1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2025-01-19 11:11:10 +01:00

Restore the "alternate file domain" setup warning and provide CDN instructions

Summary:
Fixes T2380. Fixes T2382. Users should really configure this, but when we had a warning before a lot of users had trouble with it.

  - Tout performance benefits.
  - Document easy setup via CDN.
  - We have an "Ignore" button now for users who really don't care.

Test Plan:
  - Set up `admin.phacility.com` through AWS CloudFront (need a few changes to handle instances to put it on the cluster in general).
  - Set up `secure.phabricator.com` through CloudFlare (almost; waiting for DNS).

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: chad, epriestley

Maniphest Tasks: T2382, T2380

Differential Revision: https://secure.phabricator.com/D11649
This commit is contained in:
epriestley 2015-02-03 11:51:41 -08:00
parent 9b65370398
commit f96b258302
4 changed files with 148 additions and 19 deletions

View file

@ -45,5 +45,30 @@ final class PhabricatorSecuritySetupCheck extends PhabricatorSetupCheck {
->setMessage($message);
}
$file_key = 'security.alternate-file-domain';
$file_domain = PhabricatorEnv::getEnvConfig($file_key);
if (!$file_domain) {
$doc_href = PhabricatorEnv::getDocLink('Configuring a File Domain');
$this->newIssue('security.'.$file_key)
->setName(pht('Alternate File Domain Not Configured'))
->setSummary(
pht(
'Increase security (and improve performance) by configuring '.
'a CDN or alternate file domain.'))
->setMessage(
pht(
'Phabricator is currently configured to serve user uploads '.
'directly from the same domain as other content. This is a '.
'security risk.'.
"\n\n".
'Configure a CDN (or alternate file domain) to eliminate this '.
'risk. Using a CDN will also improve performance. See the '.
'guide below for instructions.'))
->addPhabricatorConfig($file_key)
->addLink(
$doc_href,
pht('Configuration Guide: Configuring a File Domain'));
}
}
}

View file

@ -18,31 +18,25 @@ final class PhabricatorSecurityConfigOptions
public function getOptions() {
$support_href = PhabricatorEnv::getDoclink('Give Feedback! Get Support!');
$doc_href = PhabricatorEnv::getDoclink('Configuring a File Domain');
$doc_name = pht('Configuration Guide: Configuring a File Domain');
return array(
$this->newOption('security.alternate-file-domain', 'string', null)
->setLocked(true)
->setSummary(pht('Alternate domain to serve files from.'))
->setDescription(
pht(
"IMPORTANT: By default, Phabricator serves files from the same ".
"domain the application lives on. This is convenient but not ".
"secure: it creates a large class of vulnerabilities which can ".
"not be generally mitigated.\n\n".
"To avoid this, you should configure a second domain in the same ".
"way you have the primary domain configured (i.e., point it at ".
"the same machine and set up the same vhost rules) and provide ".
"it here. For instance, if your primary install is on ".
"'http://www.phabricator-example.com/', you could configure ".
"'http://www.phabricator-files.com/' and specify the entire ".
"domain (with protocol) here. This will enforce that files are ".
"served only from the alternate domain. Ideally, you should use ".
"a completely separate domain name rather than just a different ".
"subdomain.\n\n".
"It is **STRONGLY RECOMMENDED** that you configure this. Your ".
"install is **NOT SECURE** unless you do so."))
->addExample('http://www.phabricator-files.com/', pht('Valid Setting')),
'By default, Phabricator serves files from the same domain '.
'the application is served from. This is convenient, but '.
'presents a security risk.'.
"\n\n".
'You should configure a CDN or alternate file domain to mitigate '.
'this risk. Configuring a CDN will also improve performance. See '.
'[[ %s | %s ]] for instructions.',
$doc_href,
$doc_name))
->addExample('https://files.phabcdn.net/', pht('Valid Setting')),
$this->newOption(
'security.hmac-key',
'string',

View file

@ -193,6 +193,8 @@ Continue by:
@{article:Configuring Accounts and Registration}; or
- understanding advanced configuration topics with
@{article:Configuration User Guide: Advanced Configuration}; or
- configuring an alternate file domain with
@{article:Configuring a File Domain}; or
- configuring a preamble script to set up the environment properly behind a
load balancer, or adjust rate limiting with
@{article:Configuring a Preamble Script}; or

View file

@ -0,0 +1,108 @@
@title Configuring a File Domain
@group config
Setup guide for an alternate file domain or CDN.
Overview
========
Serving files that users upload from the same domain that Phabricator runs on
is a security risk.
In general, doing this creates a risk that users who have permission to upload
files may be able to upload specially crafted files (like Flash or Java
applets) which can execute with domain permissions in some contexts (usually
because of security issues with Flash and Java, but both products have a rich
history of security issues). The attacker can then trick another user into
executing the file and gain access to their session.
The best way to mitigate this threat is to serve files from a separate domain.
For example, if Phabricator is hosted at `https://phabricator.example.com/`,
you can serve files from `https://files.exampleusercontent.com/`.
The alternate file domain should be a completely different domain from your
primary domain, not just a different subdomain. For example, Google uses
`googleusercontent.com`, //not// `usercontent.google.com`.
You can also configure the alternate file domain to serve through a CDN, which
will improve performance.
Approaches
=========
Broadly, you can either choose a CDN service and configure that (which will
also defuse the security risks) or you can configure a second domain with the
same settings as your first domain. A CDN service may be easier to set up and
can improve performance.
| Method | Setup Difficulty | Cost | Notes |
|---|---|---|---|
| AWS CloudFront | Very Easy | Cheap | Recommended |
| CloudFlare | Easy | Free/Cheap | Recommended |
| Self Hosted | Moderate | Free | No CDN unless you're an ops wizard. |
Approach: AWS CloudFront
========
CloudFront is a CDN service that's part of Amazon Web Services. It makes
particular sense to use if you're hosting your install in AWS.
To configure it, set up a new CloudFront distribution which is pointed at
your Phabricator install as an origin (make sure you point it at the primary
domain name of your install, not just a load balancer or instance). You do not
need to set up a new domain name, which makes setup a bit more straightforward.
Once configured, accessing the distribution's domain name should return a
Phabricator error page indicating that Phabricator does not recognize the
domain. If you see this page, it means you've configured things correctly.
Continue to "Configuring Phabricator", below.
Approach: CloudFlare
========
[[ https://cloudflare.net | CloudFlare ]] is a general-purpose CDN service.
To set up CloudFlare, you'll need to register a second domain and go through
their enrollment process to host the alternate domain on their servers. Use a
CNAME record to forward a subdomain to your Phabricator install.
CloudFlare will automatically generate SSL certificates for hosted domains,
which can significantly reduce the cost and complexity of setup.
Once configured, accessing the CNAME-forwarded subdomain should return a
Phabricator error page indicating that Phabricator does not recognize the
domain. If you see this page, it means you've configured things correctly.
Continue to "Configuring Phabricator", below.
Approach: Self Hosted
========
To do this, just set up a second domain exactly like your primary domain is
set up. When setup is complete, visiting the domain should return a Phabricator
error page indicating that Phabricator does not recognize the domain. This
means that you've configured things correctly.
Note that if you use SSL (which you should), you'll also need to get a
certificate for this alternate domain and configure that, too.
You can also configure a self-hosted domain to route through a caching server
to provide some of the performance benefits of a CDN, but this is advanced and
outside the scope of this documentation.
Continue to "Configuring Phabricator", below.
Configuring Phabricator
========
After you've set up a CDN or an alternate domain, configure Phabricator to
recognize the domain. Run this command, providing the domain you have
configured in place of the `<domain>` token. You should include the protocol,
so an example domain might be `https://cdn.phabcdn.net/`.
phabricator/ $ ./bin/config set security.alternate-file-domain <domain>
Phabricator should now serve CSS, JS, images, profile pictures, and user
content through the file domain. You can verify this with "View Source" or
by downloading a file and checking the URL.