Jump to content

neildarlow

Members
  • Posts

    4
  • Joined

  • Last visited

Everything posted by neildarlow

  1. Hi, Can I bring up a little issue that might be problematic regarding the fact that ProcessWire is licensed under the GPL Version 2. This has implications for things like extensions in that the GPL may require them also to be distributed under the same license. The GPL affords users rights in how they use the software and permits them to enhance and, more importantly, re-distribute those enhancements. This is fundamentally at odds with making extensions commercially licensed and I would suggest that you clarify the position with the Free Software Foundation (Bradley Kuhn is a good contact for this). I should also mention that introducing commercial extensions to ProcessWire may tempt others to do things like obfuscate code or require the use of module loaders to protect the commercialism of their extensions. If the GPL applies to extensions through ProcessWire then this is totally at odds with that license. The introduction of commercial extensions to ProcessWire has inadvertently changed the nature of the project. Although you describe ProcessWire as Open Source it was actually provided under a Free Software license (there is a distinction) and now that statement only applies to the ProcessWire core and not these commercially licensed extensions. I am in no way against people making money from Free Software/Open Source but it is important to realise that, when commercialism enters into a project, sometimes the initial choice of a Free Software license is not appropriate. Regards, Neil Darlow
  2. @k07n: Yes. If you set your permissions correctly on the webserver, apply the HTTP_MOD_REWRITE parameter and copy htaccess.txt to .htaccess then the only warning you receive from the installer is that it can't determine the server software version but it may be possible to continue (which it is!). I should also add that I didn't include: fastcgi_intercept_errors on; in my server configuration block. I have this in my NGiNX http block as a global switch. @netcarver: Thank you for the kind words. I may not post frequently but I try to make what I write useful to others. Regards, Neil Darlow
  3. Hi, This is a complete server configuration block for NGiNX communicating with php-fpm. There are a few things that will require customisation: server_name root access_log and error_log fastcgi_pass - socket or TCP specification configuration blocks relating to 40x and 50x error handling Note the use of fastcgi_param HTTP_MOD_REWRITE On; which quiets an installer error about requiring mod_rewrite. You might also want to copy htaccess.txt to .htaccess in the ProcessWire top-level directory. server { listen 80 default_server; server_name localhost localhost.localdomain; index index.php index.html; root /var/www/html; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log notice; default_type application/x-php; ### SECURITY - Protect crucial files location ~ /\. { deny all; } location ~ /(COPYRIGHT|LICENSE|README|htaccess)\.txt { deny all; } location ~ ^/site(-[^/]+)?/assets/(.*\.php|backups|cache|config|install|logs|sessions) { deny all; } location ~ ^/site(-[^/]+)?/install { deny all; } location ~ ^/(site(-[^/]+)?|wire)/(config(-dev)?|index\.config)\.php { deny all; } location ~ ^/((site(-[^/]+)?|wire)/modules|wire/core)/.*\.(inc|module|php|tpl) { deny all; } location ~ ^/(site(-[^/]+)?|wire)/templates(-admin)?/.*\.(inc|html?|php|tpl) { deny all; } ### GLOBAL REWRITE location / { try_files $uri $uri/ /index.php?it=$uri&$args; } # pass the PHP scripts to FastCGI server on local socket # location ~ .+\.php((/|\?).*)?$ { fastcgi_pass unix:/run/php-fpm/php-fpm.sock; fastcgi_index index.php; fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param HTTP_MOD_REWRITE On; include fastcgi_params; } # redirect server error pages to the static page /40x.html # error_page 404 /404.html; location = /40x.html { root /usr/share/nginx/html; } # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } In the php-fpm configuration you need to specify unix socket or TCP connection parameters and possibly the chdir setting. These are distribution-dependent values and you will need to determine the correct values for your scenario. My configuration is as follows: ; The address on which to accept FastCGI requests. ; Valid syntaxes are: ; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on ; a specific port; ; 'port' - to listen on a TCP socket to all addresses on a ; specific port; ; '/path/to/unix/socket' - to listen on a unix socket. ; Note: This value is mandatory. ;listen = 127.0.0.1:9000 listen = /run/php-fpm/php-fpm.sock ; Set permissions for unix socket, if one is used. In Linux, read/write ; permissions must be set in order to allow connections from a web server. Many ; BSD-derived systems allow connections regardless of permissions. ; Default Values: user and group are set as the running user ; mode is set to 0666 listen.owner = nginx listen.group = nginx listen.mode = 0660 ; Chdir to this directory at the start. This value must be an absolute path. ; Default Value: current directory or / when chroot chdir = /var/www/html Please note that I researched these configurations and the preceeding security configuration from original documentation. I did not rely on howtos available on the Internet. Each has been carefully implemented and undergone significant testing before going into production. Regards, Neil Darlow
  4. Hi, I use ProcessWire under NGiNX on both FreeBSD for production and Fedora for development. My security configuration is as follows: ### SECURITY - Protect crucial files location ~ /\. { deny all; } location ~ /(COPYRIGHT|LICENSE|README|htaccess)\.txt { deny all; } location ~ ^/site(-[^/]+)?/assets/(.*\.php|backups|cache|config|install|logs|sessions) { deny all; } location ~ ^/site(-[^/]+)?/install { deny all; } location ~ ^/(site(-[^/]+)?|wire)/(config(-dev)?|index\.config)\.php { deny all; } location ~ ^/((site(-[^/]+)?|wire)/modules|wire/core)/.*\.(inc|module|php|tpl) { deny all; } location ~ ^/(site(-[^/]+)?|wire)/templates(-admin)?/.*\.(inc|html?|php|tpl) { deny all; } I can share rewriting and php-fpm configuration also if required. Regards, Neil Darlow
×
×
  • Create New...