Commit graph

10 commits

Author SHA1 Message Date
ArthurHoaro
8a9796014c Reviewed Apache configuration
(in documentation)

For security purpose, block access to any static file not matching the list of allowed extensions.
It allows us to remove the specific retriction on dotfiles, and fix Apache part of #1608.
2020-11-08 13:13:13 +01:00
Christoph Stoettner
676571dab9 Workaround for hoster (ionos)
The hoster writes the environment variable with bearer token to
REDIRECT_HTTP_AUTHORIZATION and needs to provide RewriteBase / to
.htaccess
2020-09-29 12:15:04 +02:00
ArthurHoaro
6f199ee489
Merge pull request #1556 from kcaran/apache_methods 2020-09-22 11:45:58 +02:00
Keith Carangelo
4488ea4bb9 Added PATCH to the allowed Apache request methods. 2020-09-14 15:32:51 -04:00
nodiscc
91a21c2729 **General rewording, proof-reading, deduplication, shortening, reordering, simplification, cleanup/formatting/standardization**
- standardize page names, rework documentation structure, update TOC
- use same example paths everywhere
- level 1 titles on all pages
- fix broken links
- .md suffix on all page links (works both from readthedocs and github repository views)

**Server:**

A full and concise installation guide with examples is a frequent request. The documentation should provide such a guide for basic installation needs, while explaining alternative/advanced configuration at the end. Links to reference guides and documentation should be used more frequently to avoid recommending an outdated or excessively complex configuration.

- server: move most server-related info to server-configuration.md, cleanup/shorten
- server: update list of php dependencies/libraries, link to composer.json
- server: installation: support 3 install methods (from release zip, from sources, using docker)
- server: installation: use rsync instead of mv as mv results will change depending of taget directory already existing or not
- server: add example/basic usage of certbot
- server, upgrade, installation: update file permissions setup, use sudo for upgrade operations in webserver document root
- server: apache: add comments to configuration, fix and factorize file permissions setup, set cache-control header, deny access to dotfiles, add missing apache config steps, add http->https redirect example
- server: nginx: refactor nginx configuration, add comments, DO log access to denied/protected files
- server: add links to MDN for x-forwarded-* http headers explanation, cleanup/clarify robots.txt and crawlers section
- server: bump file upload size limit to 100MB we have reports of bookmark exports weighing +40MB - i have a 13MB one here
- server: simplify phpinfo documentation
- server: move backup and restore information to dedicated page
- docker: move all docker docs to Docker.md, simplify/ docker setup, add docker-compose.yml example, replace docker-101 with docker cheatsheet
- troubleshooting: move all troubleshooting documentation to troubleshooting.md

**Usage:**

- index: add getting started section on index page
- features/usage: move all usage-related documentation to usage.md, add links from the main feature list to corresponding usage docs, clarify/reword features list
- shaarli configuration: add note about configuring from web interface

**Removed:**

- remove obsolete/orphan images
- remove obsolete shaarchiver example
- remove outdated "decode datastore content" snippet

**Development:**

- development: move development-related docs (static analysis, CI, unit tests, 3rd party libs, link structure/directory, guidelines, security....) to dev/ directory
- development: Merge several pages to development.md
- **Breaking change?:** remove mentions of 'stable' branch, switch to new branch/release model (master=latest commit, release=latest tag)
- **Breaking change?:** refer to base sharing unit as "Shaare" everywhere (TODO: reflect changes in the code?) doc: update featues list/link to usage.md for details
- development: directory structure: add note about required file permissions
- .travis-ci.yml: add comments
- .htaccess: add comment
2020-09-12 14:31:45 +02:00
ArthurHoaro
8aca613b07 Use version condition in the root .htaccess
Related to #1196
2018-08-10 17:45:29 +02:00
ArthurHoaro
6410bf9670 API - Apache - Specify allowed HTTP method in .htaccess 2018-07-05 20:47:26 +02:00
VirtualTam
460cf03d67 httpd: always forward the 'Authorization' header
On some Apache HTTPD setups where the CGI/FastCGI mode is used, the HTTP header
containing the JWT token is not forwarded, which results in the following error
when attempting to use the REST API:

  "401 Not authorized: JWT token not provided"

This patch allows forwarding the 'Authorization' header. An alternative would
be to use the `CGIPassAuth` directive to allow all authorization headers to be
forwarded.

See:
- https://secure.php.net/manual/en/features.http-auth.php#114877
- https://stackoverflow.com/questions/26475885/authorization-header-missing-in-php-post-request
- https://stackoverflow.com/questions/13387516/authorization-header-missing-in-django-rest-framework-is-apache-to-blame
- https://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers
- https://httpd.apache.org/docs/2.4/en/mod/core.html#cgipassauth

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-03-22 22:23:41 +01:00
VirtualTam
cabf1b6bec htaccess: prevent accessing resources not managed by SCM
See:
- https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
- https://stackoverflow.com/questions/2530372/how-do-i-disable-directory-browsing
- https://httpd.apache.org/docs/current/mod/mod_rewrite.html

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-02-05 18:18:52 +01:00
ArthurHoaro
18e6796726 REST API structure using Slim framework
* REST API routes are handle by Slim.
  * Every API controller go through ApiMiddleware which handles security.
  * First service implemented `/info`, for tests purpose.
2016-12-15 10:36:00 +01:00