145 lines
5.5 KiB
YAML
145 lines
5.5 KiB
YAML
---
|
|
Name: requestprocessors
|
|
---
|
|
SilverStripe\Core\Injector\Injector:
|
|
SilverStripe\Control\Director:
|
|
# Note: Don't add 'class' config here, as it will affect ErrorDirector as well
|
|
properties:
|
|
Middlewares:
|
|
TrustedProxyMiddleware: '%$SilverStripe\Control\Middleware\TrustedProxyMiddleware'
|
|
AllowedHostsMiddleware: '%$SilverStripe\Control\Middleware\AllowedHostsMiddleware'
|
|
SessionMiddleware: '%$SilverStripe\Control\Middleware\SessionMiddleware'
|
|
RequestProcessorMiddleware: '%$SilverStripe\Control\RequestProcessor'
|
|
FlushMiddleware: '%$SilverStripe\Control\Middleware\FlushMiddleware'
|
|
ChangeDetectionMiddleware: '%$SilverStripe\Control\Middleware\ChangeDetectionMiddleware'
|
|
HTTPCacheControleMiddleware: '%$SilverStripe\Control\Middleware\HTTPCacheControlMiddleware'
|
|
CanonicalURLMiddleware: '%$SilverStripe\Control\Middleware\CanonicalURLMiddleware'
|
|
SilverStripe\Control\Middleware\AllowedHostsMiddleware:
|
|
properties:
|
|
AllowedHosts: '`SS_ALLOWED_HOSTS`'
|
|
SilverStripe\Control\Middleware\TrustedProxyMiddleware:
|
|
properties:
|
|
TrustedProxyIPs: '`SS_TRUSTED_PROXY_IPS`'
|
|
SecurityRateLimitMiddleware:
|
|
class: SilverStripe\Control\Middleware\RateLimitMiddleware
|
|
properties:
|
|
ExtraKey: 'Security'
|
|
MaxAttempts: 10
|
|
Decay: 1
|
|
RateLimitedSecurityController:
|
|
class: SilverStripe\Control\Middleware\RequestHandlerMiddlewareAdapter
|
|
properties:
|
|
RequestHandler: '%$SilverStripe\Security\Security'
|
|
Middlewares:
|
|
- '%$SecurityRateLimitMiddleware'
|
|
|
|
---
|
|
Name: errorrequestprocessors
|
|
After:
|
|
- '#requestprocessors'
|
|
---
|
|
SilverStripe\Core\Injector\Injector:
|
|
# Note: If Director config changes, take note it will affect this config too
|
|
SilverStripe\Core\Startup\ErrorDirector: '%$SilverStripe\Control\Director'
|
|
|
|
|
|
---
|
|
Name: canonicalurls
|
|
---
|
|
SilverStripe\Core\Injector\Injector:
|
|
SilverStripe\Control\Middleware\CanonicalURLMiddleware:
|
|
properties:
|
|
ForceSSL: false
|
|
ForceWWW: false
|
|
|
|
|
|
---
|
|
Name: url_specials-middleware
|
|
After:
|
|
- 'requestprocessors'
|
|
- 'coresecurity'
|
|
---
|
|
SilverStripe\Core\Injector\Injector:
|
|
SilverStripe\Control\Director:
|
|
properties:
|
|
Middlewares:
|
|
URLSpecialsMiddleware: '%$SilverStripe\Control\Middleware\URLSpecialsMiddleware'
|
|
|
|
SilverStripe\Control\Middleware\URLSpecialsMiddleware:
|
|
class: SilverStripe\Control\Middleware\URLSpecialsMiddleware
|
|
properties:
|
|
ConfirmationStorageId: 'url-specials'
|
|
ConfirmationFormUrl: '/dev/confirm'
|
|
Bypasses:
|
|
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\CliBypass'
|
|
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\EnvironmentBypass("dev")'
|
|
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/confirm")'
|
|
EnforceAuthentication: true
|
|
AffectedPermissions:
|
|
- ADMIN
|
|
|
|
|
|
---
|
|
Name: dev_urls-confirmation-middleware
|
|
After:
|
|
- 'url_specials-middleware'
|
|
---
|
|
# This middleware enforces confirmation (CSRF protection) for all URLs
|
|
# that start with "dev/*", with the exception for "dev/build" which is handled
|
|
# by url_specials-middleware
|
|
|
|
# If you want to make exceptions for some URLs,
|
|
# see "dev_urls-confirmation-exceptions" config
|
|
|
|
SilverStripe\Core\Injector\Injector:
|
|
SilverStripe\Control\Director:
|
|
properties:
|
|
Middlewares:
|
|
DevUrlsConfirmationMiddleware: '%$DevUrlsConfirmationMiddleware'
|
|
|
|
DevUrlsConfirmationMiddleware:
|
|
class: SilverStripe\Control\Middleware\PermissionAwareConfirmationMiddleware
|
|
constructor:
|
|
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev")'
|
|
properties:
|
|
ConfirmationStorageId: 'dev-urls'
|
|
ConfirmationFormUrl: '/dev/confirm'
|
|
Bypasses:
|
|
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\CliBypass'
|
|
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\EnvironmentBypass("dev")'
|
|
EnforceAuthentication: false
|
|
AffectedPermissions:
|
|
- ADMIN
|
|
|
|
---
|
|
Name: dev_urls-confirmation-exceptions
|
|
After:
|
|
- 'dev_urls-confirmation-middleware'
|
|
---
|
|
# This config is the place to add custom bypasses for modules providing UIs
|
|
# on top of DevelopmentAdmin (dev/*)
|
|
|
|
# If the module has its own CSRF protection, the easiest way would be to
|
|
# simply add UrlPathStartswith with the path to the mount point.
|
|
# Example:
|
|
# # This will prevent confirmation for all URLs starting with "dev/custom-module-endpoint/"
|
|
# # WARNING: this won't prevent confirmation for "dev/custom-module-endpoint-suffix/"
|
|
# - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/custom-module-endpoint")'
|
|
|
|
# If the module does not implement its own CSRF protection but exposes all
|
|
# dangerous effects through POST, then you could simply exclude GET and HEAD requests
|
|
# by using HttpMethodBypass("GET", "HEAD"). In that case GET/HEAD requests will not
|
|
# trigger confirmation redirects.
|
|
SilverStripe\Core\Injector\Injector:
|
|
DevUrlsConfirmationMiddleware:
|
|
properties:
|
|
Bypasses:
|
|
# dev/build is covered by URLSpecialsMiddleware
|
|
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/build")'
|
|
|
|
# The confirmation form is where people will be redirected for confirmation. We don't want to block it.
|
|
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/confirm")'
|
|
|
|
# Allows GET requests to the dev index page
|
|
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\Url("dev", ["GET", "HEAD"])'
|