Conversation

@gnat gnat commented Mar 27, 2025

Thought I'd make a quick documentation PR as this has always spooked me with FrankenPHP. Prevents accidental exposure of raw .php files when using file_server. It'd be a security nightmare if we had an issue with unwanted PHP code downloads, particularly with projects that mix assets with code.

Protects us against scenarios where a .php ends up at file_server, ex: Caddyfile misconfiguration (could be as lame as a syntax issue or commenting out php or php_server) or FrankenPHP issue/crash.

Review comment on the proposed Caddyfile change (`file_server` replaced by a `file_server` block with `hide *.php`):

```caddyfile
php @phpFiles
file_server
file_server {
    hide *.php
}
```
Contributor


I'm not sure it makes sense to add hide *.php to this specific configuration. It might make people think they need to add it everywhere, even though in this case it's (as you mentioned) redundant.

Maybe it would make more sense to add a separate section with a specific scenario in which this would be necessary for security?

Author

gnat commented Mar 27, 2025

If there's any issue at the php or php_server directives, it'll fall through and your code is going to be publicly served by file_server. FrankenPHP is lovely but we've had crash fixes already.

Agreed, I don't like extra lines either, but if there's any regression/crash in FrankenPHP or someone messes up a Caddyfile edit, you get a very scary failure scenario.

Member

dunglas commented Apr 17, 2025

I agree with @AlliBalliBaba, we want to keep the docs as concise and straightforward as possible.

Author

gnat commented Apr 17, 2025

No slight to Kevin or the rest of the team, FrankenPHP is brilliant and I love the community work being done!!

Thoughts in case this is closed early:

  • IMHO at least a FAQ entry should be added. It's not at all obvious you can hide *.php to prevent serving raw .php code.
  • If there is a future security incident php_server (not php!) could be fixed as that directive is defined by FrankenPHP (has file_server internally).
  • For people reading in the future: Alternatively (but not for all projects) one could use asset paths using handle_path (ex: /images /css) using file_server in those.
    • ...I realize the intention of the docs is to be roughly equivalent to mod_php etc for classic PHP (php followed by file_server ... understandable! and very awesome!!)
  • This would not be the first time I called out an issue very early on... This CPU cores not being used. Performance issue. #294 which led to... perf: cgi-mode 1700% improvement #933
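The failure mode discussed in this thread (a `php` directive followed by a bare `file_server`, so that any problem in the PHP handler leaves `.php` source served as static files) can be caught by a configuration check before deployment. The following audit script is an added example written for this page, not code from the PR or from FrankenPHP; it assumes a plain Caddyfile layout (one top-level `{ ... }` block per site, no global options block or snippet imports) and flags sites that use `php` without `hide *.php` on their `file_server`.

```python
import re

# Constructed sample: the layout the PR discusses (php then a bare
# file_server) next to the hardened variant with `hide *.php`.
SAMPLE = """
unsafe.example {
    root * /srv/app/public
    @phpFiles path *.php
    php @phpFiles
    file_server
}

safe.example {
    root * /srv/app/public
    @phpFiles path *.php
    php @phpFiles
    file_server {
        hide *.php
    }
}
"""

def _site_blocks(text):
    """Yield (site_name, body_lines) per top-level site block.
    Assumption: one top-level `{` per site; no global options block."""
    depth, name, body = 0, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0 and line.endswith("{"):
            name, body, depth = line[:-1].strip(), [], 1
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0 and name is not None:
            yield name, body          # closing brace of the site reached
            name = None
        elif name is not None:
            body.append(line)

def audit_caddyfile(text):
    """Return {site: verdict}. A site that routes PHP through `php` and then
    falls through to a `file_server` lacking `hide *.php` is flagged."""
    verdicts = {}
    for site, body in _site_blocks(text):
        has_php = any(re.match(r"php\b", l) for l in body)   # `php`, not `php_server`
        fs_idx = [i for i, l in enumerate(body) if re.match(r"file_server\b", l)]
        if not fs_idx:
            verdicts[site] = "no file_server"
            continue
        hidden = False
        for i in fs_idx:
            if body[i].endswith("{"):          # scan the file_server sub-block
                d = 1
                for l in body[i + 1:]:
                    d += l.count("{") - l.count("}")
                    if d <= 0:
                        break
                    if re.match(r"hide\b", l) and "*.php" in l.split():
                        hidden = True
        verdicts[site] = "RISK: bare file_server after php" if has_php and not hidden else "ok"
    return verdicts
```

Run it over a real Caddyfile with `audit_caddyfile(open("Caddyfile").read())`; a `RISK` verdict means a misconfiguration or handler failure would expose PHP source.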

Member

dunglas commented Apr 18, 2025

I'm ok to add a section about this, just don't make it the default.

@dunglas dunglas closed this Jun 2, 2025