feature #4295 [Security] Hidden front controller for Nginx (phansys)

weaverryan · weaverryan · commit 51654191bea1 · 2014-11-04T09:54:30.000-05:00
This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes #4295). Discussion ---------- [Security] Hidden front controller for Nginx For Nginx in PROD env, this makes more difficult to know that app is running Symfony. app.php is widely known as our default front controller. It is a small effort by security through obscurity. For Apache, [this 301 must be replaced by 404](https://github.com/symfony/symfony-standard/blob/77ee2a83c085169e0bd221510b5693dca504f682/web/.htaccess#L37). | Q | A | ------------- | --- | Doc fix? | no | New feature? | no | Applies to | 2.0+ | Tests pass? | yes | Fixed tickets | Commits ------- fed56c2 Updated docblock for config in DEV environment. d1f1b33 * Replaced IF statement by "internal" directive. * Splitted config for PROD and DEV environments. ebf4ea8 For Nginx in PROD env, this makes more difficult to know that app is running Symfony. app.php is widely known as our default front controller. It is a small effort by security through obscurity. For Apache, this 301 must be replaced by 404: https://github.com/symfony/symfony-standard/blob/77ee2a83c085169e0bd221510b5693dca504f682/web/.htaccess#L37
diff --git a/cookbook/configuration/web_server_configuration.rst b/cookbook/configuration/web_server_configuration.rst
@@ -206,13 +206,27 @@ are:
             # try to serve file directly, fallback to app.php
             try_files $uri /app.php$is_args$args;
         }
-
-        location ~ ^/(app|app_dev|config)\.php(/|$) {
+        # DEV
+        # Be sure to remove app_dev.php and config.php scripts when app is
+        # deployed to PROD environment, this rule only must be placed on DEV
+        location ~ ^/(app_dev|config)\.php(/|$) {
+            fastcgi_pass unix:/var/run/php5-fpm.sock;
+            fastcgi_split_path_info ^(.+\.php)(/.*)$;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param HTTPS off;
+        }
+        # PROD
+        location ~ ^/app\.php(/|$) {
             fastcgi_pass unix:/var/run/php5-fpm.sock;
             fastcgi_split_path_info ^(.+\.php)(/.*)$;
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             fastcgi_param HTTPS off;
+            # prevent explicit access and hide front controller
+            # remove "internal" directive if you want to allow uri's like
+            # http://domain.tld/app.php/some-path
+            internal;
         }
 
         error_log /var/log/nginx/project_error.log;
