diff --git a/docs/en/installation/nginx.md b/docs/en/installation/nginx.md
index 3a8d34e35..b9390385d 100644
--- a/docs/en/installation/nginx.md
+++ b/docs/en/installation/nginx.md
@@ -19,7 +19,7 @@ configuration settings:
 
 index index.php index.html index.htm;
 server_name example.com;
-
+
 include silverstripe3;
 include htaccess;
 }
@@ -29,7 +29,7 @@ Here is the include file `silverstripe3`:
 location / {
 try_files $uri @silverstripe;
 }
-
+
 location @silverstripe {
 include fastcgi_params;
 
@@ -68,6 +68,11 @@ Here is the include file `htaccess`:
 try_files $uri $uri/ =404;
 }
 
+ # Block access to yaml files
+ location ~ \.yml$ {
+ deny all;
+ }
+
 # cms & framework .htaccess rules
 location ~ ^/(cms|framework|mysite)/.*\.(php|php[345]|phtml|inc)$ {
 deny all;
diff --git a/docs/en/installation/webserver.md b/docs/en/installation/webserver.md
index dffadc211..addf9319f 100644
--- a/docs/en/installation/webserver.md
+++ b/docs/en/installation/webserver.md
@@ -26,4 +26,18 @@ name' and the default login details. Follow the questions and select the *instal
 
 ## Issues?
 
-If the above steps don't work for any reason have a read of the [Common Problems](common-problems) section.
\ No newline at end of file
+If the above steps don't work for any reason have a read of the [Common Problems](common-problems) section.
+
+## Security notes
+
+### Yaml
+
+For the reasons explained in [security](/topics/security) Yaml files are blocked by default by the .htaccess file
+provided by the SilverStripe installer module.
+
+To allow serving yaml files from a specific directory, add code like this to an .htaccess file in that directory
+
+
+ Order allow,deny
+ Allow from all
+
diff --git a/docs/en/topics/security.md b/docs/en/topics/security.md
index 5d20481af..fff3e792d 100644
--- a/docs/en/topics/security.md
+++ b/docs/en/topics/security.md
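Review bot: The `location ~ \.yml$ { deny all; }` block added to the `htaccess` include matches only a lowercase `.yml` suffix, so a `.yaml` file, or `.YML` on a case-insensitive filesystem, is not covered and still falls through to the `try_files $uri $uri/ =404;` handling above it. A case-insensitive pattern over both spellings, `location ~* \.ya?ml$ { deny all; }`, closes that gap without changing anything else in the include. nginx uses the first regex location that matches, in file order, so the block should stay ahead of any later regex location that could match the same paths, which its placement before the cms/framework rule already does.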
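Review bot: The `.htaccess` override added under "Security notes" in webserver.md uses `Order allow,deny` / `Allow from all`, which is the Apache 2.2 mod_access syntax; on Apache 2.4 those directives are accepted only when mod_access_compat is loaded and otherwise cause a configuration error, so the snippet should also give the 2.4 form, `Require all granted`, or state which Apache version it targets. The hunk shows two empty added lines around those directives where an enclosing `<Files>` or `<FilesMatch>` wrapper would normally sit, so the wrapper may have been dropped in this rendering and is worth confirming in the source file, since the directives are meant to apply only to the yaml files in that directory. Given that the sibling security.md text asks readers to whitelist individual yaml files, the example would be clearer if it scoped the override to a named file or a narrow pattern rather than a whole directory.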
@@ -363,6 +363,16 @@ file in the assets directory. This requires PHP to be loaded as an Apache modul
 php_flag engine off
 Options -ExecCGI -Includes -Indexes
 
+### Don't allow access to .yml files
+
+Yaml files are often used to store sensitive or semi-sensitive data for use by SilverStripe framework (for instance,
+configuration and test fixtures).
+
+You should therefore block access to all yaml files (extension .yml) by default, and white list only yaml files
+you need to serve directly.
+
+See [Apache](/installation/webserver) and [Nginx](/installation/nginx) installation documentation for details
+specific to your web server
 
 ## Related
 