Re: httpd error.log

Hi Paul!

> Am 02.09.2022 um 14:52 schrieb Paul Pace <paul@mostlybsd.com>:
>
> On 2022-09-01 13:20, Mike Fischer wrote:
>>> Am 01.09.2022 um 21:49 schrieb latincom@vcn.bc.ca:
>>>>> Am 01.09.2022 um 11:13 schrieb latincom@vcn.bc.ca:
>>>>> historia.agroena.org
>>>> Right, try something like this and watch the error.log:
>>>> curl --url 'https://historia.agroena.org/i-dont-exist.php' >/dev/null
>>>> HTH
>>>> Mike
>>> ok now:
>>> first i stop http rcctl stop httpd, then deleted error.log; and rcctl
>>> restart http! It is working correctly.
>>> thanks Mike
>> Not sure how that (or my advice for a test) would help, but I'm glad it did :-)
>>> PS:
>>> Dokuwiki was working ok, but after the test, the browser says "file not
>>> found" and i am not able to access install.php! i did first # rcctl enable
>>> php74_fpm and rcctl start php74_fpm the httpd.con says root "www/dokuwiki"
>>> directly using consultores.ca/install.php!
>> root "www/dokuwiki" does not sound right. Are you using the standard
>> /var/www/dokuwiki directory for DW? If so it should be:
>> root "/dokuwiki"
>> Here is a similar setup I am using with DW from ports (Hogfather):
>> server "wiki.example.com" {
>> listen on $my_ipv6 tls port 443
>> tls {
>> certificate "/etc/ssl/acme/fullchain.pem"
>> key "/etc/ssl/acme/private/privkey.pem"
>> }
>> log style combined
>> authenticate "Private area" with "/conf/htpasswd-admin"
>> root "/dokuwiki"
>> directory index doku.php
>> connection max request body 2097152 # Default is 2M for
>> upload_max_filesize and 8M for post_max_size.
>> location "*.php" {
>> fastcgi socket "/run/php-fpm.sock"
>> }
>> location "/*.inc" { block }
>> location "/*.ht*" { block }
>> location "/data/*" { block }
>> location "/conf/*" { block }
>> location "/bin/*" { block }
>> location "/inc/*" { block }
>> location "/vendor/*" { block }
>
> The DokuWiki security page[1] states:
>
> The following directories should not be accessible from the web:
>
> data
> conf
> bin
> inc (isn't dangerous when accessible, though)
> vendor (leaks info about your environment)
>
>
> And httpd.conf(5)[2] states:
>
>> In case of multiple location statements in the same context, the first matching location statement will be put into effect, while all later ones will be ignored. Therefore it is advisable to match for more specific paths first and for generic ones later on.
>
> In regards to the current configuration, I believe the matches that pass should be last and matches that block directories should be listed first. Or, alternatively, and better, would be to figure out exactly which .php files are required for the package to run, then make a location rule for each file (unless someone can figure out how to make something the equivalent of a logical or statement (regex: (this|that)) in a single location or location match block to have each of the required .php files pass.
>
> When I read the configuration, it appears in the reverse order of what is recommended by DokuWiki, so in the above configuration a request for:
>
> https://wiki.example.com/data/acl.auth.php
>
> will be passed to php-fpm.sock because that will be matched by the first location. I have no idea the damage to be done with this or other files, but it is against the security guidance of the project.
>
> It seems like the correct order should be to have the following order of locations:
>
> location "/*.inc" { block }
> location "/*.ht*" { block }
> location "/data/*" { block }
> location "/conf/*" { block }
> location "/bin/*" { block }
> location "/inc/*" { block }
> location "/vendor/*" { block }
> location "*.php" {
> fastcgi socket "/run/php-fpm.sock"
> }
>
> However, I have not tested this.

I just did test this and you are absolutely correct! Thanks for pointing that out. I had missed this in httpd.conf(5). I'll change all of my configs accordingly.


Mike