to address those separately after I understand how to get this working.
I've tried every combination of Apache Aliases, and Rewrite rules I can think of, but nothing seems to work. Here's my directory structure:
/home/username/public_html
.htaccess
my_laravel_app/
app/
bootstrap/
public/
.htaccess
index.php
robots.txt
...etc (standard Laravel 4 public folder contents)
vendor/
...etc (standard Laravel 4 files and folders)
The first .htaccess file, the one listed directly under the users public_html directory, contains the following:
AuthType Basic
AuthName Private
Authuserfile /path/to/.htpasswd
Require valid-user
The second .htaccess is a standard Laravel 4 .htaccess file. It contains the following:
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes...
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
I would like to essentially treat this my_laravel_app/public directory as a webroot, so that the Laravel app functions the same way it would if for a normal Laravel installation directly on a domain.
I believe I just need to edit the first .htaccess file to contain rewrite rules that send any request to /my_laravel_app to my_laravel_app/public, but I can't seem to get this working. Can anyone help?
This may be different depending on your setup, but the base config is:
RewriteBase /
RewriteCond %{DOCUMENT_ROOT}/my_laravel_app/public/%{REQUEST_URI} -d [OR]
RewriteCond %{DOCUMENT_ROOT}/my_laravel_app/public/%{REQUEST_URI} -f
RewriteRule . public/%{REQUEST_URI} [L]
RewriteRule . public/index.php [L]
And put inside your my_laravel_app as an .htaccess to limit the complexity of the conditions. You get the idea hopefully.
I have a Silex project. Works on localhost(using php.exe) but I've just transferred it to a subdirectory of an existing website. For example:
www.website.foo/silex/
On the site, because of funky existing routing, the silex app is symbolically linked in the webroot under a /silex/ folder, but is actually elsewhere in the filesystem. The index page works.
I wasn't using an .htaccess file, but I copied the one from the documentation, but it hasn't gotten me anywhere.
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteEngine On
RewriteBase /var/www/webroot/silex/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
I am at a complete loss as to why it doesn't work, let alone what to change to fix it.
Edited .htaccess
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteEngine On
RewriteBase /silex/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
Question
Does the .htaccess file have to be in the root directory? Or is being in the application directory fine?
Your RewriteBase directive is wrong, its related to web root, not your filesystem structure, so just use RewriteBase /silex/