psi-4ward / docker-contao

Docker Container for Contao CMS

Insecure document root #2

Closed frostyandy2k closed 7 years ago

frostyandy2k commented 7 years ago

Due to the change in Contao 4, I cannot run the install tool because web is not the document root.

Apache serves /var/www, but Contao will not be happy unless only web/ is seen from outside.

# ll /var/www/
total 260K
drwxr-xr-x  3 apache apache 4.0K Jul  3 14:49 app
drwxr-xr-x 25 apache apache 4.0K Jul  3 15:04 assets
drwxr-xr-x  2 apache apache 4.0K Jul  3 14:49 bin
-rw-r--r--  1 apache apache   37 Jul  3 14:49 CHANGELOG.md
-rw-r--r--  1 apache apache 2.4K Jul  3 14:49 composer.json
-rw-r--r--  1 apache apache 201K Jul  3 14:49 composer.lock
drwxr-xr-x  2 apache apache 4.0K Jul  3 14:53 files
-rw-r--r--  1 apache apache   17 Dec 11  2016 index.php
-rw-r--r--  1 apache apache 2.3K Jul  3 14:49 README.md
drwxr-xr-x  7 apache apache 4.0K Jul  3 14:53 system
drwxr-xr-x  2 apache apache 4.0K Jul  3 14:53 templates
drwxr-xr-x  4 apache apache 4.0K Jul  3 14:21 var
drwxr-xr-x 41 apache apache 4.0K Jul  3 15:04 vendor
drwxr-xr-x  7 apache apache 4.0K Jul  3 15:05 web
drwxr-xr-x  6 apache apache 4.0K Jul  3 15:02 website

I tried creating a virtual host, but neither a2ensite nor a2enmod is available in your container. How did you manage to run it?

Also, there are no sites files. The apache2 folder is named httpd. However, all tutorials use: cp /etc/apache2/sites-available/default /etc/apache2/sites-available/example.com

Contao Error message:

What's the matter?

Your installation is not secure, because non-public resources are publicly available via HTTP.

How can I fix the issue?

Please set the document root to the web/ subfolder. This is usually done in the domain routing section of your server administration panel or in the vhosts file of your web server.

Tell me more, please

Contao 4 no longer relies on .htaccess files to protect folders and instead uses a public subfolder as document root. Anything above the document root must not be accessible via HTTP, otherwise anyone could download non-public resources including sensitive data such as configuration files.

psi-4ward commented 7 years ago

How did you start the container? Be sure to have the /var/www/compose.json from Contao 4 before you start. The container should adjust the DocumentRoot for you: https://github.com/psi-4ward/docker-contao/blob/master/rootfs/run-httpd#L4
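The DocumentRoot adjustment described above, as an added shell example that is not the project's own run-httpd script: it checks whether an httpd.conf already serves a Contao 4 web/ folder and, if not, repoints DocumentRoot and the matching <Directory> block. The config layout (quoted DocumentRoot, one matching Directory block) and the sample config are assumptions constructed to mirror the /var/www listing in this issue.

```shell
#!/bin/sh
# Added example, not the docker-contao project's own run-httpd script: inspect
# an Apache httpd.conf and move a Contao 4 DocumentRoot to the web/ subfolder.
# File layout and directive formatting are assumptions.

# Print the first DocumentRoot value in a config, without quotes or trailing slash.
document_root_of() {
    sed -n 's/^[[:space:]]*DocumentRoot[[:space:]][[:space:]]*//p' "$1" \
        | head -n 1 | tr -d '"' | sed 's/[[:space:]]*$//; s#/*$##'
}

# Succeed only when the document root is a Contao 4 web/ folder, i.e. nothing
# above it (composer.json, vendor/, app/) can be fetched over HTTP.
contao_docroot_is_secure() {
    case "$(document_root_of "$1")" in
        */web) return 0 ;;
        *)     return 1 ;;
    esac
}

# Point DocumentRoot and the matching <Directory> block at <root>/web.
# Writes to a temp file and renames, so a failed sed leaves the config intact.
fix_contao_docroot() {
    conf=$1
    root=$(document_root_of "$conf")
    [ -n "$root" ] || return 1
    contao_docroot_is_secure "$conf" && return 0
    sed "s#^\([[:space:]]*DocumentRoot[[:space:]]\).*#\1\"$root/web\"#; \
         s#<Directory \"\{0,1\}$root/\{0,1\}\"\{0,1\}>#<Directory \"$root/web\">#" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed sample config reproducing the issue: Apache serving /var/www itself.
write_sample_conf() {
    cat > "$1" <<'EOF'
ServerName localhost
DocumentRoot "/var/www"
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
EOF
}
```

Run `fix_contao_docroot /etc/httpd/httpd.conf` before starting httpd; it is idempotent, so running it on every container start is safe.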

frostyandy2k commented 7 years ago

Hi, I was probably doing something wrong or not copying the correct files. Thank you for your response, I will need some time to try it out thoroughly.

But now I understand how it works.