Cached files readable under Nginx #435

Open
raamdev opened this issue Mar 7, 2015 · 5 comments

@raamdev
Contributor

raamdev commented Mar 7, 2015

@philbraun writes...

Looking at the content of /wp-content/cache/zencache/cache/ I noticed a .htaccess file, which to me looks like it should disable access to the cached .html files from the outside (i.e. anything but WordPress).

However, my test server is NGiNX-only, and does not speak .htaccess, as far as I know. I can easily open and read any and all cached html files directly, using any non logged-in browser. Is that the way it's supposed to be?

@jaswsinc writes...

Is that the way it's supposed to be?

@philbraun No. These files should not be public. If you have user-specific caching disabled (default behavior), then there's nothing in these files that is super sensitive. However, I would agree that we should look at adding compatibility for Nginx also. I'm not sure if this is possible for ZenCache to do though.

@raamdev I'm guessing that we will need to display a notice if Nginx is detected. I think this is something that must be done inside a server configuration file, since Nginx does not support .htaccess.

Referencing: http://kbeezie.com/protecting-folders-with-nginx/

Thought: It might be worth it for us to name the cache directory .cache. I'm not sure if Nginx protects dot files automatically or not, but many hosting platforms will do this.

@HandyGadget

@raamdev You might want to take a look at ServerPilot https://serverpilot.io/features-overview.html#performance ~ who have been very successful in the DigitalOcean space ~ and whose standard install is OpCode in front of NginX in front of Apache2. In this case both the NginX AND the Apache2 .htaccess configurations come into play.

I might add I run 59 VPS web-servers using ServerPilot on DigitalOcean and I am having a real problem trying to get HTML compression to work, whereas the Autoptimize together with the Autoptimize Helper works every time.

@jaswrks

jaswrks commented Apr 19, 2015

@QloudPress writes...

OpCode in front of NginX in front of Apache2. In this case both the NginX AND the Apache2 .htaccess configurations come into play.

Thanks for that tip. I have seen a lot of articles about this lately. Companies like Server Pilot are thinking outside the box. Love it! It's taking full advantage of the strengths of each web server.

In terms of how we approach Nginx compatibility in ZenCache though, we need to find ways of securing directories in "the Nginx way" and also in "the Apache way". We've got Apache covered. Now we need to find a way to secure a directory in Nginx—though it seems impossible since Nginx does not support .htaccess.
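Added example, not part of the thread and not ZenCache's own code: a server-level Nginx configuration that does what the `.htaccess` file does under Apache for the cache directory quoted above, plus the dot-file rule that a directory named `.cache` would depend on. The server name, document root and PHP-FPM socket are placeholder assumptions; only the `/wp-content/cache/zencache/` path comes from this issue.

```nginx
# Added example; every value except the cache path is an assumption.
server {
    listen 80;
    server_name example.com;                 # placeholder
    root /var/www/example.com;               # placeholder document root
    index index.php;

    # Counterpart of the .htaccess deny rule for the cache directory.
    # "^~" makes this prefix match final, so no regex location further
    # down (for example the PHP handler) can serve a file from here.
    location ^~ /wp-content/cache/zencache/ {
        deny all;                            # 403 for every HTTP client
    }

    # Nginx does not hide dot files on its own; a directory named
    # ".cache" is only protected if a rule like this one exists.
    # ".well-known" stays reachable for ACME and similar checks.
    location ~ /\.(?!well-known/) {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
    }
}
```

The `deny` rules apply only to HTTP requests, so a direct request for a cached `.html` file returns 403 while code running on the server can still read the files from disk. Because the rule lives in the server configuration, it has to be added by whoever administers Nginx and takes effect after a configuration reload.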

@HandyGadget

Hmm. Security you say.

That's above my pay grade Jason.

I just do using, breaking, fixing and stuff like that.

@jaswrks

jaswrks commented Nov 12, 2015

@raamdev
Contributor Author

raamdev commented Nov 12, 2015

This seems related to #322.
