Add Apache 2.4 access control Require directives

Postby peternowee » 12 May 2016, 17:03

Attachments
0001-Add-Apache-2.4-access-control-Require-directives.patch

Postby fox » 12 May 2016, 17:48

tbh i'm not sure if those files should be there in the first place

for example i've ditched apache years ago and they do nothing for me

the fact that they decided to ditch backwards compatibility in their overbloated slow-ass http daemon is kind of a last straw in a way

e: to elaborate, .htaccess is a shit way to ensure any kind of security because it's specific to one server, may fail silently even on apache, and is a no-op on any other httpd i'm aware of. luckily, the way tt-rss generates temporary and cache files, makes it somewhat hard to download anything meaningful anyway, so it's mostly a moot point.

so the two ways of fixing this properly would be either checking accessibility of some files in cache directories over httpd in preferences and nagging people to fix their shit (i.e. how owncloud does it) or just canning the .htaccess anyway because in the end it's a crutch which only provides false sense of security for people who don't know any better.
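
The accessibility check described in the post above, as an added example that is not part of the original post or of tt-rss: it writes a random-token probe into each directory, fetches it over HTTP, and treats a returned token as exposure. The directory list, probe file name and sample config.php are constructed; the demo serves the tree with Python's http.server, which ignores .htaccess the way any non-Apache httpd does.

```python
import functools, http.server, pathlib, secrets, tempfile, threading
import urllib.error, urllib.request

# Ignore proxy environment variables so local checks go straight to the server.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch(url):
    """Return the response body, or None when the server refuses (403, 404, ...)."""
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.read()
    except urllib.error.URLError:
        return None

def exposed(docroot, base_url, dirs=("cache", "lock")):
    """List paths under docroot that the web server hands out over HTTP."""
    docroot, found = pathlib.Path(docroot), []
    for d in dirs:
        token = secrets.token_hex(16)
        probe = docroot / d / f"probe-{token}.txt"  # constructed probe name
        probe.write_text(token)
        try:
            body = fetch(f"{base_url}/{d}/{probe.name}")
        finally:
            probe.unlink()
        if body is not None and token.encode() in body:
            found.append(d)
    # config.php only leaks when the server returns PHP source instead of running it.
    body = fetch(f"{base_url}/config.php")
    if body is not None and b"<?php" in body:
        found.append("config.php")
    return found

def demo():
    """Constructed install served by http.server, which does not read .htaccess."""
    with tempfile.TemporaryDirectory() as root:
        root = pathlib.Path(root)
        for d in ("cache", "lock"):
            (root / d).mkdir()
            (root / d / ".htaccess").write_text("Require all denied\n")
        (root / "config.php").write_text("<?php define('DB_PASS', 'example'); ?>\n")
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(root))
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return exposed(root, f"http://127.0.0.1:{srv.server_port}")
        finally:
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    print(demo())
```

Against a real install, call `exposed()` with the install path and its public URL; an empty list means none of the probed paths came back over HTTP.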

Postby peternowee » 12 May 2016, 18:37

Those are more general decisions that could have been made earlier, but were not. As long as the .htaccess files are there, would my patch not be an improvement?

Postby fox » 12 May 2016, 19:26

this is software development, not religious dogma

if something was added doesn't mean it's going to be here forever just because of it

since you brought this up, now might be the time to rethink those files' presence in trunk instead of mindlessly updating them to w/e syntax apache decides on every time

Postby peternowee » 13 May 2016, 00:11


Postby JustAMacUser » 13 May 2016, 00:19

I think Apache's best days are behind it; Nginx is a solid, out-of-the-box fast solution. It's also much easier to configure.

That being said, .htaccess files don't take up a lot of space and they do tell everyone what parts of the install should be blocked (even if TT-RSS doesn't have any huge concerns in that area).

If you're going to remove them, I'd recommend updating the readme file to include recommendations for which directories to restrict access. (After all, it never hurts to limit access if it's not publicly needed, and it follows the least privileges philosophy.)

Postby fox » 13 May 2016, 07:51

adding to README (and wiki installation guide) sounds like a good idea, also i'm not sure why are you taking stuff personally, op. chill.

Postby fox » 13 May 2016, 09:09

https://tt-rss.org/gitlab/fox/tt-rss/wi ... irectories

as of aa4ab8e .htaccess files are no longer in trunk.

Postby peternowee » 13 May 2016, 10:04

That Wiki page now covers only the cache directory. How about the other files and directories that were covered by .htaccess files (config.php, classes, locale, lock, schema, templates, utils)?

Postby fox » 13 May 2016, 10:51

arguably only config.php needs any special treatment (and only in one specific case where your server is malfunctioning so hard it just allows everyone to download .php files as plain text)

i looked over everything else and in my opinion forbidding access to anything else is not necessary, .htaccess files there were not really needed in the first place

e: updated the wiki page

Postby peternowee » 13 May 2016, 11:20

Ok, thanks.

Postby peternowee » 13 May 2016, 14:42


Postby fox » 13 May 2016, 15:17

fair enough, i can update the wiki to use that syntax
