Add configuration to deny access to composer files, .git etc. #99

Open
lavita-it opened this issue Apr 17, 2019 · 2 comments

@lavita-it

What type of report is this:

| Q | A |
|---|---|
| Bug report? | |
| Feature request? | |
| Enhancement? | Y |

Description:

When deploying as described, a lot of config files would be public (composer.lock, composer.custom, composer.json, .git etc.). I think we would need an additional Apache configuration file to deny access to those files.

If a bug:

| Q | A |
|---|---|
| Mautic version | 2.15.0 |
| PHP version | 7.2 |

Steps to reproduce:

  1. Deploy to Elastic Beanstalk
  2. Access http://your-domain.com/.git/config or /composer.json etc.

Log errors:

No errors

@virgilwashere

This should achieve that for nginx

nginx deny location blocks

    # Deny all attempts to access hidden files/folders such as .git, .htaccess, .htpasswd, .DS_Store (Mac), etc...
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny yaml, twig, markdown, ini file access
    location ~* /.+\.(markdown|md|twig|yaml|yml|ini)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all grunt, package files
    location ~* (Gruntfile|package)\.(js|json|jsonc)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all composer files
    location ~* composer\. {
        deny all;
        access_log off;
        log_not_found off;
    }
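
To see which request paths the four nginx location patterns above actually cover, this added example (not part of the original comment or the project) replays them in Python against constructed request paths. It assumes only these four regex locations apply, checked in the order posted; the rule labels and sample paths are made up for illustration.

```python
import re
from urllib.parse import unquote

# The four regex locations from the comment above, in posted order.
# nginx "~" is case-sensitive, "~*" is case-insensitive.
# Rule labels ("hidden", "docs", ...) are hypothetical names for this example.
RULES = [
    ("hidden",   re.compile(r"/\.")),
    ("docs",     re.compile(r"/.+\.(markdown|md|twig|yaml|yml|ini)$", re.I)),
    ("package",  re.compile(r"(Gruntfile|package)\.(js|json|jsonc)$", re.I)),
    ("composer", re.compile(r"composer\.", re.I)),
]

def normalize(request_target):
    """Approximate nginx URI normalization before location matching:
    drop the query string, decode %XX, merge repeated slashes."""
    path = unquote(request_target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)

def denied_by(request_target):
    """Return the label of the first rule whose regex matches, else None."""
    path = normalize(request_target)
    for name, pattern in RULES:
        if pattern.search(path):
            return name
    return None

# Constructed sample requests (not taken from any real log).
SAMPLES = [
    "/.git/config", "/composer.json", "/composer.lock", "/composer.custom",
    "/COMPOSER.JSON?x=1", "/README.md", "/Gruntfile.js", "/package.json",
    "/package-lock.json", "/.well-known/acme-challenge/token", "/index.php",
]

def audit(samples=SAMPLES):
    """Map each sample request to the rule that denies it (None = not covered)."""
    return {s: denied_by(s) for s in samples}

if __name__ == "__main__":
    for target, rule in audit().items():
        print(f"{target:40} {'DENY (' + rule + ')' if rule else 'not covered'}")
```

Two things stand out in the result: the package rule only matches the literal names `package.` and `Gruntfile.`, so `/package-lock.json` is not covered, and the hidden-file rule also denies `/.well-known/` paths. Because each block sets `access_log off`, requests it denies do not appear in the access log.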

@rinaldipratama

Thank you so much! It worked 😀
