@bx80 opened this Pull Request on November 29th 2021 Contributor

Description:

Fixes #13589
Fixes #18132

Nginx doesn't use .htaccess files by default and therefore will not apply access restriction rules for the /config directory.
Apache will ignore .htaccess files for any PHP files passed to php-fpm via fpm-fcgi and therefore will also not apply access restriction rules.

This PR adds additional checks to the system diagnostics page to detect these scenarios and provide informative warnings.

Accessibility of the /config/global.ini.php file is used as a general test of whether the access rules are being applied. If the global config file is not accessible then no warnings will be shown even if running php-fpm or nginx, as we can assume that non-htaccess rules have been added to the server config and we don't want to show a warning once the issue has been corrected.

For the PHP-SAPI check:
If the config is accessible and fpm-fcgi is being used...
...if Apache then show a warning suggesting adding a ProxyPass rule
...if nginx then show a warning and link to the official nginx server configuration
...otherwise show a generic warning that an access rule should be added to prevent access to /config

For the server info check:
If the config is accessible and nginx is being used then show a warning and link to the official nginx server configuration
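
The decision logic described in this PR, written out as an added example (not code from the PR or from Matomo). The function names, warning strings and sample `SERVER_SOFTWARE` values are assumptions, and whether the config file is reachable is passed in as a boolean because the page does not show how the probe is made.

```php
<?php
// Added illustration, not Matomo's code: all function names and messages are hypothetical.

// Classify the web server from $_SERVER['SERVER_SOFTWARE'], e.g. "nginx/1.18.0".
function serverKind(string $serverSoftware): string
{
    $s = strtolower($serverSoftware);
    if (strpos($s, 'nginx') !== false) {
        return 'nginx';
    }
    return strpos($s, 'apache') !== false ? 'apache' : 'other';
}

// PHP-SAPI check: warn only if the config file is reachable AND PHP runs as fpm-fcgi.
function sapiCheck(bool $configAccessible, string $sapi, string $serverSoftware): ?string
{
    if (!$configAccessible || $sapi !== 'fpm-fcgi') {
        return null; // config not reachable, or PHP is not running as fpm-fcgi
    }
    switch (serverKind($serverSoftware)) {
        case 'apache':
            return 'php-fpm ignores .htaccess: add a ProxyPass rule';
        case 'nginx':
            return 'php-fpm under nginx: see the official nginx server configuration';
        default:
            return 'add a server access rule that blocks /config';
    }
}

// Server info check: nginx does not read .htaccess files by default.
function serverInfoCheck(bool $configAccessible, string $serverSoftware): ?string
{
    if ($configAccessible && serverKind($serverSoftware) === 'nginx') {
        return 'nginx: see the official nginx server configuration';
    }
    return null;
}

// Constructed environments: [config reachable over HTTP?, PHP_SAPI, SERVER_SOFTWARE].
$cases = [
    [true,  'fpm-fcgi',       'Apache/2.4.52 (Ubuntu)'],
    [true,  'fpm-fcgi',       'nginx/1.18.0'],
    [false, 'fpm-fcgi',       'nginx/1.18.0'],   // fixed in server config: stay silent
    [true,  'apache2handler', 'Apache/2.4.52 (Ubuntu)'],
];
foreach ($cases as [$accessible, $sapi, $software]) {
    printf("%-14s %-24s sapi=%s | server=%s\n", $sapi, $software,
        sapiCheck($accessible, $sapi, $software) ?? 'ok',
        serverInfoCheck($accessible, $software) ?? 'ok');
}
```

With nginx plus php-fpm and a reachable config file, both checks fire, which matches the two separate warnings listed in the description.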

Review

@github-actions[bot] commented on December 10th 2021 Contributor

This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers

@justinvelluppillai commented on December 10th 2021 Member

@Findus23 do you have time to look at this? If not, we can get @bx80 to check it again to confirm in relevant environments and then we can merge if there are no issues.

This Pull Request was closed on December 14th 2021