Hi Paul!

> On 02.09.2022 at 14:52, Paul Pace <[email protected]> wrote:
> 
> On 2022-09-01 13:20, Mike Fischer wrote:
>>> On 01.09.2022 at 21:49, [email protected] wrote:
>>>>> On 01.09.2022 at 11:13, [email protected] wrote:
>>>>> historia.agroena.org
>>>> Right, try something like this and watch the error.log:
>>>> curl --url 'https://historia.agroena.org/i-dont-exist.php' >/dev/null
>>>> HTH
>>>> Mike
>>> OK, now:
>>> First I stopped httpd (rcctl stop httpd), then deleted error.log, and
>>> rcctl restart http! It is working correctly.
>>> Thanks, Mike
>> Not sure how that (or my advice for a test) would help, but I’m glad it did 
>> :-)
>>> PS:
>>> DokuWiki was working OK, but after the test the browser says "file not
>>> found" and I am not able to access install.php! I did first # rcctl enable
>>> php74_fpm and rcctl start php74_fpm; the httpd.conf says root "www/dokuwiki"
>>> directly using consultores.ca/install.php!
>> root "www/dokuwiki" does not sound right. Are you using the standard
>> /var/www/dokuwiki directory for DW? If so it should be:
>> root "/dokuwiki"
>> Here is a similar setup I am using with DW from ports (Hogfather):
>> server "wiki.example.com" {
>>      listen on $my_ipv6 tls port 443
>>      tls {
>>              certificate "/etc/ssl/acme/fullchain.pem"
>>              key "/etc/ssl/acme/private/privkey.pem"
>>      }
>>      log style combined
>>      authenticate "Private area" with "/conf/htpasswd-admin"
>>      root "/dokuwiki"
>>      directory index doku.php
>>      connection max request body 2097152     # Default is 2M for upload_max_filesize and 8M for post_max_size.
>>      location "*.php" {
>>              fastcgi socket "/run/php-fpm.sock"
>>      }
>>      location "/*.inc" { block }
>>      location "/*.ht*" { block }
>>      location "/data/*" { block }
>>      location "/conf/*" { block }
>>      location "/bin/*" { block }
>>      location "/inc/*" { block }
>>      location "/vendor/*" { block }
> 
> The DokuWiki security page[1] states:
> 
> The following directories should not be accessible from the web:
> 
>    data
>    conf
>    bin
>    inc (isn't dangerous when accessible, though)
>    vendor (leaks info about your environment)
> 
> 
> And httpd.conf(5)[2] states:
> 
>> In case of multiple location statements in the same context, the first 
>> matching location statement will be put into effect, while all later ones 
>> will be ignored. Therefore it is advisable to match for more specific paths 
>> first and for generic ones later on.
> 
> In regards to the current configuration, I believe the matches that pass 
> should be last and matches that block directories should be listed first. Or, 
> alternatively, and better, would be to figure out exactly which .php files 
> are required for the package to run, then make a location rule for each file 
> (unless someone can figure out how to make something the equivalent of a 
> logical or statement (regex: (this|that)) in a single location or location 
> match block to have each of the required .php files pass.
> 
> When I read the configuration, it appears in the reverse order of what is 
> recommended by DokuWiki, so in the above configuration a request for:
> 
> https://wiki.example.com/data/acl.auth.php
> 
> will be passed to php-fpm.sock because that will be matched by the first 
> location. I have no idea the damage to be done with this or other files, but 
> it is against the security guidance of the project.
> 
> It seems like the correct order should be to have the following order of 
> locations:
> 
>       location "/*.inc" { block }
>       location "/*.ht*" { block }
>       location "/data/*" { block }
>       location "/conf/*" { block }
>       location "/bin/*" { block }
>       location "/inc/*" { block }
>       location "/vendor/*" { block }
>       location "*.php" {
>               fastcgi socket "/run/php-fpm.sock"
>       }
> 
> However, I have not tested this.

I just did test this and you are absolutely correct! Thanks for pointing that 
out. I had missed this in httpd.conf(5). I’ll change all of my configs 
accordingly.


Mike
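The following is an added check, not code from the thread: it models the first-match rule Paul quotes from httpd.conf(5) by parsing the location lines of a constructed fragment that uses Mike's original order, resolving a few constructed request paths for files DokuWiki says must stay unreachable, and showing that moving the block rules ahead of "*.php" closes the gap. It assumes httpd matches location patterns with fnmatch(3)-style globbing in which `*` also matches `/`, and uses Python's fnmatch as a stand-in for that.

```python
import fnmatch
import re
# Constructed httpd.conf fragment reproducing the location order quoted in the
# thread: the "*.php" pass-through first, the block rules after it.
ORIGINAL_CONF = """
server "wiki.example.com" {
    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    location "/*.inc" { block }
    location "/*.ht*" { block }
    location "/data/*" { block }
    location "/conf/*" { block }
    location "/bin/*" { block }
    location "/inc/*" { block }
    location "/vendor/*" { block }
}
"""
LOC_RE = re.compile(r'^\s*location\s+"([^"]+)"\s*\{\s*(.*)$')
# Constructed request paths for files DokuWiki says must not be reachable.
SENSITIVE_PATHS = ["/data/acl.auth.php", "/conf/local.php", "/bin/indexer.php",
                   "/inc/init.php", "/vendor/autoload.php"]

def parse_locations(conf):
    """List (pattern, action) in file order; action is the block's first directive."""
    out, lines, i = [], conf.splitlines(), 0
    while i < len(lines):
        m = LOC_RE.match(lines[i])
        if m:
            words = m.group(2).rstrip("}").split()  # one-line form: { block }
            if not words:                           # multi-line form: look at the next line
                i += 1
                words = lines[i].split()
            out.append((m.group(1), words[0]))
        i += 1
    return out

def first_match(locations, path):
    """First matching location wins (httpd.conf(5)); assumes fnmatch(3) globbing where '*' also matches '/'."""
    for pattern, action in locations:
        if fnmatch.fnmatchcase(path, pattern):
            return (pattern, action)
    return None

def exposed_paths(locations, paths=SENSITIVE_PATHS):
    """Sensitive paths that the given order hands to something other than block."""
    return [p for p in paths if (m := first_match(locations, p)) and m[1] != "block"]

def blocks_first(locations):
    """Paul's proposed order: every block rule ahead of the "*.php" pass-through."""
    return sorted(locations, key=lambda loc: loc[1] != "block")
```

With the original order every listed .php file resolves to the fastcgi location; after `blocks_first` none of them does, while `/doku.php` still reaches php-fpm.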
