View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
4982 | Composr | core | public | 2022-10-20 20:28 | 2022-10-20 20:34 |
Reporter | Chris Graham | Assigned To | Guest | ||
Priority | normal | Severity | feature | ||
Status | new | Resolution | open | ||
Summary | 4982: Maximise parity of web server configuration recommendations | ||||
Description | For Apache we have recommended.htaccess and .htaccess files strewn around for optimal configuration. Apache is our only fully supported web server software, and this is not set to change. But we can try and be more helpful for users of other web server software. None of the .htaccess file stuff currently done for Apache is actually NEEDED, but it adds another layer of security, better caching, etc.

RECOMMENDED.HTACCESS:
Go through all our recommended.htaccess and write up good default configurations that mirror as much as possible for:
- LiteSpeed (should be compatible already, but check what is supported on https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config and see if we can tweak to be more compatible)
- IIS (we already have web.config, enhance it as much as possible)
- Nginx (see 4981 for rewrite rules, otherwise we need to provide more details for the example config)
Some stuff will be Apache-specific in the sense we would not need to mirror it for another server.
Document what we'd like to do but can't for whatever manual configuration would need doing by hand.

STREWN FILES:
Broadly approach as follows:
- LiteSpeed: check compatibility again and tweak if possible
- IIS: make a new command-line tool (should not run over web interface), /build_iis_config.php. This should traverse the directory structure, recognising .htaccess files by hash and outputting web.config files to sit alongside them. Document the tool.
- Nginx: make a new command-line tool (should not run over web interface), /build_nginx_config.php. This should traverse the directory structure, recognising .htaccess files by hash and outputting config rules for adding to the main nginx config in addition to the rules coming from the documented config. Document the tool.
Some stuff will be Apache-specific in the sense we would not need to mirror it for another server.
Document what we'd like to do but can't for whatever manual configuration would need doing by hand. | ||||
Additional Information | These are what the individual .htaccess files do...

Many files strewn around:
- Completely block all HTTP requests

uploads/*/.htaccess:
- Disable any kind of server-side CGI/scripting via blocking handlers
- Disable JavaScript etc via HTTP headers

data*/images/.htaccess, uploads/.htaccess:
- Long-life cache settings for non-changing files (images)

themes/*/images*/.htaccess:
- Disable any kind of server-side CGI/scripting via blocking handlers
- Disable JavaScript etc via HTTP headers
- Long-life cache settings for non-changing files (images)

themes/*/templates_cached/.htaccess:
- Disable any kind of server-side CGI/scripting via blocking handlers
- Long-life cache settings for non-changing files (CSS/JS)
- Serve pre-compressed CSS/JS files if they exist and the client accepts Gzip or Brotli

data_custom/.htaccess:
- Block specific patterns of log and config files [already mirror for IIS in web.config, but would be better moved to be a dedicated web.config in the data_custom directory] | ||||
Tags | No tags attached. | ||||
Time estimation (hours) | 12 | ||||
Sponsorship open | |||||
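
One way the hash-recognition step of the proposed /build_nginx_config.php could work, as an added example that is not Composr code. The .htaccess bodies, the profile names, the choice of a Content-Security-Policy header and the directory names are all constructed assumptions.

```php
<?php
// Added example, not Composr code. CLI only, as the issue asks.
if (PHP_SAPI !== 'cli') { exit("Run from the command line\n"); }
// Constructed stand-ins for stock .htaccess bodies; a real tool would ship
// a table of hashes taken from the files in each release.
$stock = [
    'deny_all'  => "Require all denied\n",
    'no_script' => "SetHandler default-handler\nHeader set Content-Security-Policy \"script-src 'none'\"\n",
];
// Assumed nginx equivalents. The "^~" location emitted below already stops
// regex locations (e.g. a PHP FastCGI handler) from matching in that directory.
$nginx = [
    'deny_all'  => 'deny all;',
    'no_script' => "add_header Content-Security-Policy \"script-src 'none'\";",
];
$known = array_flip(array_map(fn($body) => hash('sha256', $body), $stock));

function build_nginx_rules(string $root, array $known, array $nginx): array
{
    $out = ['rules' => [], 'unrecognised' => []];
    $walker = new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS);
    foreach (new RecursiveIteratorIterator($walker) as $file) {
        if ($file->getFilename() !== '.htaccess') { continue; }
        $dir = str_replace('\\', '/', substr($file->getPath(), strlen($root)));
        $hash = hash_file('sha256', $file->getPathname());
        if (!isset($known[$hash])) {
            // Locally edited file: do not guess, flag it for manual conversion.
            $out['unrecognised'][] = "$dir/.htaccess";
            continue;
        }
        $out['rules'][] = "location ^~ $dir/ {\n    {$nginx[$known[$hash]]}\n}";
    }
    sort($out['rules']);
    return $out;
}
// Demo on a throwaway tree; directory names are constructed.
$root = sys_get_temp_dir() . '/htaccess_parity_' . getmypid();
$tree = [
    '/example_private'   => $stock['deny_all'],
    '/uploads/example_a' => $stock['no_script'],
    '/uploads/example_b' => $stock['no_script'] . "# local tweak\n",
];
foreach ($tree as $dir => $body) {
    mkdir($root . $dir, 0700, true);
    file_put_contents("$root$dir/.htaccess", $body);
}
$result = build_nginx_rules($root, $known, $nginx);
echo implode("\n", $result['rules']), "\n";
fwrite(STDERR, 'Convert by hand: ' . implode(', ', $result['unrecognised']) . "\n");
```

nginx inherits `add_header` directives from the enclosing level only when the current level defines none, so any headers set at server level must be repeated inside a generated location block that sets its own.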
Date Modified | Username | Field | Change |
---|---|---|---|
2022-10-20 20:28 | Chris Graham | New Issue | |
2022-10-20 20:29 | Chris Graham | Relationship added | related to 4981 |
2022-10-20 20:34 | Chris Graham | Additional Information Updated |