
feature #4295 [Security] Hidden front controller for Nginx (phansys)

This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes #4295).

Discussion
----------

[Security] Hidden front controller for Nginx

For Nginx in the PROD env, this makes it more difficult to know that the app is running Symfony.

app.php is widely known as our default front controller.
It is a small effort at security through obscurity.
For Apache, [this 301 must be replaced by a 404](https://github.com/symfony/symfony-standard/blob/77ee2a83c085169e0bd221510b5693dca504f682/web/.htaccess#L37).

| Q             | A
| ------------- | ---
| Doc fix?      | no
| New feature?  | no
| Applies to    | 2.0+
| Tests pass?   | yes
| Fixed tickets |
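For reference, here is what the PROD-only part of such a server block looks like once the front controller is hidden and stray PHP files are closed off as well. This is an added example, not the docs' or the PR's own snippet; the host name, web root, socket path and log paths are assumptions.

```nginx
# Added example (not the Symfony docs' own snippet): a PROD-only server block
# that hides app.php. Host name, paths and the PHP-FPM socket are assumptions.
server {
    server_name domain.tld;
    root /var/www/project/web;

    location / {
        # serve an existing file directly, otherwise hand the URI to app.php
        try_files $uri /app.php$is_args$args;
    }

    # The only PHP entry point. "internal" makes nginx answer an external
    # request for /app.php or /app.php/anything with 404; this location is
    # reachable only through the internal redirect issued by try_files above.
    # Regex locations are matched in file order, so this one must come before
    # the catch-all below.
    location ~ ^/app\.php(/|$) {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS off;
        internal;
    }

    # Any other .php file under the web root (a forgotten app_dev.php or
    # config.php, an uploaded script) is neither executed nor served as
    # plain text by the "location /" try_files: it gets a 404 like app.php.
    location ~ \.php$ {
        return 404;
    }

    error_log  /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}
```

Check the result with `nginx -t` before reloading, then verify from outside the host: `curl -I http://domain.tld/app.php` and `curl -I http://domain.tld/app_dev.php` should both return 404, while `curl -I http://domain.tld/` still returns the application's normal response, because the request reaches app.php only through the internal redirect.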

Commits
-------

fed56c2 Updated docblock for config in DEV environment.
d1f1b33 * Replaced IF statement by "internal" directive. * Split config for PROD and DEV environments.
ebf4ea8 For Nginx in the PROD env, this makes it more difficult to know that the app is running Symfony. app.php is widely known as our default front controller. It is a small effort at security through obscurity. For Apache, this 301 must be replaced by a 404: https://github.com/symfony/symfony-standard/blob/77ee2a83c085169e0bd221510b5693dca504f682/web/.htaccess#L37
weaverryan committed Nov 4, 2014
2 parents 42abc66 + fed56c2 commit 51654191bea12960f64ead9a00cf0c293532246a
Showing with 16 additions and 2 deletions.
  1. +16 −2 cookbook/configuration/web_server_configuration.rst
@@ -206,13 +206,27 @@ are:
# try to serve file directly, fallback to app.php
try_files $uri /app.php$is_args$args;
}
location ~ ^/(app|app_dev|config)\.php(/|$) {
# DEV
# Be sure to remove app_dev.php and config.php scripts when app is
# deployed to PROD environment, this rule only must be placed on DEV
location ~ ^/(app_dev|config)\.php(/|$) {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS off;
}
# PROD
location ~ ^/app\.php(/|$) {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS off;
# prevent explicit access and hide front controller
# remove "internal" directive if you want to allow uri's like
# http://domain.tld/app.php/some-path
internal;
}
error_log /var/log/nginx/project_error.log;
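Review bot: the comment above `internal;` in the PROD block should state what the directive actually does, because "prevent explicit access" undersells it: nginx answers any external request for `/app.php` or `/app.php/some-path` with a 404, while the internal redirect from `try_files $uri /app.php$is_args$args;` in the block above still reaches this location, which is exactly why the fallback keeps working. Separately, once `app_dev.php` and `config.php` are removed as the DEV comment instructs, nothing in these lines stops any other `.php` file under the document root from being served as a plain file by `try_files $uri` (the request matches no regex location and falls into `location /`); suggest closing the PROD config with `location ~ \.php$ { return 404; }` after the `app.php` location so stray scripts are neither executed nor downloaded as source.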
