Restore the "alternate file domain" setup warning and provide CDN instructions

Summary: Fixes T2380. Fixes T2382. Users should really configure this, but when we had a warning before a lot of users had trouble with it. - Tout performance benefits. - Document easy setup via CDN. - We have an "Ignore" button now for users who really don't care. Test Plan: - Set up `admin.phacility.com` through AWS CloudFront (need a few changes to handle instances to put it on the cluster in general). - Set up `secure.phabricator.com` through CloudFlare (almost; waiting for DNS). Reviewers: btrahan Reviewed By: btrahan Subscribers: chad, epriestley Maniphest Tasks: T2382, T2380 Differential Revision: https://secure.phabricator.com/D11649
2025-01-19 19:21:10 +01:00 · 2015-02-03 11:51:41 -08:00 · 2015-02-03 11:51:41 -08:00 · f96b258302
commit f96b258302
parent 9b65370398
4 changed files with 148 additions and 19 deletions
--- a/src/applications/config/check/PhabricatorSecuritySetupCheck.php
+++ b/src/applications/config/check/PhabricatorSecuritySetupCheck.php
@ -45,5 +45,30 @@ final class PhabricatorSecuritySetupCheck extends PhabricatorSetupCheck {
        ->setMessage($message);
    }

+    $file_key = 'security.alternate-file-domain';
+    $file_domain = PhabricatorEnv::getEnvConfig($file_key);
+    if (!$file_domain) {
+      $doc_href = PhabricatorEnv::getDocLink('Configuring a File Domain');
+
+      $this->newIssue('security.'.$file_key)
+        ->setName(pht('Alternate File Domain Not Configured'))
+        ->setSummary(
+          pht(
+            'Increase security (and improve performance) by configuring '.
+            'a CDN or alternate file domain.'))
+        ->setMessage(
+          pht(
+            'Phabricator is currently configured to serve user uploads '.
+            'directly from the same domain as other content. This is a '.
+            'security risk.'.
+            "\n\n".
+            'Configure a CDN (or alternate file domain) to eliminate this '.
+            'risk. Using a CDN will also improve performance. See the '.
+            'guide below for instructions.'))
+        ->addPhabricatorConfig($file_key)
+        ->addLink(
+          $doc_href,
+          pht('Configuration Guide: Configuring a File Domain'));
+    }
  }
 }
--- a/src/applications/config/option/PhabricatorSecurityConfigOptions.php
+++ b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
@ -18,31 +18,25 @@ final class PhabricatorSecurityConfigOptions
  public function getOptions() {
    $support_href = PhabricatorEnv::getDoclink('Give Feedback! Get Support!');

+    $doc_href = PhabricatorEnv::getDoclink('Configuring a File Domain');
+    $doc_name = pht('Configuration Guide: Configuring a File Domain');
+
    return array(
      $this->newOption('security.alternate-file-domain', 'string', null)
        ->setLocked(true)
        ->setSummary(pht('Alternate domain to serve files from.'))
        ->setDescription(
          pht(
-            "IMPORTANT: By default, Phabricator serves files from the same ".
-            "domain the application lives on. This is convenient but not ".
-            "secure: it creates a large class of vulnerabilities which can ".
-            "not be generally mitigated.\n\n".
-
-            "To avoid this, you should configure a second domain in the same ".
-            "way you have the primary domain configured (i.e., point it at ".
-            "the same machine and set up the same vhost rules) and provide ".
-            "it here. For instance, if your primary install is on ".
-            "'http://www.phabricator-example.com/', you could configure ".
-            "'http://www.phabricator-files.com/' and specify the entire ".
-            "domain (with protocol) here. This will enforce that files are ".
-            "served only from the alternate domain. Ideally, you should use ".
-            "a completely separate domain name rather than just a different ".
-            "subdomain.\n\n".
-
-            "It is **STRONGLY RECOMMENDED** that you configure this. Your ".
-            "install is **NOT SECURE** unless you do so."))
-        ->addExample('http://www.phabricator-files.com/', pht('Valid Setting')),
+            'By default, Phabricator serves files from the same domain '.
+            'the application is served from. This is convenient, but '.
+            'presents a security risk.'.
+            "\n\n".
+            'You should configure a CDN or alternate file domain to mitigate '.
+            'this risk. Configuring a CDN will also improve performance. See '.
+            '[[ %s | %s ]] for instructions.',
+            $doc_href,
+            $doc_name))
+        ->addExample('https://files.phabcdn.net/', pht('Valid Setting')),
      $this->newOption(
        'security.hmac-key',
        'string',
--- a/src/docs/user/configuration/configuration_guide.diviner
+++ b/src/docs/user/configuration/configuration_guide.diviner
@ -193,6 +193,8 @@ Continue by:
    @{article:Configuring Accounts and Registration}; or
  - understanding advanced configuration topics with
    @{article:Configuration User Guide: Advanced Configuration}; or
+  - configuring an alternate file domain with
+    @{article:Configuring a File Domain}; or
  - configuring a preamble script to set up the environment properly behind a
    load balancer, or adjust rate limiting with
    @{article:Configuring a Preamble Script}; or
--- a/src/docs/user/configuration/configuring_file_domain.diviner
+++ b/src/docs/user/configuration/configuring_file_domain.diviner
@ -0,0 +1,108 @@
+@title Configuring a File Domain
+@group config
+
+Setup guide for an alternate file domain or CDN.
+
+Overview
+========
+
+Serving files that users upload from the same domain that Phabricator runs on
+is a security risk.
+
+In general, doing this creates a risk that users who have permission to upload
+files may be able to upload specially crafted files (like Flash or Java
+applets) which can execute with domain permissions in some contexts (usually
+because of security issues with Flash and Java, but both products have a rich
+history of security issues). The attacker can then trick another user into
+executing the file and gain access to their session.
+
+The best way to mitigate this threat is to serve files from a separate domain.
+For example, if Phabricator is hosted at `https://phabricator.example.com/`,
+you can serve files from `https://files.exampleusercontent.com/`.
+
+The alternate file domain should be a completely different domain from your
+primary domain, not just a different subdomain. For example, Google uses
+`googleusercontent.com`, //not// `usercontent.google.com`.
+
+You can also configure the alternate file domain to serve through a CDN, which
+will improve performance.
+
+Approaches
+=========
+
+Broadly, you can either choose a CDN service and configure that (which will
+also defuse the security risks) or you can configure a second domain with the
+same settings as your first domain. A CDN service may be easier to set up and
+can improve performance.
+
+| Method | Setup Difficulty | Cost | Notes |
+|---|---|---|---|
+| AWS CloudFront | Very Easy | Cheap | Recommended |
+| CloudFlare | Easy | Free/Cheap | Recommended |
+| Self Hosted | Moderate | Free | No CDN unless you're an ops wizard. |
+
+Approach: AWS CloudFront
+========
+
+CloudFront is a CDN service that's part of Amazon Web Services. It makes
+particular sense to use if you're hosting your install in AWS.
+
+To configure it, set up a new CloudFront distribution which is pointed at
+your Phabricator install as an origin (make sure you point it at the primary
+domain name of your install, not just a load balancer or instance). You do not
+need to set up a new domain name, which makes setup a bit more straightforward.
+
+Once configured, accessing the distribution's domain name should return a
+Phabricator error page indicating that Phabricator does not recognize the
+domain. If you see this page, it means you've configured things correctly.
+
+Continue to "Configuring Phabricator", below.
+
+Approach: CloudFlare
+========
+
+[[ https://cloudflare.net | CloudFlare ]] is a general-purpose CDN service.
+
+To set up CloudFlare, you'll need to register a second domain and go through
+their enrollment process to host the alternate domain on their servers. Use a
+CNAME record to forward a subdomain to your Phabricator install.
+
+CloudFlare will automatically generate SSL certificates for hosted domains,
+which can significantly reduce the cost and complexity of setup.
+
+Once configured, accessing the CNAME-forwarded subdomain should return a
+Phabricator error page indicating that Phabricator does not recognize the
+domain. If you see this page, it means you've configured things correctly.
+
+Continue to "Configuring Phabricator", below.
+
+Approach: Self Hosted
+========
+
+To do this, just set up a second domain exactly like your primary domain is
+set up. When setup is complete, visiting the domain should return a Phabricator
+error page indicating that Phabricator does not recognize the domain. This
+means that you've configured things correctly.
+
+Note that if you use SSL (which you should), you'll also need to get a
+certificate for this alternate domain and configure that, too.
+
+You can also configure a self-hosted domain to route through a caching server
+to provide some of the performance benefits of a CDN, but this is advanced and
+outside the scope of this documentation.
+
+Continue to "Configuring Phabricator", below.
+
+Configuring Phabricator
+========
+
+After you've set up a CDN or an alternate domain, configure Phabricator to
+recognize the domain. Run this command, providing the domain you have
+configured in place of the `<domain>` token. You should include the protocol,
+so an example domain might be `https://cdn.phabcdn.net/`.
+
+  phabricator/ $ ./bin/config set security.alternate-file-domain <domain>
+
+Phabricator should now serve CSS, JS, images, profile pictures, and user
+content through the file domain. You can verify this with "View Source" or
+by downloading a file and checking the URL.