WebServer Configuration
Munir Njiru edited this page Nov 24, 2015
·
3 revisions
# Web Server Configuration

When implementing any version of OWASP Mth3l3m3nt Framework, a little housekeeping is required on the web server. Editing the configuration of the host or virtual host (depending on the implementation) to match the settings shown below is recommended. Key aspects include:
- Deny listing of files
- Allowing htaccess overrides
- Allowing the use of symlinks and includes; this especially affects routing in the application.
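# Apache httpd: options and access control for the web root.
# NOTE(review): this block covers all of /var/www/. If the framework lives in a
# subdirectory, scoping the block to that directory keeps AllowOverride All and
# +Includes from applying to unrelated content.
<Directory /var/www/>
    # -Indexes        : no auto-generated directory listings.
    # +FollowSymLinks : symbolic links inside this directory are followed.
    # +Includes       : server-side includes (mod_include) are permitted.
    Options -Indexes +FollowSymLinks +Includes
    # .htaccess files may override every directive allowed in that context, so
    # anyone able to write under this directory can change how it is served.
    AllowOverride All
    # 2.2-style access control; on Apache 2.4 these two lines are handled by
    # mod_access_compat.
    Order allow,deny
    Allow from all
    # This is required for apache 2.4.3 or higher; if lower version remove this line.
    # The comment sits on its own line because httpd does not accept a comment
    # on the same line as a directive.
    # NOTE(review): this admits every client; restrict by network if the
    # framework is not meant to be publicly reachable.
    Require all granted
</Directory>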
# nginx virtual host: front-controller routing, with PHP handled by PHP-FPM over a unix socket.
# No autoindex directive is set here; nginx directory listing is off by default.
server {
# Plain HTTP only; this block defines no TLS listener.
# NOTE(review): add a TLS listener if the host is reachable beyond a trusted network.
listen 80;
root /usr/share/nginx/html;
index index.php index.html index.htm;
server_name owasp.mth3l3m3ntframework.com;
# Serve the requested file when it exists; otherwise route the request,
# with its query string, to index.php.
location / {
try_files $uri /index.php?$query_string;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
# The 50x page is read from a different root than the rest of the site.
location = /50x.html {
root /usr/share/nginx/www;
}
# pass the PHP scripts to FastCGI server listening on /var/run/php5-fpm.sock
location ~ \.php$ {
# Answer 404 unless the .php URI maps to an existing file, so only scripts
# that exist under root are handed to PHP-FPM.
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
# Tell PHP-FPM which file to run: the document root plus the script name.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
<?xml version="1.0" encoding="UTF-8"?>
<!-- IIS web.config: sends requests that match no file or directory to index.php.
     The rewrite section depends on the IIS URL Rewrite module being installed. -->
<!-- NOTE(review): directory browsing is not configured in this file; confirm it
     is disabled in IIS to match the "Deny listing of files" requirement. -->
<configuration>
<system.webServer>
<rewrite>
<rules>
<!-- stopProcessing="true": no later rewrite rules run once this rule matches. -->
<rule name="Application" stopProcessing="true">
<!-- Matches every URL; the conditions below narrow the rule. -->
<match url=".*" ignoreCase="false" />
<!-- MatchAll with negate="true" on both: the rule fires only when the path is
     neither an existing file nor an existing directory. -->
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
</conditions>
<!-- Rewrite to the front controller and keep the original query string. -->
<action type="Rewrite" url="index.php" appendQueryString="true" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
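# lighttpd: route requests for the matching host through index.php.
# NOTE(review): "localhost$" is a regular expression that matches any Host value
# ending in "localhost"; replace it with the deployment's own host name.
$HTTP["host"] =~ "localhost$" {
    # Rewrite the path (and optional query string) onto the front controller.
    url.rewrite-once = ( "^/(.*?)(\?.+)?$"=>"/index.php/$1?$2" )
    # Requests that would otherwise 404 are also handled by index.php.
    server.error-handler-404 = "/index.php"
}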
Developed by Munir Njiru