Commit 23281f75 authored by omega8cc's avatar omega8cc

Nginx: Use cloaked database credentials.

parent 7a86f476
......@@ -20,8 +20,8 @@ print '<?php' ?>
<?php if ($this->cloaked): ?>
if (isset($_SERVER['db_name'])) {
/**
* The database credentials are stored in the Apache vhost config
* of the associated site with SetEnv parameters.
* The database credentials are stored in the Apache or Nginx vhost config
* of the associated site with SetEnv (fastcgi_param in Nginx) parameters.
* They are called here with $_SERVER environment variables to
* prevent sensitive data from leaking to site administrators
* with PHP access, that potentially might be of other sites in
......
......@@ -23,6 +23,12 @@ server {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
fastcgi_param db_type <?php print urlencode($db_type); ?>;
fastcgi_param db_name <?php print urlencode($db_name); ?>;
fastcgi_param db_user <?php print urlencode($db_user); ?>;
fastcgi_param db_passwd <?php print urlencode($db_passwd); ?>;
fastcgi_param db_host <?php print urlencode($db_host); ?>;
fastcgi_param db_port <?php print urlencode($db_port); ?>;
limit_conn gulag 32; # like mod_evasive - this allows max 32 simultaneous connections from one IP address
listen <?php print "{$ip_address}:{$http_ssl_port}"; ?>;
server_name <?php print $this->uri; ?><?php if (!$this->redirection && is_array($this->aliases)) : foreach ($this->aliases as $alias_url) : if (trim($alias_url)) : ?> <?php print $alias_url; ?><?php endif; endforeach; endif; ?>;
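Review bot: The six new `fastcgi_param db_*` lines are emitted unconditionally, whereas the settings.php side only reads them inside `<?php if ($this->cloaked): ?>`; if this template can be rendered for a site whose `$db_*` variables are unset, PHP notices would be printed into the generated nginx config, so a matching guard such as `<?php if ($this->cloaked): ?>` … `<?php endif; ?>` around the block would keep the two templates consistent (assuming a `cloaked` value is available here). urlencode() is a sound quoting choice for nginx config syntax (it neutralises `;`, whitespace, quotes and `$`), but it only works if the consuming settings.php applies urldecode() to each `$_SERVER['db_*']` value, otherwise passwords containing such characters break; verify that the existing Apache/SetEnv path already decodes. Once the values live in the vhost file, the secret's protection depends on that file's ownership and mode rather than on settings.php, so the generated vhost must not be group- or world-readable. The same block is added to the plain-HTTP template in the next hunk (`@@ -24,6 +24,12 @@`).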
......
......@@ -24,6 +24,12 @@ if ($ssl_redirection || $this->redirection) {
server {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param db_type <?php print urlencode($db_type); ?>;
fastcgi_param db_name <?php print urlencode($db_name); ?>;
fastcgi_param db_user <?php print urlencode($db_user); ?>;
fastcgi_param db_passwd <?php print urlencode($db_passwd); ?>;
fastcgi_param db_host <?php print urlencode($db_host); ?>;
fastcgi_param db_port <?php print urlencode($db_port); ?>;
limit_conn gulag 32; # like mod_evasive - this allows max 32 simultaneous connections from one IP address
listen *:<?php print $http_port; ?>;
server_name <?php
......
......@@ -8,6 +8,10 @@ class Provision_Service_http_nginx extends Provision_Service_http_public {
return Provision_Service_http_nginx::nginx_restart_cmd();
}
function cloaked_db_creds() {
return TRUE;
}
function init_server() {
parent::init_server();
$this->configs['server'][] = 'Provision_Config_Nginx_Server';
......@@ -16,7 +20,7 @@ class Provision_Service_http_nginx extends Provision_Service_http_public {
$this->server->setProperty('nginx_config_mode', 'extended');
$this->server->setProperty('nginx_is_modern', FALSE);
$this->server->setProperty('nginx_has_gzip', FALSE);
$this->server->setProperty('provision_db_cloaking', FALSE);
$this->server->setProperty('provision_db_cloaking', TRUE);
}
function save_server() {
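Review bot: The new `cloaked_db_creds()` has no docblock and hard-codes TRUE while `provision_db_cloaking` is separately set to TRUE in `init_server()` a few lines below, so the two can drift apart; the identical pair is added to `Provision_Service_http_nginx_ssl` in the following hunks. A one-line docblock would make the intent clear: `/** Nginx passes the database credentials as fastcgi_param values instead of writing them into settings.php. */`. It looks like an override of a parent method (the base class is outside the hunk); if so, a short note that nginx always cloaks, presumably because the nginx vhost templates in this commit always emit the fastcgi_param lines, tells the next maintainer the constant return is deliberate. The enclosing class continues outside the hunk.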
......
......@@ -21,6 +21,10 @@ class Provision_Service_http_nginx_ssl extends Provision_Service_http_ssl {
public $ssl_enabled = TRUE;
function cloaked_db_creds() {
return TRUE;
}
/**
* Initialize the configuration files.
*
......@@ -35,7 +39,7 @@ class Provision_Service_http_nginx_ssl extends Provision_Service_http_ssl {
$this->server->setProperty('nginx_config_mode', 'extended');
$this->server->setProperty('nginx_is_modern', FALSE);
$this->server->setProperty('nginx_has_gzip', FALSE);
$this->server->setProperty('provision_db_cloaking', FALSE);
$this->server->setProperty('provision_db_cloaking', TRUE);
}
function save_server() {
......