Security Discussion


#1

I’m just a little surprised at how much stuff is in $_SERVER that I would never expect to be exposed in this way. Like the UI password.

Thoughts?

I was looking for a way to pass an environment variable in to phpfpm if and only if I am accessing the server from an authorised IP address. I would expect that decision making to be made in the web_server allow/deny stanzas. In Apache I used a setenvif; nginx seems more difficult to persuade (it doesn't look like my changes to ./cfg/vhost-gen/nginx.yml are being picked up to generate the site.conf). However it looks like a bunch of the stuff in _ENV / _SERVER could also use this kind of restriction.

So it looks like the php container has lots of things passed in to its environment.

One solution (that puts the responsibility of deciding in the wrong place) would be to add the valid IP address to the environment .env and have PHP check that REMOTE_ADDR matches that IP Address/range.
in .env

ALLOW_INTRANET=192.168.1.
ALLOW_KISTING=192.168.1.
ALLOW_INFO=192.168.1.

in code:

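# Secure for a specific IP address/range
# strpos() returns false when the prefix is absent; the strict !== is needed
# because the loose 0 != false is false and would let unmatched addresses through.
if (0 !== strpos( $_SERVER['REMOTE_ADDR'] , $_SERVER['ALLOW_INFO'])) {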
    echo "Info not authorised";
    exit;
}
phpinfo();

#2

It’s tough to find a good way here. When using the intranet (DEVILBOX_UI_ENABLE=1) it does require the information about the password, how else could it validate? I haven’t found a different solution yet, to parse values to PHP-FPM/HTTPD.

I guess you figured it out.

Possible solution. Only issue I see with this approach is that there are so many different private IP address ranges: 10.X.X.X, 192.X.X.X, 172.X.X.X, 127.X.X.X, who knows what the current CI system (for nightly checks) is using, and then there’s IPv6 as well. It should work right out of the box without too much configuration. I’ve also seen it hosted on the internet. Currently you can already disable the intranet via .env

As far as I know PHP will be able to read env variables via getenv('var');

Other stuff that pops to my mind is to prefix all .env variables with DVL_ for example and only make them available to the default vhost somehow. Then integrate a method to allow for custom env vars per vhost.
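
An added example, not part of either post above and not the project's code: the REMOTE_ADDR check from #1 done with CIDR matching instead of a string prefix, so that the several private ranges and IPv6 raised in #2 fit in one allow list. The comma-separated CIDR format for ALLOW_INFO and the function names ipInCidr and isAllowed are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// True if $ip lies inside $cidr (IPv4 or IPv6); false on any parse error.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton((string) $net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed input, or IPv4 compared against IPv6
    }
    $max  = strlen($ipBin) * 8;          // 32 for IPv4, 128 for IPv6
    $bits = $bits ?? (string) $max;      // bare address means a single host
    if (!ctype_digit($bits) || (int) $bits > $max) {
        return false;                    // reject "/abc", "/-1", "/33" on IPv4
    }
    $full = intdiv((int) $bits, 8);      // whole bytes that must match exactly
    $rem  = (int) $bits % 8;             // leftover bits in the next byte
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

// Assumed format: comma-separated CIDRs. An empty or unset list denies all.
function isAllowed(string $remoteAddr, string $allowList): bool
{
    foreach (array_filter(array_map('trim', explode(',', $allowList))) as $cidr) {
        if (ipInCidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Constructed sample values, not taken from a real deployment.
$allow = '192.168.1.0/24, 10.0.0.0/8, 172.16.0.0/12, 127.0.0.0/8, ::1/128, fd00::/8';
$tests = ['192.168.1.20', '192.168.10.20', '172.31.4.4', '172.32.0.1',
          '::1', 'fd12::5', '2001:db8::1', 'bogus'];
foreach ($tests as $addr) {
    printf("%-15s %s\n", $addr, isAllowed($addr, $allow) ? 'allow' : 'deny');
}

// In a page guard (ALLOW_INFO as in the .env lines from #1):
// if (!isAllowed($_SERVER['REMOTE_ADDR'] ?? '', getenv('ALLOW_INFO') ?: '')) { http_response_code(403); exit; }
```

When PHP-FPM sits behind a reverse proxy, REMOTE_ADDR is the proxy's address, so this check is only meaningful where the web server passes the real client address through.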


#3

FYI: This has been fixed now and merged into master.