
Add .htpasswd to banned locations in nginx config #34388

Merged: 1 commit, May 18, 2022

Conversation

@marvinhinz (Contributor) commented Oct 19, 2021

Description (*)

The nginx config file contains a section that catches and blocks requests that don't match the other blocks. If the .htaccess is blocked, it just seems logical to exclude the .htpasswd too because of sensitive data.

Sometimes nginx is used in front of apache as a reverse proxy, so it is possible for apache config files to exist.

Related Pull Requests

Fixed Issues (if relevant)

  1. Fixes magento/magento2#<issue_number>

Manual testing scenarios (*)

  1. ...
  2. ...

Questions or comments

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)

Resolved issues:

  1. resolves [Issue] Add .htpasswd to banned locations in nginx config #35150: Add .htpasswd to banned locations in nginx config

@m2-assistant (bot) commented Oct 19, 2021

Hi @marvinhinz. Thank you for your contribution
Here are some useful tips on how you can test your changes using the Magento test environment.
Add the comment under your pull request to deploy test or vanilla Magento instance:

  • @magento give me test instance - deploy test instance based on PR changes
  • @magento give me 2.4-develop instance - deploy vanilla Magento instance

❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names. Allowed build names are:

  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here

ℹ️ Please run only needed test builds instead of all when developing. Please run all test builds before sending your PR for review.

For more details, please, review the Magento Contributor Guide documentation.

⚠️ According to the Magento Contribution requirements, all Pull Requests must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

🕙 You can find the schedule on the Magento Community Calendar page.

📞 The triage of Pull Requests happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.

🎥 You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

@m2-community-project m2-community-project bot added this to Ready for Testing in Pull Requests Dashboard Oct 21, 2021
@ihor-sviziev ihor-sviziev added Auto-Tests: Not Required Changes in Pull Request does not require coverage by auto-tests Risk: low Severity: S3 Affects non-critical data or functionality and does not force users to employ a workaround. labels Oct 21, 2021
@magento-engcom-team (Contributor)

Hi @ihor-sviziev, thank you for the review.
ENGCOM-9272 has been created to process this Pull Request

@sidolov sidolov added the Priority: P2 A defect with this priority could have functionality issues which are not to expectations. label Oct 28, 2021
@m2-community-project m2-community-project bot removed this from Ready for Testing in Pull Requests Dashboard Oct 28, 2021
@engcom-Alfa (Contributor)

@magento run all tests

@magento-automated-testing

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

@engcom-Alfa (Contributor)

Hi @marvinhinz and @ihor-sviziev
Thanks for your contribution and collaboration!
As part of QA validation, could you please help me with steps to reproduce the existing issue where exactly and how that reflects, so that we can validate the changes for further steps.
Thanks in advance!

@engcom-Alfa (Contributor)

@magento run Functional Tests B2B, Functional Tests CE, Functional Tests EE

@magento-automated-testing

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

@engcom-Alfa (Contributor)

@magento run Functional Tests B2B, Functional Tests CE, Functional Tests EE

@magento-automated-testing

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

@ihor-sviziev (Contributor)

@magento run Functional Tests CE

@magento-automated-testing

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

(2 similar comments from @magento-automated-testing)

@engcom-Alfa (Contributor)

@magento run Functional Tests CE

@magento-engcom-team (Contributor)

Hi @ihor-sviziev, thank you for the review.
ENGCOM-9379 has been created to process this Pull Request

@magento-automated-testing

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

(1 similar comment from @magento-automated-testing)

@ihor-sviziev (Contributor) commented Jan 17, 2022 via email

@engcom-Alfa (Contributor) commented Jan 18, 2022

Hi @ihor-sviziev , @marvinhinz , @hostep and @andrewbess

We have just followed the below given steps:

  1. Utilised my local installed magento instance version 2.4-develop (Not included this PR changes)
  2. Created a file .htpasswd and .htaccess in magento root folder/pub.
  3. Instance upgraded and flushed properly
  4. Accessed the file from the web browser

As per the above comments and descriptions, I have to expect the issue where we should be able to access the created files. But there is no issue as such prior to pulling the PR changes, because the files are not accessible, as shown in the screenshot below.
[screenshot]

Kindly recommend us if we have to change in our execution procedure.

cc: @engcom-Dash

@engcom-Alfa (Contributor)

✔️ QA Passed

Preconditions:

  1. Have Magento installed on the nginx server
  2. Make sure Magento is working properly.

Manual testing scenario:

  1. By default there is a .htaccess file inside the magento_root/pub folder; duplicate the file and rename the duplicated new file to .htpasswd.

  2. Restart nginx and upgrade Magento once

  3. Try to access the file using the link http://application_domain/pub/.htpasswd from browser.

Before: ✖️ .htpasswd file was responding with some data in the browser
[screenshot]

After: ✔️ Completely not responding with the data and giving an error now

Since this PR is related to accessing a non-functional file and has no impact on any features, no additional testing is required
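To make the before/after behaviour from the PR description and the QA scenario above concrete, here is an added example (mine, not the PR's code or Magento's own): a small Python emulation of nginx's `location ~* (...) { deny all; }` matching, run against constructed request paths. The two regexes are an assumption reconstructed from the PR title and Magento's `nginx.conf.sample`, since this page does not show the diff; the sample paths are constructed, and the helper names are mine.

```python
import re
from urllib.parse import unquote

# Banned-locations regex before and after this PR. Assumption: reconstructed
# from the PR title and Magento's nginx.conf.sample, not quoted from the diff.
BANNED_BEFORE = r"(\.php$|\.phtml$|\.htaccess$|\.git)"
BANNED_AFTER = r"(\.php$|\.phtml$|\.htaccess$|\.htpasswd$|\.git)"


def nginx_uri(raw_request_path: str) -> str:
    """Approximate the $uri that nginx matches `location` blocks against.

    nginx percent-decodes the request path before location matching, so
    /%2Ehtpasswd is seen as /.htpasswd. Simplification: real nginx also
    collapses '//' and resolves '..', which this emulation does not do.
    """
    return unquote(raw_request_path.split("?", 1)[0])


def is_banned(pattern: str, raw_request_path: str) -> bool:
    """True if `location ~* <pattern> { deny all; }` would catch the request.

    `~*` is a case-insensitive regex location (hence re.IGNORECASE) and the
    match is unanchored unless the pattern anchors itself (hence re.search).
    """
    return re.search(pattern, nginx_uri(raw_request_path), re.IGNORECASE) is not None


def exposed_paths(pattern: str, paths) -> list:
    """Return the subset of `paths` the banned-locations block does NOT deny."""
    return [p for p in paths if not is_banned(pattern, p)]


# Constructed sample request paths: the files QA created under pub/, plus
# variants a scanner would try and one legitimate asset that must stay reachable.
SAMPLE_PATHS = [
    "/pub/.htaccess",
    "/pub/.htpasswd",
    "/.htpasswd",
    "/.HTPASSWD",                  # case variant; ~* makes the match case-insensitive
    "/pub/%2Ehtpasswd",            # percent-encoded dot; decoded before matching
    "/pub/.htpasswd.bak",          # backup copy; outside the $-anchored pattern
    "/.git/config",
    "/static/frontend/theme.css",  # legitimate asset
]

if __name__ == "__main__":
    print("exposed before:", exposed_paths(BANNED_BEFORE, SAMPLE_PATHS))
    print("exposed after: ", exposed_paths(BANNED_AFTER, SAMPLE_PATHS))
```

Under these assumed patterns the fix closes `/pub/.htpasswd` and its case and percent-encoded variants, which is exactly what the QA step checks. The `.htpasswd$` anchor does not cover a suffixed copy such as `.htpasswd.bak`, which is the usual argument for a broader dotfile rule (`location ~ /\.`) on a docroot that may hold Apache files; whether that fits Magento's layout is outside what this PR changes.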

@engcom-Alfa (Contributor)

@magento create issue

Labels
Auto-Tests: Not Required Changes in Pull Request does not require coverage by auto-tests Priority: P2 A defect with this priority could have functionality issues which are not to expectations. Progress: accept Release Line: 2.4 Risk: low Severity: S3 Affects non-critical data or functionality and does not force users to employ a workaround.
Successfully merging this pull request may close these issues.

[Issue] Add .htpasswd to banned locations in nginx config
9 participants