NGINX / Apache2 Hybrid Server - RewriteRule ^content/(.*) index.php [L] Not working

mactedder · November 29, 2023, 10:48am

I am just launching a Kirby site on our Runcloud hosting - The hosting is setup on a NGINX/Apache2 Hybrid stack (Allows .htaccess to be used).

My Kirby panel warns me my content folder is exposed even though I have all the default Kirby .htaccess settings including RewriteRule ^content/(.*) index.php [L]

Any ideas why this would not be working?

jimbobrjames · November 29, 2023, 1:26pm

Its because everythings in the web root, ie the public or www or whatever your host has called it. If your host allows you to you, you can place those folders outside of the public area which increases security.

See here:

mactedder · November 29, 2023, 1:32pm

I thought the above code should still work though?

mactedder · December 2, 2023, 10:53am

Still looking for a solution to this one. Anyone?

Adspectus · December 2, 2023, 11:34am

How does this look like and where does it come from? I have Apache with a standard Kirby setup and never see such warning. Knowing the source where this warning is triggered might help finding the reason.

texnixe · December 2, 2023, 11:45am

Kirby checks the following urls to determine if any of the folders is exposed.

yourdomain/content/site.txt
yourdomain/kirby/composer.json
yourdomain/.git/config
yourdomain/site/blueprints/site.yml

Please check what responses you get for them. Maybe you have a redirect in place somewhere that causes this, returning a 302 instead of a 404.

mactedder · December 3, 2023, 3:54pm

I can see the site.txt file when I check.

I have the default Kirby .htaccess file and have not changed any settings.

I am not sure why the is is viewable still, and giving me the warning in the panel settings.

Adspectus · December 3, 2023, 4:51pm

Maybe you need to dive deeper into the settings of your provider. Citing their docs:

By using this stack, your static files (eg: css,js,images,fonts) will be served by NGINX. If it is PHP, NGINX will pass it to Apache2 and the request will be passed to PHP-FPM.

For me, this means that requests for static files will not be served by Apache and thus no evaluation of its .htaccess rules. The rules therein will only be taken into account if .php files are requested. However, the sense of Kirby’s .htaccess file is to redirect all requests pertaining to any file in the site, kirby or content folder to the main index.php which serves as a dispatcher.

mactedder · December 3, 2023, 7:01pm

Thanks for the reply. I have just had the same response from Runcloud support.

“it’s because you are on a Hybrid stack in which the static files like TXT, HTML etc are handled by the Nginx and not by the Apache.”

mactedder · December 3, 2023, 8:00pm

I have added a NGINX Config file as follows which seems to have done the trick, but doesnt target the ‘Content’ folder specifically.:

location ~ \.txt$ {
        # Deny access to all .txt files
        deny all;
        return 404;
        }

Is this okay - Does anyone know enough about NGINX for how to be more specific?

Topic		Replies	Views
Nginx Settings to Block Conent/Kirby/Site Folder Kirby 3	2	253	December 2, 2022
Serving static folders (pass through routing) Solved ✅	7	1194	September 3, 2018
Kirby .htaccess on VPS Solved ✅	12	2901	November 23, 2015
Kirby 2.3 show files in my directory? Solved ✅	30	2015	February 10, 2017
Security: Check your RewriteBase settings Articles	14	4622	June 8, 2016

NGINX / Apache2 Hybrid Server - RewriteRule ^content/(.*) index.php [L] Not working

Related Topics