Skip to content

[Security] Hidden front controller for Nginx #4295

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

[Security] Hidden front controller for Nginx #4295

wants to merge 3 commits into from

Conversation

phansys
Copy link
Contributor

@phansys phansys commented Oct 4, 2014

For Nginx in PROD env, this makes more difficult to know that app is running Symfony.

app.php is widely known as our default front controller.
It is a small effort by security through obscurity.
For Apache, this 301 must be replaced by 404.

Q A
Doc fix? no
New feature? no
Applies to 2.0+
Tests pass? yes
Fixed tickets

@phansys
For Nginx in PROD env, this makes more difficult to know that app is …
08d3735 
…running Symfony.

app.php is widely known as our default front controller.
It is a small effort by security through obscurity.
For Apache, this 301 must be replaced by 404:
https://github.com/symfony/symfony-standard/blob/77ee2a83c085169e0bd221510b5693dca504f682/web/.htaccess#L37

| Q             | A
| ------------- | ---
| Doc fix?      | no
| New feature?  | no
| Applies to    | 2.0+
| Tests pass?   | yes
| Fixed tickets |
@phansys phansys changed the title For Nginx in PROD env, this makes more difficult to know that app is run... [Security] Hidden front controller for Nginx Oct 4, 2014
@phansys phansys mentioned this pull request Oct 4, 2014
Closed
@phansys
* Replaced IF statement by "internal" directive.
da0c339 
* Splitted config for PROD and DEV environments.
@wouterj
Copy link
Member

wouterj commented Oct 31, 2014

Hmm, to be honest, I don't understand any of these principles. So I can't say anything about this PR or decide if it's wrong or not.

@symfony/team-symfony-docs can you please help? :)

@xabbuh
Copy link
Member

xabbuh commented Oct 31, 2014

I'm no Nginx expert. @phansys can you explain a bit more what this change is supposed to do?

@weaverryan
Copy link
Member

If I understand this correctly, this gives us the exact same behavior as before, except that I can no longer go to example.com/app.php/contact - that will be a 404. The reason for that would be that if this does work, then it kind of exposes the fact that this is a Symfony2 site a little bit. That's the security through obscurity part.

I haven't used this internal option before, so I'm trusting it works like this :). I would add a little comment about it that explains what it does. Something like this:

# Causes a 404 page if someone goes to example.com/app.php/some-page
# This can obscure, slightly, the fact that this is a Symfony2 app

@phansys
Copy link
Contributor Author

phansys commented Oct 31, 2014

Hi @xabbuh.
With this change, requests in PROD env to /app.php/ will return 404 instead of redirect to domain root or serve the same content as /. It prevents a possible attacker guessing that app is running Symfony.

Before:
GET /app/ -> 301 redirection to /

After:
GET /app/ -> 404 not found

@weaverryan
Copy link
Member

@phansys well-said. If you can summarize that into a short comment to put in the code block, I am a 👍 on this.

@xabbuh
Copy link
Member

xabbuh commented Oct 31, 2014

I see and I agree that this makes sense in the prod environment. However, I wouldn't add these rules to the dev environment. It makes things more complex and these files shouldn't be available in public at all.

@phansys
Copy link
Contributor Author

phansys commented Oct 31, 2014

Thank you @weaverryan.
The code now has a block with this comment:

# prevent explicit access and hide front controller
# remove "internal" directive if you want to allow uri's like
# http://domain.tld/app.php/some-path

If you want, I can add more verbosity in it.
@xabbuh, I also agree with you; that's the reason why I split off app.php rule from app_dev.php and config.php.

@xabbuh
Copy link
Member

xabbuh commented Nov 1, 2014

@phansys But is the part for the dev environment really needed? What happens when we omit it?

Edit: Never mind, it was there before. So it's probably needed.

@phansys
Copy link
Contributor Author

phansys commented Nov 1, 2014

@xabbuh, the part for DEV is needed in order to serve the app when you are in development phase (with debug toolbar enabled, etc). IE, for using app_dev.php as front controller or accessing /config.php after install.

@weaverryan
Copy link
Member

@phansys @xabbuh we should maybe add a note in the # DEV comment line that says (don't add this to your production web server configuration). What do you think?

@xabbuh
Copy link
Member

xabbuh commented Nov 3, 2014

Both files shouldn't be present at all in that case. But yes, adding an additional comment might be useful too.

@phansys
Copy link
Contributor Author

phansys commented Nov 3, 2014

Docblock for DEV rule updated.

@weaverryan
Copy link
Member

Thanks for the really nice addition and edits Javier! This is better than before and helps show people options they have and why. Great work!

weaverryan added a commit that referenced this pull request Nov 4, 2014
@weaverryan
feature #4295 [Security] Hidden front controller for Nginx (phansys)
5165419 
This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes #4295).

Discussion
----------

[Security] Hidden front controller for Nginx

For Nginx in PROD env, this makes more difficult to know that app is running Symfony.

app.php is widely known as our default front controller.
It is a small effort by security through obscurity.
For Apache, [this 301 must be replaced by 404](https://github.com/symfony/symfony-standard/blob/77ee2a83c085169e0bd221510b5693dca504f682/web/.htaccess#L37).

| Q             | A
| ------------- | ---
| Doc fix?      | no
| New feature?  | no
| Applies to    | 2.0+
| Tests pass?   | yes
| Fixed tickets |

Commits
-------

fed56c2 Updated docblock for config in DEV environment.
d1f1b33 * Replaced IF statement by "internal" directive. * Splitted config for PROD and DEV environments.
ebf4ea8 For Nginx in PROD env, this makes more difficult to know that app is running Symfony. app.php is widely known as our default front controller. It is a small effort by security through obscurity. For Apache, this 301 must be replaced by 404: https://github.com/symfony/symfony-standard/blob/77ee2a83c085169e0bd221510b5693dca504f682/web/.htaccess#L37
weaverryan added a commit that referenced this pull request Nov 4, 2014
@weaverryan
[#4295] Tweaking notes language
9f6f05c
@weaverryan weaverryan closed this Nov 4, 2014
@phansys
Copy link
Contributor Author

phansys commented Nov 4, 2014

Thank you @weaverryan, @xabbuh.

weaverryan added a commit that referenced this pull request Nov 5, 2014
@weaverryan
Merge branch '2.3' into 2.5
1ae4e80 
* 2.3:
  A few small improvements to the EventDispatcher Component docs
  Fixes thanks to @xabbuh
  [#4295] Tweaking notes language
  Updated docblock for config in DEV environment.
  * Replaced IF statement by "internal" directive. * Splitted config for PROD and DEV environments.
  For Nginx in PROD env, this makes more difficult to know that app is running Symfony. app.php is widely known as our default front controller. It is a small effort by security through obscurity. For Apache, this 301 must be replaced by 404: https://github.com/symfony/symfony-standard/blob/77ee2a83c085169e0bd221510b5693dca504f682/web/.htaccess#L37
  [Best Practices] removed unused link in business-logic
  Add missing space in code
  [Config] Complete security encoder in full default configuration
  [reference][configuration][security]Added key_length for pbkdf2 encoder
  Fixed typo
  Reworded a misleading Doctrine explanation
weaverryan added a commit that referenced this pull request Nov 5, 2014
@weaverryan
Merge branch '2.5'
30c036b 
* 2.5:
  A few small improvements to the EventDispatcher Component docs
  Fixes thanks to @xabbuh
  [#4295] Tweaking notes language
  Updated docblock for config in DEV environment.
  * Replaced IF statement by "internal" directive. * Splitted config for PROD and DEV environments.
  For Nginx in PROD env, this makes more difficult to know that app is running Symfony. app.php is widely known as our default front controller. It is a small effort by security through obscurity. For Apache, this 301 must be replaced by 404: https://github.com/symfony/symfony-standard/blob/77ee2a83c085169e0bd221510b5693dca504f682/web/.htaccess#L37
  [Best Practices] removed unused link in business-logic
  Add missing space in code
  [Config] Complete security encoder in full default configuration
  [reference][configuration][security]Added key_length for pbkdf2 encoder
  Fixed typo
  Reworded a misleading Doctrine explanation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Status: Reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@phansys @wouterj @xabbuh @weaverryan