From 6a7950aa34a7091105f93058033673cbacddc480 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Ba=C4=8Do?= Date: Mon, 18 Sep 2023 12:27:47 +0200 Subject: [PATCH 1/7] Add function domains force https --- .env | 1 + app/config/variables.php | 11 ++++++++++- app/controllers/general.php | 12 +++++++++++- app/views/install/compose.phtml | 2 ++ docker-compose.yml | 2 ++ src/Appwrite/Platform/Tasks/Doctor.php | 6 ++++++ tests/resources/docker/docker-compose.yml | 1 + 7 files changed, 33 insertions(+), 2 deletions(-) diff --git a/.env b/.env index 189095e9e5..9d09b00dff 100644 --- a/.env +++ b/.env @@ -10,6 +10,7 @@ _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io _APP_SYSTEM_RESPONSE_FORMAT= _APP_OPTIONS_ABUSE=disabled _APP_OPTIONS_FORCE_HTTPS=disabled +_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS=disabled _APP_OPENSSL_KEY_V1=your-secret-key _APP_DOMAIN=localhost _APP_DOMAIN_FUNCTIONS=functions.localhost diff --git a/app/config/variables.php b/app/config/variables.php index 5d8c0eaa2e..9e99695ef3 100644 --- a/app/config/variables.php +++ b/app/config/variables.php @@ -36,7 +36,16 @@ return [ ], [ 'name' => '_APP_OPTIONS_FORCE_HTTPS', - 'description' => 'Allows you to force HTTPS connection to your API. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443.', + 'description' => 'Allows you to force HTTPS connection to your API. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443, and you have set up wildcard certificates with DNS challenge.', + 'introduction' => '', + 'default' => 'disabled', + 'required' => false, + 'question' => '', + 'filter' => '' + ], + [ + 'name' => '_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', + 'description' => 'Allows you to force HTTPS connection to function domains. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443.', 'introduction' => '', 'default' => 'disabled', 'required' => false, diff --git a/app/controllers/general.php b/app/controllers/general.php index d47b863574..6d1b78c0be 100644 --- a/app/controllers/general.php +++ b/app/controllers/general.php @@ -83,6 +83,16 @@ function router(App $utopia, Database $dbForConsole, SwooleRequest $swooleReques $type = $route->getAttribute('resourceType'); if ($type === 'function') { + if (App::getEnv('_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', 'disabled') === 'enabled') { // Force HTTPS + if ($request->getProtocol() !== 'https') { + if ($request->getMethod() !== Request::METHOD_GET) { + throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP. Please use HTTPS instead.'); + } + + return $response->redirect('https://' . $request->getHostname() . $request->getURI()); + } + } + $functionId = $route->getAttribute('resourceId'); $projectId = $route->getAttribute('projectId'); @@ -380,7 +390,7 @@ App::init() if (App::getEnv('_APP_OPTIONS_FORCE_HTTPS', 'disabled') === 'enabled') { // Force HTTPS if ($request->getProtocol() !== 'https' && ($swooleRequest->header['host'] ?? '') !== 'localhost' && ($swooleRequest->header['host'] ?? '') !== APP_HOSTNAME_INTERNAL) { // localhost allowed for proxy, APP_HOSTNAME_INTERNAL allowed for migrations if ($request->getMethod() !== Request::METHOD_GET) { - throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP.'); + throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP. Please use HTTPS instead.'); } return $response->redirect('https://' . $request->getHostname() . $request->getURI()); diff --git a/app/views/install/compose.phtml b/app/views/install/compose.phtml index d59f97b9da..a6d9f7ad9e 100644 --- a/app/views/install/compose.phtml +++ b/app/views/install/compose.phtml @@ -85,6 +85,7 @@ services: - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS + - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_TARGET @@ -382,6 +383,7 @@ services: - _APP_FUNCTIONS_CPUS - _APP_FUNCTIONS_MEMORY - _APP_OPTIONS_FORCE_HTTPS + - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS - _APP_DOMAIN - _APP_STORAGE_DEVICE - _APP_STORAGE_S3_ACCESS_KEY diff --git a/docker-compose.yml b/docker-compose.yml index a6c1018d3c..914ce480e3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -106,6 +106,7 @@ services: - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS + - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_TARGET @@ -417,6 +418,7 @@ services: - _APP_FUNCTIONS_CPUS - _APP_FUNCTIONS_MEMORY - _APP_OPTIONS_FORCE_HTTPS + - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS - _APP_DOMAIN - _APP_STORAGE_DEVICE - _APP_STORAGE_S3_ACCESS_KEY diff --git a/src/Appwrite/Platform/Tasks/Doctor.php b/src/Appwrite/Platform/Tasks/Doctor.php index 423dd78fe7..e5e2e38736 100644 --- a/src/Appwrite/Platform/Tasks/Doctor.php +++ b/src/Appwrite/Platform/Tasks/Doctor.php @@ -93,6 +93,12 @@ class Doctor extends Action Console::log('🟢 HTTPS force option is enabled'); } + if ('enabled' !== App::getEnv('_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', 'disabled')) { + Console::log('🔴 HTTPS force option is disabled for function domains'); + } else { + Console::log('🟢 HTTPS force option is enabled for function domains'); + } + $providerName = App::getEnv('_APP_LOGGING_PROVIDER', ''); $providerConfig = App::getEnv('_APP_LOGGING_CONFIG', ''); diff --git a/tests/resources/docker/docker-compose.yml b/tests/resources/docker/docker-compose.yml index 3baae7316d..5377bf0cdc 100644 --- a/tests/resources/docker/docker-compose.yml +++ b/tests/resources/docker/docker-compose.yml @@ -67,6 +67,7 @@ services: - _APP_ENV - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS + - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_FUNCTIONS From a1049bd2d5d970f7422a1faa55b298601200860d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Ba=C4=8Do?= Date: Mon, 18 Sep 2023 13:18:58 +0200 Subject: [PATCH 2/7] Implement router protection --- .env | 1 + app/controllers/general.php | 18 ++++++++++++++++-- app/controllers/web/console.php | 10 +++++++++- docker-compose.yml | 2 ++ 4 files changed, 28 insertions(+), 3 deletions(-) diff --git a/.env b/.env index 189095e9e5..0bed611fca 100644 --- a/.env +++ b/.env @@ -9,6 +9,7 @@ _APP_SYSTEM_EMAIL_ADDRESS=team@appwrite.io _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io _APP_SYSTEM_RESPONSE_FORMAT= _APP_OPTIONS_ABUSE=disabled +_APP_OPTIONS_ROUTER_PROTECTION=enabled _APP_OPTIONS_FORCE_HTTPS=disabled _APP_OPENSSL_KEY_V1=your-secret-key _APP_DOMAIN=localhost diff --git a/app/controllers/general.php b/app/controllers/general.php index d47b863574..3cf78ed4d9 100644 --- a/app/controllers/general.php +++ b/app/controllers/general.php @@ -47,6 +47,8 @@ Config::setParam('cookieSamesite', Response::COOKIE_SAMESITE_NONE); function router(App $utopia, Database $dbForConsole, SwooleRequest $swooleRequest, Request $request, Response $response) { + $utopia->getRoute()?->label('error', __DIR__ . '/../views/general/error.phtml'); + $host = $request->getHostname() ?? ''; $route = Authorization::skip( @@ -57,12 +59,23 @@ function router(App $utopia, Database $dbForConsole, SwooleRequest $swooleReques )[0] ?? null; if ($route === null) { + if($host === App::getEnv('_APP_DOMAIN_FUNCTIONS', '')) { + throw new AppwriteException(AppwriteException::GENERAL_ACCESS_FORBIDDEN, 'This domain cannot be used for security reasons. Please use any subdomain instead.'); + } + + if(\str_ends_with($host, App::getEnv('_APP_DOMAIN_FUNCTIONS', ''))) { + throw new AppwriteException(AppwriteException::GENERAL_ACCESS_FORBIDDEN, 'This domain is not connected to any Appwrite resource yet. Please configure custom domain or function domain to allow this request.'); + } + + if(App::getEnv('_APP_OPTIONS_ROUTER_PROTECTION', 'disabled') === 'enabled') { + throw new AppwriteException(AppwriteException::GENERAL_ACCESS_FORBIDDEN, 'Router protection does not allow accessing Appwrite over this domain. Please add it as custom domain to your project or disable _APP_OPTIONS_ROUTER_PROTECTION environment variable.'); + } + // Act as API - no Proxy logic + $utopia->getRoute()?->label('error', ''); return false; } - $utopia->getRoute()?->label('error', __DIR__ . '/../views/general/error.phtml'); - $projectId = $route->getAttribute('projectId'); $project = Authorization::skip( fn () => $dbForConsole->getDocument('projects', $projectId) @@ -164,6 +177,7 @@ function router(App $utopia, Database $dbForConsole, SwooleRequest $swooleReques throw new AppwriteException(AppwriteException::GENERAL_SERVER_ERROR, 'Unknown resource type ' . $type); } + $utopia->getRoute()?->label('error', ''); return false; } diff --git a/app/controllers/web/console.php b/app/controllers/web/console.php index 4a6f15df3a..ccb088e6ed 100644 --- a/app/controllers/web/console.php +++ b/app/controllers/web/console.php @@ -28,9 +28,17 @@ App::get('/console/*') ->groups(['web']) ->label('permission', 'public') ->label('scope', 'home') + ->inject('utopia') ->inject('request') ->inject('response') - ->action(function (Request $request, Response $response) { + ->action(function (App $utopia, Request $request, Response $response) { + $host = $request->getHostname() ?? ''; + $mainDomain = App::getEnv('_APP_DOMAIN', ''); + if(App::getEnv('_APP_OPTIONS_ROUTER_PROTECTION', 'disabled') === 'enabled' && $host !== $mainDomain) { + $utopia->getRoute()?->label('error', __DIR__ . '/../../views/general/error.phtml'); + throw new Exception(Exception::GENERAL_ACCESS_FORBIDDEN, 'Router protection does not allow accessing Appwrite Console over custom domain. Please disable _APP_OPTIONS_ROUTER_PROTECTION environment variable.'); + } + $fallback = file_get_contents(__DIR__ . '/../../../console/index.html'); // Card SSR diff --git a/docker-compose.yml b/docker-compose.yml index a6c1018d3c..231a7b2170 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -105,6 +105,7 @@ services: - _APP_SYSTEM_SECURITY_EMAIL_ADDRESS - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE + - _APP_OPTIONS_ROUTER_PROTECTION - _APP_OPTIONS_FORCE_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN @@ -222,6 +223,7 @@ services: - _APP_ENV - _APP_WORKER_PER_CORE - _APP_OPTIONS_ABUSE + - _APP_OPTIONS_ROUTER_PROTECTION - _APP_OPENSSL_KEY_V1 - _APP_REDIS_HOST - _APP_REDIS_PORT From 6afba0b9c901d14b17741dec083c6a7b4c051aab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Ba=C4=8Do?= Date: Mon, 18 Sep 2023 13:22:06 +0200 Subject: [PATCH 3/7] Linter fix --- app/controllers/general.php | 8 ++++---- app/controllers/web/console.php | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/app/controllers/general.php b/app/controllers/general.php index 3cf78ed4d9..16605a597a 100644 --- a/app/controllers/general.php +++ b/app/controllers/general.php @@ -59,15 +59,15 @@ function router(App $utopia, Database $dbForConsole, SwooleRequest $swooleReques )[0] ?? null; if ($route === null) { - if($host === App::getEnv('_APP_DOMAIN_FUNCTIONS', '')) { + if ($host === App::getEnv('_APP_DOMAIN_FUNCTIONS', '')) { throw new AppwriteException(AppwriteException::GENERAL_ACCESS_FORBIDDEN, 'This domain cannot be used for security reasons. Please use any subdomain instead.'); } - - if(\str_ends_with($host, App::getEnv('_APP_DOMAIN_FUNCTIONS', ''))) { + + if (\str_ends_with($host, App::getEnv('_APP_DOMAIN_FUNCTIONS', ''))) { throw new AppwriteException(AppwriteException::GENERAL_ACCESS_FORBIDDEN, 'This domain is not connected to any Appwrite resource yet. Please configure custom domain or function domain to allow this request.'); } - if(App::getEnv('_APP_OPTIONS_ROUTER_PROTECTION', 'disabled') === 'enabled') { + if (App::getEnv('_APP_OPTIONS_ROUTER_PROTECTION', 'disabled') === 'enabled') { throw new AppwriteException(AppwriteException::GENERAL_ACCESS_FORBIDDEN, 'Router protection does not allow accessing Appwrite over this domain. Please add it as custom domain to your project or disable _APP_OPTIONS_ROUTER_PROTECTION environment variable.'); } diff --git a/app/controllers/web/console.php b/app/controllers/web/console.php index ccb088e6ed..01e985fc16 100644 --- a/app/controllers/web/console.php +++ b/app/controllers/web/console.php @@ -34,7 +34,7 @@ App::get('/console/*') ->action(function (App $utopia, Request $request, Response $response) { $host = $request->getHostname() ?? ''; $mainDomain = App::getEnv('_APP_DOMAIN', ''); - if(App::getEnv('_APP_OPTIONS_ROUTER_PROTECTION', 'disabled') === 'enabled' && $host !== $mainDomain) { + if (App::getEnv('_APP_OPTIONS_ROUTER_PROTECTION', 'disabled') === 'enabled' && $host !== $mainDomain) { $utopia->getRoute()?->label('error', __DIR__ . '/../../views/general/error.phtml'); throw new Exception(Exception::GENERAL_ACCESS_FORBIDDEN, 'Router protection does not allow accessing Appwrite Console over custom domain. Please disable _APP_OPTIONS_ROUTER_PROTECTION environment variable.'); } From 544f35ef2f57da3cadd01afaeaf39ae70b9ffac5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Ba=C4=8Do?= Date: Mon, 18 Sep 2023 13:24:43 +0200 Subject: [PATCH 4/7] env var disabled by default router protection --- .env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.env b/.env index 0bed611fca..777b3ef76f 100644 --- a/.env +++ b/.env @@ -9,7 +9,7 @@ _APP_SYSTEM_EMAIL_ADDRESS=team@appwrite.io _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io _APP_SYSTEM_RESPONSE_FORMAT= _APP_OPTIONS_ABUSE=disabled -_APP_OPTIONS_ROUTER_PROTECTION=enabled +_APP_OPTIONS_ROUTER_PROTECTION=disbled _APP_OPTIONS_FORCE_HTTPS=disabled _APP_OPENSSL_KEY_V1=your-secret-key _APP_DOMAIN=localhost From d87dbad7682ca208bc20d7bf5f8d6c8ab7f0a960 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Ba=C4=8Do?= Date: Tue, 19 Sep 2023 09:31:57 +0200 Subject: [PATCH 5/7] PR review changes --- .env | 2 +- app/config/variables.php | 2 +- app/controllers/general.php | 2 +- app/views/install/compose.phtml | 4 ++-- docker-compose.yml | 4 ++-- src/Appwrite/Platform/Tasks/Doctor.php | 2 +- tests/resources/docker/docker-compose.yml | 2 +- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.env b/.env index 9d09b00dff..8de3ada7f3 100644 --- a/.env +++ b/.env @@ -10,7 +10,7 @@ _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io _APP_SYSTEM_RESPONSE_FORMAT= _APP_OPTIONS_ABUSE=disabled _APP_OPTIONS_FORCE_HTTPS=disabled -_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS=disabled +_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS=disabled _APP_OPENSSL_KEY_V1=your-secret-key _APP_DOMAIN=localhost _APP_DOMAIN_FUNCTIONS=functions.localhost diff --git a/app/config/variables.php b/app/config/variables.php index 9e99695ef3..74339c43ac 100644 --- a/app/config/variables.php +++ b/app/config/variables.php @@ -44,7 +44,7 @@ return [ 'filter' => '' ], [ - 'name' => '_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', + 'name' => '_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS', 'description' => 'Allows you to force HTTPS connection to function domains. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443.', 'introduction' => '', 'default' => 'disabled', diff --git a/app/controllers/general.php b/app/controllers/general.php index 6d1b78c0be..345ef2d547 100644 --- a/app/controllers/general.php +++ b/app/controllers/general.php @@ -83,7 +83,7 @@ function router(App $utopia, Database $dbForConsole, SwooleRequest $swooleReques $type = $route->getAttribute('resourceType'); if ($type === 'function') { - if (App::getEnv('_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', 'disabled') === 'enabled') { // Force HTTPS + if (App::getEnv('_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS', 'disabled') === 'enabled') { // Force HTTPS if ($request->getProtocol() !== 'https') { if ($request->getMethod() !== Request::METHOD_GET) { throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP. Please use HTTPS instead.'); diff --git a/app/views/install/compose.phtml b/app/views/install/compose.phtml index a6d9f7ad9e..86208bf48c 100644 --- a/app/views/install/compose.phtml +++ b/app/views/install/compose.phtml @@ -85,7 +85,7 @@ services: - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS + - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_TARGET @@ -383,7 +383,7 @@ services: - _APP_FUNCTIONS_CPUS - _APP_FUNCTIONS_MEMORY - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS + - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS - _APP_DOMAIN - _APP_STORAGE_DEVICE - _APP_STORAGE_S3_ACCESS_KEY diff --git a/docker-compose.yml b/docker-compose.yml index 914ce480e3..345e814cdd 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -106,7 +106,7 @@ services: - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS + - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_TARGET @@ -418,7 +418,7 @@ services: - _APP_FUNCTIONS_CPUS - _APP_FUNCTIONS_MEMORY - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS + - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS - _APP_DOMAIN - _APP_STORAGE_DEVICE - _APP_STORAGE_S3_ACCESS_KEY diff --git a/src/Appwrite/Platform/Tasks/Doctor.php b/src/Appwrite/Platform/Tasks/Doctor.php index e5e2e38736..89b195c1d7 100644 --- a/src/Appwrite/Platform/Tasks/Doctor.php +++ b/src/Appwrite/Platform/Tasks/Doctor.php @@ -93,7 +93,7 @@ class Doctor extends Action Console::log('🟢 HTTPS force option is enabled'); } - if ('enabled' !== App::getEnv('_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', 'disabled')) { + if ('enabled' !== App::getEnv('_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS', 'disabled')) { Console::log('🔴 HTTPS force option is disabled for function domains'); } else { Console::log('🟢 HTTPS force option is enabled for function domains'); diff --git a/tests/resources/docker/docker-compose.yml b/tests/resources/docker/docker-compose.yml index 5377bf0cdc..d9c2a21414 100644 --- a/tests/resources/docker/docker-compose.yml +++ b/tests/resources/docker/docker-compose.yml @@ -67,7 +67,7 @@ services: - _APP_ENV - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS + - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_FUNCTIONS From 8926d24a0d79082458f33c0897eb41942d3a0a3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Ba=C4=8Do?= Date: Tue, 19 Sep 2023 09:35:32 +0200 Subject: [PATCH 6/7] One more env var rename --- .env | 2 +- app/config/variables.php | 2 +- app/controllers/general.php | 2 +- app/views/install/compose.phtml | 4 ++-- docker-compose.yml | 4 ++-- src/Appwrite/Platform/Tasks/Doctor.php | 2 +- tests/resources/docker/docker-compose.yml | 2 +- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.env b/.env index 8de3ada7f3..c1ccc71182 100644 --- a/.env +++ b/.env @@ -10,7 +10,7 @@ _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io _APP_SYSTEM_RESPONSE_FORMAT= _APP_OPTIONS_ABUSE=disabled _APP_OPTIONS_FORCE_HTTPS=disabled -_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS=disabled +_APP_OPTIONS_FUNCTIONS_FORCE_HTTPS=disabled _APP_OPENSSL_KEY_V1=your-secret-key _APP_DOMAIN=localhost _APP_DOMAIN_FUNCTIONS=functions.localhost diff --git a/app/config/variables.php b/app/config/variables.php index 74339c43ac..7685f3f735 100644 --- a/app/config/variables.php +++ b/app/config/variables.php @@ -44,7 +44,7 @@ return [ 'filter' => '' ], [ - 'name' => '_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS', + 'name' => '_APP_OPTIONS_FUNCTIONS_FORCE_HTTPS', 'description' => 'Allows you to force HTTPS connection to function domains. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443.', 'introduction' => '', 'default' => 'disabled', diff --git a/app/controllers/general.php b/app/controllers/general.php index 345ef2d547..6da34cf1c2 100644 --- a/app/controllers/general.php +++ b/app/controllers/general.php @@ -83,7 +83,7 @@ function router(App $utopia, Database $dbForConsole, SwooleRequest $swooleReques $type = $route->getAttribute('resourceType'); if ($type === 'function') { - if (App::getEnv('_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS', 'disabled') === 'enabled') { // Force HTTPS + if (App::getEnv('_APP_OPTIONS_FUNCTIONS_FORCE_HTTPS', 'disabled') === 'enabled') { // Force HTTPS if ($request->getProtocol() !== 'https') { if ($request->getMethod() !== Request::METHOD_GET) { throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP. Please use HTTPS instead.'); diff --git a/app/views/install/compose.phtml b/app/views/install/compose.phtml index 86208bf48c..be43debd3f 100644 --- a/app/views/install/compose.phtml +++ b/app/views/install/compose.phtml @@ -85,7 +85,7 @@ services: - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS + - _APP_OPTIONS_FUNCTIONS_FORCE_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_TARGET @@ -383,7 +383,7 @@ services: - _APP_FUNCTIONS_CPUS - _APP_FUNCTIONS_MEMORY - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS + - _APP_OPTIONS_FUNCTIONS_FORCE_HTTPS - _APP_DOMAIN - _APP_STORAGE_DEVICE - _APP_STORAGE_S3_ACCESS_KEY diff --git a/docker-compose.yml b/docker-compose.yml index 345e814cdd..752a23fd38 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -106,7 +106,7 @@ services: - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS + - _APP_OPTIONS_FUNCTIONS_FORCE_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_TARGET @@ -418,7 +418,7 @@ services: - _APP_FUNCTIONS_CPUS - _APP_FUNCTIONS_MEMORY - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS + - _APP_OPTIONS_FUNCTIONS_FORCE_HTTPS - _APP_DOMAIN - _APP_STORAGE_DEVICE - _APP_STORAGE_S3_ACCESS_KEY diff --git a/src/Appwrite/Platform/Tasks/Doctor.php b/src/Appwrite/Platform/Tasks/Doctor.php index 89b195c1d7..739a23aaf4 100644 --- a/src/Appwrite/Platform/Tasks/Doctor.php +++ b/src/Appwrite/Platform/Tasks/Doctor.php @@ -93,7 +93,7 @@ class Doctor extends Action Console::log('🟢 HTTPS force option is enabled'); } - if ('enabled' !== App::getEnv('_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS', 'disabled')) { + if ('enabled' !== App::getEnv('_APP_OPTIONS_FUNCTIONS_FORCE_HTTPS', 'disabled')) { Console::log('🔴 HTTPS force option is disabled for function domains'); } else { Console::log('🟢 HTTPS force option is enabled for function domains'); diff --git a/tests/resources/docker/docker-compose.yml b/tests/resources/docker/docker-compose.yml index d9c2a21414..19e63c5313 100644 --- a/tests/resources/docker/docker-compose.yml +++ b/tests/resources/docker/docker-compose.yml @@ -67,7 +67,7 @@ services: - _APP_ENV - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS + - _APP_OPTIONS_FUNCTIONS_FORCE_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_FUNCTIONS From 4c18f9f0e713717dae155ec9436873e05d1d6d7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Ba=C4=8Do?= Date: Tue, 19 Sep 2023 09:39:28 +0200 Subject: [PATCH 7/7] Document router protection env var --- app/config/variables.php | 9 +++++++++ app/views/install/compose.phtml | 2 ++ tests/resources/docker/docker-compose.yml | 1 + 3 files changed, 12 insertions(+) diff --git a/app/config/variables.php b/app/config/variables.php index 5d8c0eaa2e..24d48432ca 100644 --- a/app/config/variables.php +++ b/app/config/variables.php @@ -43,6 +43,15 @@ return [ 'question' => '', 'filter' => '' ], + [ + 'name' => '_APP_OPTIONS_ROUTER_PROTECTION', + 'description' => 'Protects server from serving requests from unknown hostnames, and from serving Console for custom project domains. By default, set to \'disabled\'. To start router protection, set to \'enabled\'. It is recommended to enable this variable on production environment.', + 'introduction' => '1.4.4', + 'default' => 'disabled', + 'required' => false, + 'question' => '', + 'filter' => '' + ], [ 'name' => '_APP_OPENSSL_KEY_V1', 'description' => 'This is your server private secret key that is used to encrypt all sensitive data on your server. Appwrite server encrypts all secret data on your server like webhooks, HTTP passwords, user sessions, and storage files. The var is not set by default, if you wish to take advantage of Appwrite encryption capabilities you should change it and make sure to **keep it a secret and have a backup for it**.', diff --git a/app/views/install/compose.phtml b/app/views/install/compose.phtml index d59f97b9da..09afc9d96d 100644 --- a/app/views/install/compose.phtml +++ b/app/views/install/compose.phtml @@ -84,6 +84,7 @@ services: - _APP_SYSTEM_SECURITY_EMAIL_ADDRESS - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE + - _APP_OPTIONS_ROUTER_PROTECTION - _APP_OPTIONS_FORCE_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN @@ -196,6 +197,7 @@ services: - _APP_ENV - _APP_WORKER_PER_CORE - _APP_OPTIONS_ABUSE + - _APP_OPTIONS_ROUTER_PROTECTION - _APP_OPENSSL_KEY_V1 - _APP_REDIS_HOST - _APP_REDIS_PORT diff --git a/tests/resources/docker/docker-compose.yml b/tests/resources/docker/docker-compose.yml index 3baae7316d..76eae3ab54 100644 --- a/tests/resources/docker/docker-compose.yml +++ b/tests/resources/docker/docker-compose.yml @@ -66,6 +66,7 @@ services: environment: - _APP_ENV - _APP_OPTIONS_ABUSE + - _APP_OPTIONS_ROUTER_PROTECTION - _APP_OPTIONS_FORCE_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN