Security Discussion

keithy · January 7, 2019, 12:16am

I’m just a little surpirsed at how much stuff is in $_SERVER that I would never expect to be exposedin this way. Like the UI password.

Thoughts?

I was looking for a way to pass an environment variable in to phpfpm IF and Only if I am accessing the server from an authorised IP address. I would expect that decision making to be made in the web_server allow/deny stanzas. In apache I used a setenvif, nginx seems more difficult to persuade (doesnt look like my changes to ./cfg/vhost-gen/nginx.yml are being pick up to generate the site.conf). However it looks like a bunch of the stuff in _ENV / _SERVER could also use this kind of restriction.

So it looks like the php container has lots of things passed in to its environment.

One solution (that puts the responsibility of deciding in the wrong place) would be to add the valid IP address to the environment .env and have PHP check that REMOTE_ADDR matches that IP Address/range.
in .env

ALLOW_INTRANET=192.168.1.
ALLOW_KISTING=192.168.1.
ALLOW_INFO=192.168.1.

in code:

# Secure for a specific IP address/range
if (0 != strpos( $_SERVER['REMOTE_ADDR'] , $_SERVER['ALLOW_INFO'])) {
    echo "Info not authorised";
    exit;
}
phpinfo();

cytopia · January 7, 2019, 5:28pm

It’s tough to find a good way here. When using the intranet (DEVILBOX_UI_ENABLE=1) it does require the information about the password, how else could it validate. I haven’t found a different solution yet, to parse values to PHP-FPM/HTTPD

I guess you figured it out.

keithy:

One solution (that puts the responsibility of deciding in the wrong place) would be to add the valid IP address to the environment .env and have PHP check that REMOTE_ADDR matches that IP Address/range.
in .env
ALLOW_INTRANET=192.168.1.
ALLOW_KISTING=192.168.1.
ALLOW_INFO=192.168.1.

Possible solution. Only issue I see with this approach is that there are so many different private IP address ranges: 10.X.X.X, 192.X.X.X, 172.X.X.X, 127.X.X.X, wo knows what the current CI system (for nightly checks) is using and then there’s IPv6 as well. It should work right out of the box without too much configuration. I’ve also seen it hosted on the internet. Currently you can already disable the intranet via .env

As far as I know PHP will be able to read env variables via getenv('var');

Other stuff that pops to my mind is to prefix all .env variables with DVL_ for example and only make them available to the default vhost somehow. Then integrate a methods to allow for custom env vars per vhost.

cytopia · January 10, 2019, 8:38am

FYI: This has been fixed now and merged into master.

Topic		Replies	Views
Enabling/Disabling Community Discussions	10	1197	August 19, 2019
Hide folder on vhost.php and proxy	0	138	June 7, 2023
Intranet: showing vhost-gen and vhost.conf configs Announcements	2	682	December 27, 2019
How to add environment variables per site?	0	321	August 29, 2020
Nginx won't produce any access or error logs	2	839	December 12, 2019

Security Discussion

Related Topics