3 changes: 3 additions & 0 deletions Dockerfile.template
Expand Up @@ -81,6 +81,9 @@ RUN apt-get update -y \
&& mv ${PHP_INI_DIR}/php.ini-production ${PHP_INI_DIR}/php.ini \
&& rm -rf /var/lib/apt/lists/*

COPY apache-deny.conf /etc/apache2/conf-enabled/deny.conf
RUN apache2ctl configtest

# Get Dolibarr
RUN curl -fLSs https://github.com/Dolibarr/dolibarr/archive/${DOLI_VERSION}.tar.gz |\
tar -C /tmp -xz && \
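Review bot: `apache2ctl configtest` on the line after the COPY only proves that deny.conf parses; it cannot catch rules that parse but never match, and every `<FilesMatch>` in the copied file starts its pattern with `/`, which Apache never sees because `<FilesMatch>` is compared against the basename of the requested file. A functional check would catch that class of error: after the Dolibarr extraction step, start httpd during the build (or in CI), plant a dummy `probe.key` under the DocumentRoot and assert that curl gets a 403. Note also that `COPY apache-deny.conf` expects the file beside the Dockerfile, while the per-topic files added under `apache-conf-enabled/` are not referenced by any COPY visible in this diff.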
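--- /dev/null
+++ b/apache-conf-enabled/deny-certificates.conf
@@ -0,0 +1,65 @@
+# Denying different certificate files
+<FilesMatch "/\.cer">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.crt">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.cert">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.pem">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.der">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.key">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.keystore">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.jks">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.p12">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.pcks">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.ca-bundle">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.p7b">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.p7c">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.p7s">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.pfx">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.p8">
+Require all denied
+</FilesMatch>
+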
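Review bot: None of these `<FilesMatch>` blocks can ever match, because Apache compares a `<FilesMatch>` pattern against the file's basename only and every pattern here begins with `/`, so `apache2ctl configtest` passes while `.key` and `.pem` files stay downloadable. Drop the leading slash, anchor on the extension and match case-insensitively, and the sixteen blocks collapse to one: `<FilesMatch "(?i)\.(cer|crt|cert|pem|der|key|keystore|jks|p12|pkcs12|ca-bundle|p7[bcs]|pfx|p8)$">`. `.pcks` in the tenth block looks like a typo for `.pkcs12` (or `.pkcs`), which is worth confirming while the list is being fixed. Keeping a dummy `test.key` under the DocumentRoot and asserting a 403 in CI would catch this kind of silent no-op in future.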
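--- /dev/null
+++ b/apache-conf-enabled/deny-compressed-files.conf
@@ -0,0 +1,25 @@
+# Deny various compression files
+<FilesMatch "/\.gz">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.tgz">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.tar">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.zip">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.bz2">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.rar">
+Require all denied
+</FilesMatch>
+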
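Review bot: These patterns never match: `<FilesMatch>` is evaluated against the basename, which contains no `/`, so the leading `/` in `"/\.gz"` and the other five blocks makes each of them a no-op. Replace them with a single anchored rule, `<FilesMatch "(?i)\.(gz|tgz|tar|zip|bz2|rar)$">`. Once the rule works it will also deny pre-compressed static assets such as `app.js.gz` if mod_deflate/AddEncoding is ever used to serve them, so a one-line comment saying that is intended (or excluding that case) would save a future debugging session.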
9 changes: 9 additions & 0 deletions apache-conf-enabled/deny-csv.conf

Denying MS Office, Libre Office, or even CSV might be a bad idea, as most companies rely on those types of documents


@cibero42

Yes, but I do not think these files are served directly by Apache as static files; I think they are served through PHP, because otherwise Dolibarr could not apply its access control to them.

How do we figure out? Well, we test it, and we test it all the places that we download files in Dolibarr.

Examples

EXPORT  /document.php?modulepart=export&file=export_adherent_1.csv&entity=1
DOCUMENTS    /document.php?modulepart=ecm&attachment=1&file=Manuals%2Finvitational_brutto_liste.ods
ORDER PDF      /document.php?hashp=********************

Claim all files in Dolibarr are downloaded through document.php not through apache, and thus we can easily without issues ban any other file than .php and .html files


Hey Jon,

Thanks for the explanation! If that's the case, it's better to include other MS Office and LibreOffice formats, no?

If you prefer, I can try to find a comprehensive list for you and post here...

@@ -0,0 +1,9 @@
# Denying Spreadsheet files
<FilesMatch "/\.csv">
Require all denied
</FilesMatch>

<FilesMatch "/\.xls">
Require all denied
</FilesMatch>

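Review bot: `"/\.csv"` and `"/\.xls"` cannot match a basename, so both blocks are dead until the leading `/` is removed. When fixing them, decide explicitly whether `.xlsx`/`.xlsm` are meant to be covered: an unanchored `\.xls` would match them as a side effect, whereas `<FilesMatch "(?i)\.(csv|xls)$">` denies only the two extensions the comment names. Either way, list the extensions explicitly so the intent is visible in the rule rather than implied by the regex.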
5 changes: 5 additions & 0 deletions apache-conf-enabled/deny-doc.conf

Denying MS Office, Libre Office, or even CSV might be a bad idea, as most companies rely on those types of documents

@@ -0,0 +1,5 @@
# Denying word files
<FilesMatch "/\.doc">
Require all denied
</FilesMatch>

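Review bot: `"/\.doc"` never matches because `<FilesMatch>` sees only the basename; the working form is `<FilesMatch "(?i)\.doc$">`. Without the `$` anchor the fixed pattern would also deny `.docx`, `.docm` and `.dot`, so the comment should state which of those are meant to be denied and the rule should list them, e.g. `\.(doc|docx)$`.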
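--- /dev/null
+++ b/apache-conf-enabled/deny-dolibarr-conf.conf
@@ -0,0 +1,9 @@
+# Deny dolibarr configuration file
+<DirectoryMatch "/conf/">
+Require all denied
+</DirectoryMatch>
+
+<FilesMatch "/conf\.php">
+Require all denied
+</FilesMatch>
+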
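Review bot: The `<FilesMatch "/conf\.php">` block on the last three lines is dead — `<FilesMatch>` matches the basename, which never contains `/` — so only the `<DirectoryMatch "/conf/">` above it is doing any work. `<FilesMatch "^conf\.php">` fixes it and, being unanchored at the end, also covers `conf.php.example` or a stray `conf.php.bak` wherever they sit. Be aware that `DirectoryMatch "/conf/"` applies to any path segment named `conf` under any DocumentRoot on this server, including bundled third-party libraries; that is probably acceptable but deserves a comment.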
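--- /dev/null
+++ b/apache-conf-enabled/deny-dolibarr-langs.conf
@@ -0,0 +1,9 @@
+# Deny Dolibarr language files
+<DirectoryMatch "/langs/">
+Require all denied
+</DirectoryMatch>
+
+<FilesMatch "/\.lang">
+Require all denied
+</FilesMatch>
+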
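Review bot: `<FilesMatch "/\.lang">` cannot match a basename and should be `<FilesMatch "\.lang$">`; the `<DirectoryMatch "/langs/">` above it works as written. If Dolibarr keeps its translations under a `langs/` directory as the comment implies, the directory rule already covers them and the file rule is what protects `.lang` files shipped elsewhere, so it is worth fixing rather than dropping.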
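--- /dev/null
+++ b/apache-conf-enabled/deny-dotfiles.conf
@@ -0,0 +1,5 @@
+# Denying . files
+<FilesMatch "/^\.">
+Require all denied
+</FilesMatch>
+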
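Review bot: `"/^\."` is a regex no string can satisfy — `^` after a literal `/` demands the start of the string one character in, and `<FilesMatch>` never sees a `/` in the basename anyway — so dotfiles remain downloadable. The intended rule is `<FilesMatch "^\.">`. Once it works it subsumes Apache's default `^\.ht` rule and any `.git*` file rule elsewhere in this set; it does not affect directories such as `.well-known`, because `<FilesMatch>` matches file names, only files inside them that themselves begin with a dot.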
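--- /dev/null
+++ b/apache-conf-enabled/deny-git.conf
@@ -0,0 +1,9 @@
+# Deny git repositories and files
+<DirectoryMatch "/\.git">
+Require all denied
+</DirectoryMatch>
+
+<FilesMatch "/^\.git">
+Require all denied
+</FilesMatch>
+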
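Review bot: The `<FilesMatch "/^\.git">` block is unmatchable for two reasons — the pattern is compared against the basename, which has no `/`, and `^` cannot follow a literal character — so loose `.gitignore`/`.gitattributes` files are not denied; `<FilesMatch "^\.git">` is the working form. The `<DirectoryMatch "/\.git">` block is correct and is the one that stops `.git/config` and object downloads, which is the source-disclosure case that matters most.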
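--- /dev/null
+++ b/apache-conf-enabled/deny-json.conf
@@ -0,0 +1,5 @@
+# Deny JSON files
+<FilesMatch "/\.json">
+Require all denied
+</FilesMatch>
+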
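Review bot: `"/\.json"` never matches a basename; `<FilesMatch "\.json$">` is the working form. Before enabling it, check that nothing under the DocumentRoot fetches `.json` from the browser at runtime (bundled JS libraries sometimes load locale or config JSON), since a blanket 403 on the extension would break those silently. If the real targets are manifests such as `composer.json`/`package.json`, naming them explicitly is safer than denying the whole extension.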
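--- /dev/null
+++ b/apache-conf-enabled/deny-sql.conf
@@ -0,0 +1,5 @@
+# Denying Database files
+<FilesMatch "/\.sql">
+Require all denied
+</FilesMatch>
+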
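Review bot: `"/\.sql"` cannot match a basename; use `<FilesMatch "(?i)\.sql$">` so uppercase `.SQL` dumps are caught too. If the goal is to hide the schema shipped with the installer, a directory-level rule for the install tree (or Dolibarr's `install.lock` mechanism, if this image sets it) protects the installer's PHP as well as its SQL, which a per-extension rule cannot.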
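--- /dev/null
+++ b/apache-conf-enabled/deny-svn.conf
@@ -0,0 +1,5 @@
+# Denying subversion because it was mentioned in the security.conf file that came with the container image
+<DirectoryMatch "/\.svn">
+Require all denied
+</DirectoryMatch>
+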
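Review bot: This is the one rule in the set that is correct as written, because `<DirectoryMatch>` is matched against the full path; the comment, though, gives a reference instead of a reason. Suggest `# Deny .svn metadata: a checked-out working copy would otherwise expose the full source and history`. If the image never contains a Subversion checkout the rule is harmless defence in depth and can stay.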
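--- /dev/null
+++ b/apache-conf-enabled/deny-xml.conf
@@ -0,0 +1,5 @@
+# Denying XML files
+<FilesMatch "/\.xml">
+Require all denied
+</FilesMatch>
+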
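Review bot: `"/\.xml"` never matches a basename; the working rule is `<FilesMatch "\.xml$">`. A blanket deny on XML also blocks legitimately public files such as `sitemap.xml`, `browserconfig.xml` or OpenSearch descriptors if the site ever serves them, so either scope the rule to the directories that hold configuration or add a comment recording that no public XML is expected.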
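--- /dev/null
+++ b/apache-conf-enabled/deny-yml.conf
@@ -0,0 +1,5 @@
+# Denying Yaml files
+<FilesMatch "/\.yml">
+Require all denied
+</FilesMatch>
+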
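Review bot: `"/\.yml"` cannot match a basename, and the rule also misses the equally common `.yaml` spelling; `<FilesMatch "\.ya?ml$">` covers both. The comment should say "YAML" and list both spellings so the next reader does not re-add a separate `.yaml` block.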
3 changes: 3 additions & 0 deletions images/15.0.3-php7.4/Dockerfile
Expand Up @@ -81,6 +81,9 @@ RUN apt-get update -y \
&& mv ${PHP_INI_DIR}/php.ini-production ${PHP_INI_DIR}/php.ini \
&& rm -rf /var/lib/apt/lists/*

COPY apache-deny.conf /etc/apache2/conf-enabled/deny.conf
RUN apache2ctl configtest

# Get Dolibarr
RUN curl -fLSs https://github.com/Dolibarr/dolibarr/archive/${DOLI_VERSION}.tar.gz |\
tar -C /tmp -xz && \
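Review bot: These three lines and the `apache-deny.conf` they copy are a second hand-maintained copy of what `Dockerfile.template` adds, so the two will drift the next time a rule changes; if the per-image Dockerfiles are generated from the template that is fine, but nothing in this diff shows the generation step. Consider copying the rule directory as a unit, `COPY apache-conf-enabled/ /etc/apache2/conf-enabled/`, so one set of rule files serves every image and the split files added in this PR are actually used.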
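--- /dev/null
+++ b/images/15.0.3-php7.4/apache-deny.conf
@@ -0,0 +1,161 @@
+# Denying different certificate files
+<FilesMatch "/\.cer">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.crt">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.cert">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.pem">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.der">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.key">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.keystore">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.jks">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.p12">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.pcks">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.ca-bundle">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.p7b">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.p7c">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.p7s">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.pfx">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.p8">
+Require all denied
+</FilesMatch>
+
+# Deny various compression files
+<FilesMatch "/\.gz">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.tgz">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.tar">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.zip">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.bz2">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.rar">
+Require all denied
+</FilesMatch>
+
+# Denying Spreadsheet files
+<FilesMatch "/\.csv">
+Require all denied
+</FilesMatch>
+
+<FilesMatch "/\.xls">
+Require all denied
+</FilesMatch>
+
+# Denying word files
+<FilesMatch "/\.doc">
+Require all denied
+</FilesMatch>
+
+# Deny dolibarr configuration file
+<DirectoryMatch "/conf/">
+Require all denied
+</DirectoryMatch>
+
+<FilesMatch "/conf\.php">
+Require all denied
+</FilesMatch>
+
+# Deny Dolibarr language files
+<DirectoryMatch "/langs/">
+Require all denied
+</DirectoryMatch>
+
+<FilesMatch "/\.lang">
+Require all denied
+</FilesMatch>
+
+# Denying . files
+<FilesMatch "/^\.">
+Require all denied
+</FilesMatch>
+
+# Deny git repositories and files
+<DirectoryMatch "/\.git">
+Require all denied
+</DirectoryMatch>
+
+<FilesMatch "/^\.git">
+Require all denied
+</FilesMatch>
+
+# Deny JSON files
+<FilesMatch "/\.json">
+Require all denied
+</FilesMatch>
+
+# Denying Database files
+<FilesMatch "/\.sql">
+Require all denied
+</FilesMatch>
+
+# Denying subversion because it was mentioned in the security.conf file that came with the container image
+<DirectoryMatch "/\.svn">
+Require all denied
+</DirectoryMatch>
+
+# Denying XML files
+<FilesMatch "/\.xml">
+Require all denied
+</FilesMatch>
+
+# Denying Yaml files
+<FilesMatch "/\.yml">
+Require all denied
+</FilesMatch>
+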
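Review bot: Every `<FilesMatch>` block in this file is a no-op: Apache evaluates `<FilesMatch>` against the basename of the requested file, which never contains `/`, and each pattern here starts with `/` (the dotfile and `.git` rules additionally put `^` after that slash, which no string can satisfy). `apache2ctl configtest` accepts the file because it is syntactically fine, so in the built image only the four `<DirectoryMatch>` blocks actually deny anything. The fix is to drop the leading slash, anchor on the extension and collapse the repeated blocks into a few alternations as below, adding `(?i)` where uppercase extensions are plausible. `.pcks` is most likely a typo for `.pkcs12`, and the unanchored `\.xls`/`\.doc` would have matched `.xlsx`/`.docx` as well, so list those explicitly if they are meant to be denied.
```apache
# FilesMatch is compared against the basename only, so patterns must not
# start with "/"; anchor on the extension and match case-insensitively.
<FilesMatch "(?i)\.(cer|crt|cert|pem|der|key|keystore|jks|p12|pkcs12|ca-bundle|p7[bcs]|pfx|p8)$">
    Require all denied
</FilesMatch>

<FilesMatch "(?i)\.(gz|tgz|tar|zip|bz2|rar)$">
    Require all denied
</FilesMatch>

<FilesMatch "(?i)\.(csv|xls|doc)$">
    Require all denied
</FilesMatch>

# … unchanged: <DirectoryMatch "/conf/">, "/langs/", "/\.git", "/\.svn" blocks …

# conf.php plus conf.php.example / conf.php.bak style copies
<FilesMatch "^conf\.php">
    Require all denied
</FilesMatch>

<FilesMatch "(?i)\.(lang|json|sql|xml|ya?ml)$">
    Require all denied
</FilesMatch>

# Any dotfile (.git*, .env, .htaccess, ...)
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```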
3 changes: 3 additions & 0 deletions images/16.0.5-php8.1/Dockerfile
Expand Up @@ -81,6 +81,9 @@ RUN apt-get update -y \
&& mv ${PHP_INI_DIR}/php.ini-production ${PHP_INI_DIR}/php.ini \
&& rm -rf /var/lib/apt/lists/*

COPY apache-deny.conf /etc/apache2/conf-enabled/deny.conf
RUN apache2ctl configtest

# Get Dolibarr
RUN curl -fLSs https://github.com/Dolibarr/dolibarr/archive/${DOLI_VERSION}.tar.gz |\
tar -C /tmp -xz && \