Fix single tick page. Fix nginx root configs. Add apache configs.

2025-06-11 18:31:08 -04:00 · 2025-06-11 18:31:08 -04:00 · 4fd9315f06
commit 4fd9315f06
parent 6852eaa35e
9 changed files with 206 additions and 87 deletions
--- a/examples/README.md
+++ b/examples/README.md
--- a/examples/apache/root/.htaccess
+++ b/examples/apache/root/.htaccess
@ -0,0 +1,59 @@
+# Enable mod_rewrite
+RewriteEngine On
+
+# Security headers
+# The first rule is to prevent including in a frame on a different domain.
+# Remove it if you want to do that.
+Header always set X-Frame-Options "SAMEORIGIN"
+Header always set X-XSS-Protection "1; mode=block"
+Header always set X-Content-Type-Options "nosniff"
+
+# Directory index
+# (Not actually used because everything gets handled by a rewrite rule
+# , but I'm keeping it for clarity about what's going on.)
+DirectoryIndex index.php
+
+# Deny access to hidden files (e.g. .htaccess)
+<FilesMatch "^\.">
+    Require all denied
+</FilesMatch>
+
+# Cache static files (excluding css/custom which goes through PHP)
+# Note that I don't actually serve most of this (just css)
+# but this prevents requests for static content from getting to the PHP handler.
+#
+# The /css/custom directory is excluded from this in a RewriteCond below:
+#     RewriteCond %{REQUEST_URI} !^/tkr/css/custom/
+#
+# Those requests are handled by the PHP app to serve custom css
+<FilesMatch "\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$">
+    ExpiresActive On
+    ExpiresDefault "access plus 1 year"
+    Header set Cache-Control "public, max-age=31536000, immutable"
+</FilesMatch>
+
+# Process PHP files
+<FilesMatch "\.php$">
+    SetHandler application/x-httpd-php
+</FilesMatch>
+
+# Skip rewriting if already in /tkr/public/ (prevents infinite loops)
+RewriteRule ^tkr/public/ - [L]
+
+# Block direct access to all .php files 
+# but allow internal rewrites to index.php
+RewriteCond %{THE_REQUEST} \.php [NC]
+RewriteRule ^.*\.php$ - [R=404,L]
+
+# Block access to sensitive directories
+RewriteRule ^(storage|src|templates|uploads|config)(/.*)?$ - [F,L]
+
+# If it's a static file that exists in /tkr/public, serve it directly
+# (but exclude css/custom which should go through PHP)
+RewriteCond %{REQUEST_URI} !^/css/custom/
+RewriteCond %{DOCUMENT_ROOT}/tkr/public%{REQUEST_URI} -f
+RewriteRule ^(.*)$ /tkr/public/$1 [L]
+
+# Send everything else to the front controller
+# (/tkr/public/index.php)
+RewriteRule ^.*$ /tkr/public/index.php [L]
--- a/examples/apache/subfolder/.htaccess
+++ b/examples/apache/subfolder/.htaccess
@ -0,0 +1,61 @@
+# Enable mod_rewrite
+RewriteEngine On
+
+# Security headers
+# The first rule is to prevent including in a frame on a different domain.
+# Remove it if you want to do that.
+Header always set X-Frame-Options "SAMEORIGIN"
+Header always set X-XSS-Protection "1; mode=block"
+Header always set X-Content-Type-Options "nosniff"
+
+# Directory index
+DirectoryIndex index.php
+
+# Deny access to hidden files (e.g. .htaccess)
+<FilesMatch "^\.">
+    Require all denied
+</FilesMatch>
+
+# Cache static files (excluding css/custom which goes through PHP)
+# Note that I don't actually serve most of this (just css)
+# but this prevents requests for static content from getting to the PHP handler.
+#
+# The /css/custom directory is excluded from this in a RewriteCond below:
+#     RewriteCond %{REQUEST_URI} !^/tkr/css/custom/
+#
+# Those requests are handled by the PHP app to serve custom css
+<FilesMatch "\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$">
+    ExpiresActive On
+    ExpiresDefault "access plus 1 year"
+    Header set Cache-Control "public, max-age=31536000, immutable"
+</FilesMatch>
+
+# Process PHP files
+<FilesMatch "\.php$">
+    SetHandler application/x-httpd-php
+</FilesMatch>
+
+# Skip rewriting if already in /tkr/public/ (prevents infinite loops)
+RewriteRule ^tkr/public/ - [L]
+
+# Block direct access to all .php files 
+# but allow internal rewrites to index.php
+RewriteCond %{THE_REQUEST} \.php [NC]
+RewriteRule ^.*\.php$ - [R=404,L]
+
+# Block access to sensitive directories under /tkr
+RewriteRule ^tkr/(storage|src|templates|uploads|config)(/.*)?$ - [F,L]
+
+# Handle /tkr requests
+# (keep the path after /tkr for the next directive)
+RewriteCond %{REQUEST_URI} ^/tkr(/.*)?$
+
+# If it's a static file that exists in /tkr/public, serve it directly
+# (e.g. /tkr/public/css/tkr.css)
+RewriteCond %{REQUEST_URI} !^/tkr/css/custom/
+RewriteCond %{DOCUMENT_ROOT}/tkr/public%1 -f
+RewriteRule ^tkr(/.*)?$ /tkr/public$1 [L]
+
+# Send everything else to the front controller
+# (/tkr/public/index.php)
+RewriteRule ^tkr(/.*)?$ /tkr/public/index.php [L]
--- a/examples/nginx/docker-compose.yml
+++ b/examples/nginx/docker-compose.yml
@ -1,33 +0,0 @@
-services:
-  nginx:
-    image: nginx:alpine
-    container_name: nginx-server
-    ports:
-      - "80:80"
-    volumes:
-      - ./public:/var/www/html/tkr/public
-      - ./examples/nginx/folder.conf:/etc/nginx/conf.d/default.conf
-    depends_on:
-      - php
-    restart: unless-stopped
-
-  php:
-    image: php:8.2-fpm-alpine
-    container_name: php-fpm
-    volumes:
-      - ./config:/var/www/html/tkr/config
-      - ./public:/var/www/html/tkr/public
-      - ./src:/var/www/html/tkr/src
-      - ./storage:/var/www/html/tkr/storage
-      - ./templates:/var/www/html/tkr/templates
-    command: >
-      sh -c "
-      chown -R www-data:www-data /var/www/html/tkr/storage &&
-      chmod -R 775 /var/www/html/tkr/storage &&
-      php-fpm
-      "
-    restart: unless-stopped
-
-volumes:
-  src:
-    driver: local
--- a/examples/nginx/root.conf
+++ b/examples/nginx/root.conf
@ -1,36 +0,0 @@
-server {
-    #listen 80 default_server;
-    listen 80;
-    root /app/public;
-
-    index index.php;
-
-    # Security headers
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-XSS-Protection "1; mode=block" always;
-    add_header X-Content-Type-Options "nosniff" always;
-
-    # Deny access to hidden files
-    location ~ /\. {
-        deny all;
-        access_log off;
-        log_not_found off;
-    }
-    
-    location ~ \.php$ {
-        fastcgi_pass php:9000;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param REQUEST_METHOD  $request_method;
-        fastcgi_param CONTENT_TYPE    $content_type;
-        fastcgi_param CONTENT_LENGTH  $content_length;
-        include fastcgi_params;     
-    }
-
-    location / {
-        try_files $uri $uri/ =404;
-    }
-
-    location ~* \.(htaccess|env|ini|log|bak)$ {
-        deny all;
-    }
-} 
--- a/examples/nginx/root/nginx.conf
+++ b/examples/nginx/root/nginx.conf
@ -0,0 +1,78 @@
+server {
+    listen 80;
+    server_name localhost;
+    
+    root /var/www/html/tkr/public;
+    index index.php;
+
+    # Security headers
+    # The first rule is to prevent including in a frame on a different domain.
+    # Remove it if you want to do that.
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
+
+    # Deny access to hidden files
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # PHP routing - everything goes through index.php
+    location / {
+        # Cache static files
+        # Note that I don't actually serve most of this (just css)
+        # but this prevents requests for static content from getting to the PHP handler.
+        #
+        # I've excluded /css/custom so that requests for uploaded css can be handled by the PHP app.
+        # That lets me store uploaded content outside of the document root,
+        # so it isn't served directly.
+        location ~* ^/(?!css/custom/).+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+            try_files $uri =404;
+        }
+
+        # index.php is the entry point
+        # It needs to be sent to php-fpm
+        # But if someone tries to directly access index.php, that file will throw a 404
+        # so bots and scanners can't tell this is a php app
+        location = /index.php {
+            fastcgi_pass php:9000;
+            fastcgi_param SCRIPT_FILENAME /var/www/html/tkr/public/index.php;
+            include fastcgi_params;
+            
+            fastcgi_param REQUEST_METHOD $request_method;
+            fastcgi_param REQUEST_URI $request_uri;
+            fastcgi_param QUERY_STRING $query_string;
+        }
+
+        # Block attempts to access all other .php files directly
+        # (these are bots and scanners)
+        location ~ ^/.+\.php$ {
+            return 404;
+        } 
+
+        # forward other requests to the fallback block,
+        # which sends them to php-fpm for handling
+        try_files $uri $uri/ @tkr_fallback;
+    }
+
+    # Fallback for /tkr routing - all non-file requests (e.g. /login) go to index.php
+    location @tkr_fallback {
+        fastcgi_pass php:9000;
+        fastcgi_param SCRIPT_FILENAME /var/www/html/tkr/public/index.php;
+        include fastcgi_params;
+        
+        fastcgi_param REQUEST_METHOD $request_method;
+        fastcgi_param REQUEST_URI $request_uri;
+        fastcgi_param QUERY_STRING $query_string;
+    }
+
+    # Deny access to sensitive directories
+    location ~ ^/(storage|src|templates|uploads|config) {
+        deny all;
+        return 404;
+    }
+}
--- a/examples/nginx/subfolder/nginx.conf
+++ b/examples/nginx/subfolder/nginx.conf
@ -6,6 +6,8 @@ server {
    index index.html;

    # Security headers
+    # The first rule is to prevent including in a frame on a different domain.
+    # Remove it if you want to do that.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
@ -44,7 +46,6 @@ server {
            fastcgi_param SCRIPT_FILENAME /var/www/html/tkr/public/index.php;
            include fastcgi_params;
            
-            # Additional FastCGI params
            fastcgi_param REQUEST_METHOD $request_method;
            fastcgi_param REQUEST_URI $request_uri;
            fastcgi_param QUERY_STRING $query_string;
@ -67,14 +68,13 @@ server {
        fastcgi_param SCRIPT_FILENAME /var/www/html/tkr/public/index.php;
        include fastcgi_params;
        
-        # Additional FastCGI params
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param REQUEST_URI $request_uri;
        fastcgi_param QUERY_STRING $query_string;
    }

    # Deny access to sensitive directories
-    location ~ ^/tkr/(storage|src|templates|vendor|uploads|config) {
+    location ~ ^/tkr/(storage|src|templates|uploads|config) {
        deny all;
        return 404;
    }
--- a/templates/partials/tick.php
+++ b/templates/partials/tick.php
@ -0,0 +1,5 @@
+<?php /** @var ConfigModel $config */ ?>
+<?php /** @var Date $tickTime */ ?>
+<?php /** @var string $tick */ ?>
+        <h1>Tick from <?= $tickTime->format('Y-m-d H:i:s'); ?></h1>
+        <p><?= $tick ?></p>
--- a/templates/tick.php
+++ b/templates/tick.php
@ -1,15 +0,0 @@
-<?php /** @var ConfigModel $config */ ?>
-<?php /** @var Date $tickTime */ ?>
-<?php /** @var string $tick */ ?>
-<!DOCTYPE html>
-<html lang="en">
-    <head>
-<?php include TEMPLATES_DIR . '/partials/head.php'?>
-    </head>
-    <body>
-<?php include TEMPLATES_DIR . '/partials/navbar.php'?>
-<!DOCTYPE html>
-        <h1>Tick from <?= $tickTime->format('Y-m-d H:i:s'); ?></h1>
-        <p><?= $tick ?></p>
-    </body>
-</html>