In this release we have changed our NGINX configuration to handle URLs that contain /app/ more strictly. Previously all URLs that started with /app/ were automatically blocked (403); now any URL that contains /app/ anywhere in its path is automatically blocked as well. This makes it harder to accidentally expose Magento configuration files that shouldn’t be openly accessible when a shop or storefront lives in a sub-directory.

Old NGINX rules:

location ^~ /app/                       { return 403; }
location ^~ /var/                       { return 403; }

New NGINX rules:

location ~ /app/                        { return 403; }
location ~ /var/cache/                  { return 403; }
location ~ /var/resource_config.json    { return 403; }
location ^~ /var/                       { return 403; }
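As an added illustration, which is not part of the original release note and not Hypernode's own tooling, the Python script below models the part of nginx location selection that makes the two rule sets behave differently: a `^~` prefix location matches only when the request path starts with the prefix and, when it is the longest matching prefix, stops the regex search; a `~` location runs its regular expression against the whole path, in file order, first match wins. It runs the old and new rules from above against a handful of constructed paths. The rule lists, the function names and `SAMPLE_PATHS` are this example's own; the model assumes the path has already been normalized (as nginx does before matching) and ignores the shop's other location blocks.

```python
import re

# Minimal model of how nginx picks a location block, enough to compare the
# two rule sets on this page. Each rule is (modifier, pattern):
#   "^~"  prefix location; when it is the longest matching prefix, the regex
#         locations are not consulted at all
#   "~"   case-sensitive regex location, tried in file order, first match wins
# Plain prefix locations, "=" and "~*" are left out because the rules shown
# here do not use them. The path is assumed to be already normalized
# (percent-decoded, "//" collapsed, ".." resolved), which nginx does before
# matching.

OLD_RULES = [
    ("^~", "/app/"),
    ("^~", "/var/"),
]

NEW_RULES = [
    ("~", "/app/"),
    ("~", "/var/cache/"),
    ("~", "/var/resource_config.json"),
    ("^~", "/var/"),
]


def matching_rule(path, rules):
    """Return the (modifier, pattern) nginx would select, or None."""
    # 1. longest matching prefix location (all prefixes here carry "^~")
    best = None
    for modifier, pattern in rules:
        if modifier == "^~" and path.startswith(pattern):
            if best is None or len(pattern) > len(best[1]):
                best = (modifier, pattern)
    # 2. a winning "^~" prefix ends the search before any regex is tried
    if best is not None:
        return best
    # 3. otherwise regex locations, in order of appearance
    for modifier, pattern in rules:
        if modifier == "~" and re.search(pattern, path):
            return (modifier, pattern)
    return None


def blocked(path, rules):
    """True when the request would receive the 403 from one of these rules."""
    return matching_rule(path, rules) is not None


# Constructed sample paths for the example (not taken from any real shop)
SAMPLE_PATHS = [
    "/app/etc/env.php",                                    # config in the document root
    "/shop/app/etc/env.php",                               # same file, shop in a sub-directory
    "/shop/var/cache/sess",                                # cache under a sub-directory shop
    "/shop/var/resource_config.json",
    "/shop/var/log/system.log",                            # other /var/ content in a sub-directory
    "/static/frontend/Vendor/theme/en_US/js/app/main.js",  # a public asset with /app/ in its path
    "/index.php",
]


def compare(paths=SAMPLE_PATHS):
    """Map each path to (blocked_by_old_rules, blocked_by_new_rules)."""
    return {p: (blocked(p, OLD_RULES), blocked(p, NEW_RULES)) for p in paths}


if __name__ == "__main__":
    print(f"{'path':55} old  new")
    for path, (old, new) in compare().items():
        print(f"{path:55} {'403' if old else '200':4} {'403' if new else '200'}")
```

Running it shows `/shop/app/etc/env.php` passing the old rules and getting a 403 from the new ones, while `/shop/var/log/system.log` is left alone by both sets (under a sub-directory only the cache directory and resource_config.json are caught). The static JavaScript path with `/app/` in the middle also turns into a 403 under the new rules, which is the kind of collocated match that the Jun 8 update further down relaxes.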

For details, see the /etc/nginx/security.conf file on your Hypernode.

Note that if you have any previously existing NGINX rules in the user configurable /data/web/nginx directory that clash with this new configuration, the nginx config reloader will create an nginx_error_output file to inform you of any validation failures the next time you edit a config.

In other news, we have enabled the PHP Bzip2 extension, used for creating and parsing bzip2-compressed data, in the PHP 7.0 and 7.1 installations. This extension was already enabled for PHP 5.6 on Hypernode and is now available for the other versions too. Magento does not require this module, but some peripheral applications such as pimcore depend on it.

These changes will be deployed on all Hypernodes over the course of this week.

Update Jun 8 15:56:28 CEST 2018:

Because this new rule was blocking some false positives, we have made it a bit less restrictive. It now only blocks /app/ on the first subdirectory level, not on all levels. That should cover the most common use cases without being overly restrictive. If you do want to block /app/ paths at deeper levels, you can configure that in the NGINX config yourself.

-    location ~ /app/                        { return 403; }
+    location ^~ /app/                       { return 403; }
+    location ~ ^/(.*)/app/                  { return 403; }
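Review bot: the regex in `location ~ ^/(.*)/app/` still matches `/app/` at any depth, not only on the first subdirectory level as the update text describes, because `.*` also matches `/` (for `/a/b/app/x` the group simply captures `a/b`). If one level is the intent, `^/[^/]+/app/` expresses it; if any depth is the intent, this line behaves like the `~ /app/` it replaces for every path with a non-empty first segment, and only the re-added `^~ /app/` prefix line changes anything, so the description above should say which is meant. The capture group is also unused and can be dropped.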