
WebServer Configuration

Munir Njiru edited this page Nov 24, 2015 · 3 revisions

# Web Server Configuration

When implementing any version of OWASP Mth3l3m3nt Framework, a little housekeeping is required in the server configuration. Editing the configuration files to show the settings below is recommended for the host or virtual host, depending on the implementation. Key aspects include:

  • Deny listing of files
  • Allowing htaccess overrides
  • Allowing use of symlinks and includes; this especially affects routing in the application.

Sample Apache 2 Configuration

<Directory /var/www/>
    Options -Indexes +FollowSymLinks +Includes
    AllowOverride All
    # Apache 2.2 access control syntax (on 2.4 these two lines need mod_access_compat)
    Order allow,deny
    Allow from all
    # This is required for Apache 2.4.3 or higher; on a lower version remove this line.
    Require all granted
</Directory>
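
A small check for the three key aspects listed above, run against an Apache `<Directory>` block. This is an added example, not part of the OWASP Mth3l3m3nt Framework or this wiki; the function names and both sample configs are constructed for illustration, and a missing `AllowOverride` is treated as `None`, the Apache 2.4 default.

```python
import re

# Constructed sample inputs: the page's <Directory> block and a weaker variant.
PAGE_CONFIG = """<Directory /var/www/>
    Options -Indexes +FollowSymLinks +Includes
    AllowOverride All
    # 2.4 access control
    Require all granted
</Directory>"""
WEAK_CONFIG = """<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>"""

def parse_directory_blocks(text):
    """Map each <Directory> path to {directive (lowercase): [lowercase args]}."""
    blocks = {}
    pattern = r"<Directory\s+([^>]+)>(.*?)</Directory>"
    for path, body in re.findall(pattern, text, re.S | re.I):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):  # Apache comments are whole lines
                name, *args = line.lower().split()
                directives[name] = args
        blocks[path.strip().strip('"')] = directives
    return blocks

def audit(text):
    """Return (path, finding) pairs for the three aspects this page lists."""
    findings = []
    for path, d in parse_directory_blocks(text).items():
        opts = set(d.get("options", []))
        on = lambda name: bool({name, "+" + name, "all"} & opts)
        if on("indexes"):
            findings.append((path, "directory listing enabled"))
        elif "-indexes" not in opts and (not opts or any(o[0] in "+-" for o in opts)):
            # Only relative (+/-) options or none at all: the parent decides.
            findings.append((path, "directory listing inherited, not denied here"))
        if not on("followsymlinks"):
            findings.append((path, "FollowSymLinks not enabled"))
        if not on("includes"):
            findings.append((path, "Includes not enabled"))
        if d.get("allowoverride", ["none"]) != ["all"]:  # assumption: absent means None
            findings.append((path, ".htaccess overrides not fully allowed"))
    return findings

if __name__ == "__main__":
    for config in (PAGE_CONFIG, WEAK_CONFIG):
        print(audit(config) or "ok")
```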

Sample Nginx Configuration

server {
        listen 80;

        root /usr/share/nginx/html;
        index index.php index.html index.htm;

        server_name owasp.mth3l3m3ntframework.com;

        location / {
                try_files $uri /index.php?$query_string;
        }

        error_page 404 /404.html;

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
              root /usr/share/nginx/www;
        }

        # pass the PHP scripts to FastCGI server listening on /var/run/php5-fpm.sock
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }

}

Sample IIS Configuration

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Application" stopProcessing="true">
          <match url=".*" ignoreCase="false" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
          </conditions>
          <action type="Rewrite" url="index.php" appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration> 

Sample Lighttpd Configuration

$HTTP["host"] =~ "localhost$" {
    url.rewrite-once = ( "^/(.*?)(\?.+)?$"=>"/index.php/$1?$2" )
    server.error-handler-404 = "/index.php"
}