Project

General

Profile

Actions

Feature #2244

closed

protection, apache + mod_rails a.k.a. phusion passenger

Added by Keith Cascio almost 16 years ago. Updated almost 16 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
2008-11-28
Due date:
% Done:

0%

Estimated time:
Resolution:
Wont fix

Description

Now that many admins deploy Redmine using Apache + Phusion Passenger a.k.a. mod_rails or modrails, it makes sense to add .htaccess files to protect the non-public parts of Redmine from inadvertent/malicious download. Here's why:

If we use the Passenger sub-URI method to deploy Redmine, i.e. we simply copy a fresh distribution of Redmine anywhere under Apache's web document root, unless precautions are taken, we expose private files to download, e.g. config/database.yml

By my count, there are 13 first-level directories that would benefit from .htaccess protection: { app/ config/ db/ doc/ extra/ files/ lang/ lib/ log/ script/ test/ tmp/ vendor/ }

For each of those, you could add an .htaccess file (e.g. config/.htaccess) looking like this:

order deny,allow
deny from all
Actions

Also available in: Atom PDF