secure Xataface on Nginx without .htaccess ?


Ti Tou

Mar 11, 2017, 12:25:27 PM
to Xataface
Hello,

I want to use Xataface in production, but the system admin prefers to use Nginx (vs. Apache), and I think the .htaccess files don't work on Nginx.
I have no idea how to secure the app on an Nginx server without the .htaccess safety mechanism.


Today, I use this configuration "to try to improve security" on the Xataface app, i.e. storing as many of the files as possible outside htdocs to prevent direct access by URL:
  • the Xataface core directory and conf.db.ini (called by conf.ini) are on top of htdocs
  • the resources (images and css) are stored in the Xataface app directory
  • I added a symbolic link to Xatajax


For example, behind this URL http://xata_appABC.mydomain.com, there is :
/var/www (several web sites)
   |
   + xataface/ = __DATAFACE_PATH__ (xataface core, upgraded with "git pull")
   |
   + xata_appABC/
       |
       + conf.db.ini (with database login/pwd)
       |
       + htdocs = __DATAFACE_SITE_PATH__ (app)
           |
           / -----------------------------------------------
           /* it is a copy to correct an access error on resource files,
              because the Xataface core is on top of htdocs */
           + res/
           |   + css
           |   + images
           |   + jss
           |   + lang
           |   + modules
           |       + Datagrid
           |       + g2
           |       + Xatajax
           |       + iframecss
           / -----------------------------------------------
           /* the Xataface appABC config files */
           + conf.ini (except database login/pwd)
           + .htaccess (the first)
           + index.php
           + modules/ (app modules)
           |   + ckeditor
           |   + datepicker
           |   + depselect
           |   + g2
           |   + htmlreports
           |   + switch_user
           + tables/...
           + template_c/
           / -----------------------------------------------
           /* it is a copy to correct an access error */
           + xataface
               + modules
                   + Xatajax (symlink to __DATAFACE_PATH__/Xatajax)


1. Is there a better way to prevent direct web access to the source?

What are the best practices to set up?

2. And what if the Xataface app is installed on an Nginx server?

3. Do you have any feedback on similar configurations?



--
A.

Steve Hannah

Mar 13, 2017, 12:42:51 PM
to xata...@googlegroups.com
This is a good question as nginx is picking up a lot of steam.  I found this tool that would be useful for a conversion.

Ideally Xataface should have nginx support built in. The main thing you'll want is to block direct access to all .ini files, and also to upload directories, and templates_c. E.g. using the tool above, the nginx config for blocking .ini files is

    # nginx configuration
    location ~ \.ini$ {
        deny all;
    }

Steve

--
Steve Hannah
Web Lite Solutions Corp.

Ti Tou

Mar 22, 2017, 10:43:30 AM
to Xataface
Thanks for your help.

I had noticed with the upload directories that the history of uploaded files is stored in a hidden directory named .history.
This directory is also blocked with an .htaccess file.

I will try winginx.
