Moving public scripts to public directory #2033

Closed
yurikuzn opened this issue Jul 6, 2021 · 0 comments
yurikuzn commented Jul 6, 2021

All CLI-only scripts and application files will be outside the public directory, making the system more secure. Scripts, node modules, logs, backups, etc. that are created in the root directory won't be reachable over HTTP by default.

On the production:

  • the document root should be set to /path/to/espo/public/;
  • an alias /client/ => /path/to/espo/client/ should be added.

Instances running on the Apache webserver with .htaccess enabled (AllowOverride) should work after the upgrade without any action required. It is nevertheless recommended to set the document root to the public dir for security reasons.

For other webservers (Nginx and others), small changes in the configuration will be required.
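A quick post-upgrade check, added here as an example and not part of this issue or of EspoCRM itself: once the document root points at public/, files that live in the application root should no longer answer with HTTP 200. The listed paths are assumptions about what sits outside public/ (composer.json, vendor/, node_modules/, data/logs/, .git) and should be adjusted to the real install.

```shell
#!/bin/sh
# Added example, not code from the EspoCRM project.
# Verifies that root-level files are not served after the document root
# was moved to public/. Paths are illustrative assumptions; edit to taste.
ROOT_ONLY_PATHS="/composer.json /vendor/autoload.php /node_modules/ /data/logs/ /.git/HEAD"

# Print the HTTP status code for a URL. Kept as a plain function so it can
# be stubbed in a test without a live server.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Request every root-only path under base URL $1 and print those that
# answer 200. Returns 0 when nothing is exposed, 1 otherwise.
# A 403 or 404 is the expected answer for each of these paths.
check_exposure() {
    base="${1%/}"
    exposed=0
    for p in $ROOT_ONLY_PATHS; do
        code=$(http_status "$base$p")
        if [ "$code" = "200" ]; then
            echo "EXPOSED $p -> $code"
            exposed=1
        fi
    done
    return $exposed
}

# Usage: ./check_exposure.sh https://crm.example.com
if [ "$#" -gt 0 ]; then
    check_exposure "$1"
fi
```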

Apache

Config example:

DocumentRoot /var/www/html/public/
Alias /client/ /var/www/html/client/

<Directory /var/www/html/>
    AllowOverride None
</Directory>

<Directory /var/www/html/public/>
    AllowOverride All
</Directory>

A config example for a portal with a custom URL (replace {PORTAL_ID} with a portal ID):

DocumentRoot /var/www/html/public/portal/
Alias /client/ /var/www/html/client/
Alias /api/v1/ /var/www/html/public/api/v1/

<Directory /var/www/html/>
    AllowOverride None
</Directory>

<Directory /var/www/html/public/>
    AllowOverride All
</Directory>

<IfModule mod_rewrite.c>
    RewriteEngine On

    RewriteRule .* - [E=ESPO_PORTAL_ID:{PORTAL_ID}]
</IfModule>

Nginx

Config example:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name localhost; # domain name

    charset utf-8;
    index index.html index.php;

    client_max_body_size 50M;

    keepalive_timeout 300;
    types_hash_max_size 2048;

    server_tokens off;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;

    gzip on;
    gzip_types text/plain text/css text/javascript application/javascript application/json;
    gzip_min_length 1000;
    gzip_comp_level 9;
    
    root /var/www/html/public; # path to public dir

    location /client {
        root /var/www/html; # path to espocrm root dir
        autoindex off;

        location ~* ^.+\.(js|css|png|jpg|jpeg|gif|ico|tpl)$ {
            access_log off;
            expires max;
        }
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    location ~ \.php$ {
        fastcgi_pass espocrm-php:9000;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param QUERY_STRING $query_string;
    }

    location /api/v1/ {
        if (!-e $request_filename){
            rewrite ^/api/v1/(.*)$ /api/v1/index.php last; break;
        }
    }

    location /portal/ {
        try_files $uri $uri/ /portal/index.php?$query_string;
    }

    location /api/v1/portal-access {
        if (!-e $request_filename){
            rewrite ^/api/v1/(.*)$ /api/v1/portal-access/index.php last; break;
        }
    }

    location ~ /(\.htaccess|web\.config|\.git) {
        deny all;
    }
}

Config example for portal (replace {PORTAL_ID} with a portal ID):

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name localhost; # domain name

    charset utf-8;
    index index.html index.php;

    client_max_body_size 50M;

    keepalive_timeout 300;
    types_hash_max_size 2048;

    server_tokens off;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;

    gzip on;
    gzip_types text/plain text/css text/javascript application/javascript application/json;
    gzip_min_length 1000;
    gzip_comp_level 9;
    
    root /var/www/html/public/portal; # path to `public/portal` dir

    location /client {
        root /var/www/html;
        autoindex off;

        location ~* ^.+\.(js|css|png|jpg|jpeg|gif|ico|tpl)$ {
            access_log off;
            expires max;
        }
    }

    location /api {
        root /var/www/html/public; # path to `public` dir
        autoindex off;

        location ~ \.php$ {
            fastcgi_pass espocrm-php:9000;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param QUERY_STRING $query_string;
        }

        location /api/v1/portal-access {
            if (!-e $request_filename){
                rewrite ^/api/v1/portal-access/(.*)$ /api/v1/portal-access/index.php last; break;
            }
        }
    }

    location ~ \.php$ {
        fastcgi_pass espocrm-php:9000;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param QUERY_STRING $query_string;

        fastcgi_param ESPO_PORTAL_ID {PORTAL_ID}; # portal ID
        fastcgi_param ESPO_PORTAL_IS_CUSTOM_URL "true";
    }

    location ~ /(\.htaccess|web\.config|\.git) {
        deny all;
    }
}
@yurikuzn yurikuzn added this to the Version 6.2.0 milestone Jul 6, 2021
@yurikuzn yurikuzn self-assigned this Jul 6, 2021