@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Restore the "alternate file domain" setup warning and provide CDN instructions

Summary:
Fixes T2380. Fixes T2382. Users should really configure this, but when we had a warning before a lot of users had trouble with it.

- Tout performance benefits.
- Document easy setup via CDN.
- We have an "Ignore" button now for users who really don't care.

Test Plan:
- Set up `admin.phacility.com` through AWS CloudFront (need a few changes to handle instances to put it on the cluster in general).
- Set up `secure.phabricator.com` through CloudFlare (almost; waiting for DNS).

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: chad, epriestley

Maniphest Tasks: T2382, T2380

Differential Revision: https://secure.phabricator.com/D11649

+148 -19
+25
src/applications/config/check/PhabricatorSecuritySetupCheck.php
··· 45 45 ->setMessage($message); 46 46 } 47 47 48 + $file_key = 'security.alternate-file-domain'; 49 + $file_domain = PhabricatorEnv::getEnvConfig($file_key); 50 + if (!$file_domain) { 51 + $doc_href = PhabricatorEnv::getDocLink('Configuring a File Domain'); 52 + 53 + $this->newIssue('security.'.$file_key) 54 + ->setName(pht('Alternate File Domain Not Configured')) 55 + ->setSummary( 56 + pht( 57 + 'Increase security (and improve performance) by configuring '. 58 + 'a CDN or alternate file domain.')) 59 + ->setMessage( 60 + pht( 61 + 'Phabricator is currently configured to serve user uploads '. 62 + 'directly from the same domain as other content. This is a '. 63 + 'security risk.'. 64 + "\n\n". 65 + 'Configure a CDN (or alternate file domain) to eliminate this '. 66 + 'risk. Using a CDN will also improve performance. See the '. 67 + 'guide below for instructions.')) 68 + ->addPhabricatorConfig($file_key) 69 + ->addLink( 70 + $doc_href, 71 + pht('Configuration Guide: Configuring a File Domain')); 72 + } 48 73 } 49 74 }
+13 -19
src/applications/config/option/PhabricatorSecurityConfigOptions.php
··· 18 18 public function getOptions() { 19 19 $support_href = PhabricatorEnv::getDoclink('Give Feedback! Get Support!'); 20 20 21 + $doc_href = PhabricatorEnv::getDoclink('Configuring a File Domain'); 22 + $doc_name = pht('Configuration Guide: Configuring a File Domain'); 23 + 21 24 return array( 22 25 $this->newOption('security.alternate-file-domain', 'string', null) 23 26 ->setLocked(true) 24 27 ->setSummary(pht('Alternate domain to serve files from.')) 25 28 ->setDescription( 26 29 pht( 27 - "IMPORTANT: By default, Phabricator serves files from the same ". 28 - "domain the application lives on. This is convenient but not ". 29 - "secure: it creates a large class of vulnerabilities which can ". 30 - "not be generally mitigated.\n\n". 31 - 32 - "To avoid this, you should configure a second domain in the same ". 33 - "way you have the primary domain configured (i.e., point it at ". 34 - "the same machine and set up the same vhost rules) and provide ". 35 - "it here. For instance, if your primary install is on ". 36 - "'http://www.phabricator-example.com/', you could configure ". 37 - "'http://www.phabricator-files.com/' and specify the entire ". 38 - "domain (with protocol) here. This will enforce that files are ". 39 - "served only from the alternate domain. Ideally, you should use ". 40 - "a completely separate domain name rather than just a different ". 41 - "subdomain.\n\n". 42 - 43 - "It is **STRONGLY RECOMMENDED** that you configure this. Your ". 44 - "install is **NOT SECURE** unless you do so.")) 45 - ->addExample('http://www.phabricator-files.com/', pht('Valid Setting')), 30 + 'By default, Phabricator serves files from the same domain '. 31 + 'the application is served from. This is convenient, but '. 32 + 'presents a security risk.'. 33 + "\n\n". 34 + 'You should configure a CDN or alternate file domain to mitigate '. 35 + 'this risk. Configuring a CDN will also improve performance. See '. 36 + '[[ %s | %s ]] for instructions.', 37 + $doc_href, 38 + $doc_name)) 39 + ->addExample('https://files.phabcdn.net/', pht('Valid Setting')), 46 40 $this->newOption( 47 41 'security.hmac-key', 48 42 'string',
+2
src/docs/user/configuration/configuration_guide.diviner
··· 193 193 @{article:Configuring Accounts and Registration}; or 194 194 - understanding advanced configuration topics with 195 195 @{article:Configuration User Guide: Advanced Configuration}; or 196 + - configuring an alternate file domain with 197 + @{article:Configuring a File Domain}; or 196 198 - configuring a preamble script to set up the environment properly behind a 197 199 load balancer, or adjust rate limiting with 198 200 @{article:Configuring a Preamble Script}; or
+108
src/docs/user/configuration/configuring_file_domain.diviner
··· 1 + @title Configuring a File Domain 2 + @group config 3 + 4 + Setup guide for an alternate file domain or CDN. 5 + 6 + Overview 7 + ======== 8 + 9 + Serving files that users upload from the same domain that Phabricator runs on 10 + is a security risk. 11 + 12 + In general, doing this creates a risk that users who have permission to upload 13 + files may be able to upload specially crafted files (like Flash or Java 14 + applets) which can execute with domain permissions in some contexts (usually 15 + because of security issues with Flash and Java, but both products have a rich 16 + history of security issues). The attacker can then trick another user into 17 + executing the file and gain access to their session. 18 + 19 + The best way to mitigate this threat is to serve files from a separate domain. 20 + For example, if Phabricator is hosted at `https://phabricator.example.com/`, 21 + you can serve files from `https://files.exampleusercontent.com/`. 22 + 23 + The alternate file domain should be a completely different domain from your 24 + primary domain, not just a different subdomain. For example, Google uses 25 + `googleusercontent.com`, //not// `usercontent.google.com`. 26 + 27 + You can also configure the alternate file domain to serve through a CDN, which 28 + will improve performance. 29 + 30 + Approaches 31 + ========= 32 + 33 + Broadly, you can either choose a CDN service and configure that (which will 34 + also defuse the security risks) or you can configure a second domain with the 35 + same settings as your first domain. A CDN service may be easier to set up and 36 + can improve performance. 37 + 38 + | Method | Setup Difficulty | Cost | Notes | 39 + |---|---|---|---| 40 + | AWS CloudFront | Very Easy | Cheap | Recommended | 41 + | CloudFlare | Easy | Free/Cheap | Recommended | 42 + | Self Hosted | Moderate | Free | No CDN unless you're an ops wizard. | 43 + 44 + Approach: AWS CloudFront 45 + ======== 46 + 47 + CloudFront is a CDN service that's part of Amazon Web Services. It makes 48 + particular sense to use if you're hosting your install in AWS. 49 + 50 + To configure it, set up a new CloudFront distribution which is pointed at 51 + your Phabricator install as an origin (make sure you point it at the primary 52 + domain name of your install, not just a load balancer or instance). You do not 53 + need to set up a new domain name, which makes setup a bit more straightforward. 54 + 55 + Once configured, accessing the distribution's domain name should return a 56 + Phabricator error page indicating that Phabricator does not recognize the 57 + domain. If you see this page, it means you've configured things correctly. 58 + 59 + Continue to "Configuring Phabricator", below. 60 + 61 + Approach: CloudFlare 62 + ======== 63 + 64 + [[ https://cloudflare.net | CloudFlare ]] is a general-purpose CDN service. 65 + 66 + To set up CloudFlare, you'll need to register a second domain and go through 67 + their enrollment process to host the alternate domain on their servers. Use a 68 + CNAME record to forward a subdomain to your Phabricator install. 69 + 70 + CloudFlare will automatically generate SSL certificates for hosted domains, 71 + which can significantly reduce the cost and complexity of setup. 72 + 73 + Once configured, accessing the CNAME-forwarded subdomain should return a 74 + Phabricator error page indicating that Phabricator does not recognize the 75 + domain. If you see this page, it means you've configured things correctly. 76 + 77 + Continue to "Configuring Phabricator", below. 78 + 79 + Approach: Self Hosted 80 + ======== 81 + 82 + To do this, just set up a second domain exactly like your primary domain is 83 + set up. When setup is complete, visiting the domain should return a Phabricator 84 + error page indicating that Phabricator does not recognize the domain. This 85 + means that you've configured things correctly. 86 + 87 + Note that if you use SSL (which you should), you'll also need to get a 88 + certificate for this alternate domain and configure that, too. 89 + 90 + You can also configure a self-hosted domain to route through a caching server 91 + to provide some of the performance benefits of a CDN, but this is advanced and 92 + outside the scope of this documentation. 93 + 94 + Continue to "Configuring Phabricator", below. 95 + 96 + Configuring Phabricator 97 + ======== 98 + 99 + After you've set up a CDN or an alternate domain, configure Phabricator to 100 + recognize the domain. Run this command, providing the domain you have 101 + configured in place of the `<domain>` token. You should include the protocol, 102 + so an example domain might be `https://cdn.phabcdn.net/`. 103 + 104 + phabricator/ $ ./bin/config set security.alternate-file-domain <domain> 105 + 106 + Phabricator should now serve CSS, JS, images, profile pictures, and user 107 + content through the file domain. You can verify this with "View Source" or 108 + by downloading a file and checking the URL.