New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add system check warnings for php-fpm and nginx if config files are accessible #18398
Conversation
….ini.php access instead of config.ini.php
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code looks fine so far. But I'm not able to test that fully, as I don't have a nginx setup locally and no time to create one to only test that. I also haven't fully read the both issues this PR should solve, so not sure if that is the case. Maybe @Findus23 can have a quick look if this PR makes sense or not?
This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a quick spell checking
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems to work ok. Pending fixing @Findus23 changes this should be ok to merge, and then would be good to ask the users experiencing the problem originally if this resolves it for them.
Description:
Fixes #13589
Fixes #18132
Nginx doesn't use .htaccess files by default, therefore will not apply access restriction rules for the /config directory
Apache will ignore .htaccess files for any php files passed to php-fpm via fpm-fcgi, therefore will also not apply access restriction rules.
This PR adds additional checks to the system diagnostics page to detect these scenarios and provide informative warnings.
Accessibility of the /config/global.ini.php files is used a general test of whether the access rules are being applied. If the global config file is not accessible then no warnings will be shown even if running php-fpm or nginx, as we can assume that non-htaccess rules have been added to the server config and we don't want to show a warning once the issue has been corrected.
For the PHP-SAPI check:
If the config is accessible and fpm-fcgi is being used...
...if Apache then show a warning suggesting adding a ProxyPass rule
...if nginx then show a warning and link to the official nginx server configuration
...otherwise show a generic warning that an access rule should be added to prevent access to /config
For the server info check:
If the config is accessible and nginx is being used then show a warning and link to the official nginx server configuration
Review