aboutsummaryrefslogtreecommitdiffstats
path: root/phpBB/docs/INSTALL.html
diff options
context:
space:
mode:
authorMarc Alexander <admin@m-a-styles.de>2016-11-13 12:29:28 +0100
committerMarc Alexander <admin@m-a-styles.de>2016-11-13 12:29:28 +0100
commita2953cb10c6f9318868b8727dd9e86cf419ff66c (patch)
tree626a57321d8f3cb91fe90045746bf336fb49a24a /phpBB/docs/INSTALL.html
parent9c7e8c2dc5607a594f1e8d3a633dc686e8c002a7 (diff)
parent44dd1ef9842c83f7ba4a37bf4a17489d5fe73991 (diff)
downloadforums-a2953cb10c6f9318868b8727dd9e86cf419ff66c.tar
forums-a2953cb10c6f9318868b8727dd9e86cf419ff66c.tar.gz
forums-a2953cb10c6f9318868b8727dd9e86cf419ff66c.tar.bz2
forums-a2953cb10c6f9318868b8727dd9e86cf419ff66c.tar.xz
forums-a2953cb10c6f9318868b8727dd9e86cf419ff66c.zip
Merge branch 'ticket/security-181' into ticket/security-181-rhea
Diffstat (limited to 'phpBB/docs/INSTALL.html')
-rw-r--r--phpBB/docs/INSTALL.html16
1 files changed, 14 insertions, 2 deletions
diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html
index 4837ad35e2..1468cf3f02 100644
--- a/phpBB/docs/INSTALL.html
+++ b/phpBB/docs/INSTALL.html
@@ -457,9 +457,21 @@
<a name="webserver_configuration"></a><h3>6.ii. Webserver configuration</h3>
- <p>Depending on your web server, you may have to configure your server to deny web access to the <code>cache/</code>, <code>files/</code>, <code>store/</code> and other directories. This is to prevent users from accessing sensitive files.</p>
+ <p>Depending on your web server, you may have to configure your server to deny web access to the <code>cache/</code>, <code>files/</code>, <code>includes</code>, <code>phpbb</code>, <code>store/</code>, and <code>vendor</code> directories. This is to prevent users from accessing sensitive files.</p>
- <p>For <strong>Apache</strong> there are <code>.htaccess</code> files already in place to do this for you. Similarly, for <strong>Windows</strong> based servers using <strong>IIS</strong> there are <code>web.config</code> files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for <strong>nginx</strong> and <strong>lighttpd</strong> to help you get started may be found in <code>docs/</code> directory.</p>
+ <p>
+ For <strong>Apache</strong> there are <code>.htaccess</code> files already in place to do this for the most sensitive files and folders. We do however recommend to completely deny all access to the aforementioned folders and their respective subfolders in your Apache configuration.<br />
+ On Apache 2.4, denying access to the <code>phpbb</code> folder in a phpBB instance located at <code>/var/www/html/</code> would work like this:
+ <pre>
+&lt;Directory /var/www/html/phpbb/*&gt;
+ Require all denied
+&lt;/Directory&gt;
+&lt;Directory /var/www/html/phpbb>
+ Require all denied
+&lt;/Directory&gt;</pre>
+ <br />
+ <p>The same settings can be applied to the other mentioned directories by replacing <code>phpbb</code> by the respective directory name. Please pay attention to the difference in syntax between Apache version <a href="https://httpd.apache.org/docs/2.2/howto/access.html">2.2</a> and <a href="https://httpd.apache.org/docs/2.4/howto/access.html">2.4</a>.</p>
+ <p>For <strong>Windows</strong> based servers using <strong>IIS</strong> there are <code>web.config</code> files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for <strong>nginx</strong> and <strong>lighttpd</strong> to help you get started may be found in <code>docs/</code> directory.</p>
</div>