
feat: disable the setup route by default for nginx #39228


Open: wants to merge 4 commits into base 2.4-develop

Conversation

@SamJUK commented Sep 30, 2024

Description (*)

Add access control to the /setup/ route within the default nginx configuration.
With a default of deny all.

Fixed Issues (if relevant)

  1. Closes: Magento Version exposure via Setup route with default Nginx Configuration #39227

Manual testing scenarios (*)

Test on BOTH a new uninstantiated instance, as well as a preinstalled instance.

  1. Navigate to /setup/ expect to see a 403/401 error
  2. Add your IP Address to the nginx config & reload
  3. Navigate to /setup/ expect to see the setup page.

Questions or comments

Happy for this to be closed another way (e.g. removal of the route altogether).

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)
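The nginx side of the change described in this PR, written here as an added example for this page (it is not the PR's own diff, which is not shown above): a `location` block for `/setup/` in the style of Magento's nginx.conf.sample that denies everyone by default and admits only an explicit allow list, which is the "default of deny all" plus "add your IP address and reload" flow from the manual testing scenario. The `server_name`, the `$MAGE_ROOT` path, the `fastcgi_backend` upstream and the allow-listed addresses are placeholders.

```nginx
# Added example, not the PR's own diff. Placeholders: server_name, $MAGE_ROOT,
# the fastcgi_backend socket and the allow-listed addresses (RFC 5737 test ranges).
upstream fastcgi_backend {
    server unix:/run/php/php-fpm.sock;      # placeholder PHP-FPM socket
}

server {
    listen 80;
    server_name example.invalid;            # placeholder
    set $MAGE_ROOT /var/www/html/magento2;  # placeholder
    root $MAGE_ROOT/pub;

    # Setup wizard: closed to everyone unless an 'allow' matches first.
    # nginx evaluates allow/deny in order and stops at the first match,
    # so the allow lines must come before 'deny all'.
    location ~* ^/setup($|/) {
        allow 192.0.2.10;          # placeholder: the operator's address during installation
        # allow 203.0.113.0/24;    # placeholder: uncomment for an office range
        deny  all;                 # everyone else receives HTTP 403

        root $MAGE_ROOT;
        # Nested locations inherit the access rules above unless they define their own.
        location ~ ^/setup/index.php {
            fastcgi_pass   fastcgi_backend;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
        location ~ ^/setup/pub/ {
            add_header X-Frame-Options "SAMEORIGIN";
        }
        location ~ ^/setup/(?!pub/). {
            deny all;              # nothing else under setup/ is served as a file
        }
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    # Remaining Magento locations (static, media, php-fpm) omitted here.
}
```

Checking the change follows the PR's own test steps: from an address that is not allow-listed, `curl -s -o /dev/null -w '%{http_code}' https://<host>/setup/` should print `403` (nginx `deny` answers 403, not 401), and after adding that address to an `allow` line and running `nginx -s reload` the same request should return the setup page. Two caveats a deployer should keep in mind: `allow`/`deny` compare against `$remote_addr`, so behind a load balancer or CDN every request appears to come from the proxy and the allow list either blocks everyone or, if the proxy's address is allowed, admits everyone; in that layout the real client address must first be recovered with the realip module (`set_real_ip_from` limited to the trusted proxy addresses, plus `real_ip_header`). For Apache hosts, which this PR later addresses via `setup/.htaccess`, the 2.4 equivalent of `deny all` is `Require all denied`.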

m2-assistant bot commented Sep 30, 2024

Hi @SamJUK. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.


For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

@engcom-Hotel engcom-Hotel added the Priority: P2 A defect with this priority could have functionality issues which are not to expectations. label Oct 1, 2024
@SamJUK (Author) commented Oct 11, 2024

@magento run all tests

@engcom-Charlie engcom-Charlie added the Project: Community Picked PRs upvoted by the community label May 13, 2025
@engcom-Charlie engcom-Charlie moved this to Pending Review in Community Dashboard May 13, 2025
@engcom-Hotel (Contributor) commented:

@magento run all tests

@engcom-Hotel engcom-Hotel moved this from Pending Review to Review in Progress in Community Dashboard May 14, 2025
@engcom-Hotel engcom-Hotel self-requested a review May 14, 2025 04:46
@engcom-Hotel (Contributor) left a review comment:

Hello @SamJUK,

Thank you for your contribution!

The changes look good for Nginx users. However, I have noticed that this issue is also reproducible for Apache users. For consistency, could we also address this issue for Apache users?

Although there is no sample file for Apache as there is for Nginx, could we consider providing a fix or suggestion for Apache users when creating a virtual host for their Magento instance?

Thank you.

@SamJUK (Author) commented May 14, 2025

@engcom-Hotel

I am not overly familiar with Apache, but I've pushed a change to the setup/.htaccess file, which aligns with how the access control is implemented for the app / var folders and should cover Apache on default installs.

@engcom-Hotel (Contributor) commented:

@magento run all tests

@ct-prd-projects-boards-automation ct-prd-projects-boards-automation bot moved this from Review in Progress to Ready for Testing in Community Dashboard May 15, 2025
@engcom-Bravo engcom-Bravo moved this from Ready for Testing to Testing in Progress in Community Dashboard May 16, 2025
@engcom-Bravo (Contributor) commented:

Hi @SamJUK,

Thanks for the collaboration & contribution!

✔️ QA Passed

Preconditions:

  • Install fresh Magento 2.4-develop

Steps to reproduce

Navigate to https://site.com/setup/

Before: ✖️ [Screenshot 2025-05-16 at 2:29:25 pm]

After: ✔️ [Screenshot 2025-05-16 at 3:17:22 pm]

Builds have failed. Hence, moving this PR to Extended Testing.

Thanks.

@engcom-Bravo engcom-Bravo moved this from Testing in Progress to Extended testing (optional) in Community Dashboard May 19, 2025
@engcom-Dash (Contributor) commented:

@magento run all tests

@engcom-Dash (Contributor) commented:

@magento run all tests

@engcom-Dash (Contributor) commented:

@magento run Functional Tests B2B, Functional Tests CE, Functional Tests EE

@engcom-Dash engcom-Dash self-assigned this May 19, 2025
@engcom-Dash (Contributor) commented:

One of the consistent test failures for Functional B2B is a known issue and a JIRA ticket has been raised for it. Other failures are inconsistent and seem to be flaky. They are neither part of the PR nor failing because of the PR changes.

Build 1: https://public-results-storage-prod.magento-testing-service.engineering/reports/magento/magento2/pull/39228/8b57a632dc6d5a15bc9b938495750d18/Functional/allure-report-b2b/index.html#categories/8fb3a91ba5aaf9de24cc8a92edc82b5d


Build 2: https://public-results-storage-prod.magento-testing-service.engineering/reports/magento/magento2/pull/39228/31ea62ca34431ab1a47457dc1efe3f00/Functional/allure-report-b2b/index.html#categories/8fb3a91ba5aaf9de24cc8a92edc82b5d


Known Issue : StoreFrontSimpleProductWithSpecialAndTierDiscountPriceTest ACQE-7971

The consistent test failure for Functional CE is a known issue and a JIRA ticket has been raised for it.

Build 1: https://public-results-storage-prod.magento-testing-service.engineering/reports/magento/magento2/pull/39228/ec3ab5e68893b3dcd944ee063acf24e0/Functional/allure-report-ce/index.html#categories/1ebe0280aba7ee40465acd3f13b81139/6274427d1be0a9f1/


Build 2: https://public-results-storage-prod.magento-testing-service.engineering/reports/magento/magento2/pull/39228/0d1d32a59b49011bd15aeafe3e541c92/Functional/allure-report-ce/index.html#categories/1ebe0280aba7ee40465acd3f13b81139/829832ca4fd9c463/


Known Issue: StorefrontEnsureThatAccordionAnchorIsVisibleOnViewportOnceClickedTest ACQE-7683

Failures in Functional EE are inconsistent and seem to be flaky. They are neither part of the PR nor failing because of the PR changes.

Build 1: https://public-results-storage-prod.magento-testing-service.engineering/reports/magento/magento2/pull/39228/d7b2797e97996e82c4635c3ab31a465c/Functional/allure-report-ee/index.html#categories/2fc037f47773dd7551f2e766bbf34efa/d5d6bbf6037cf326/


Build 2: https://public-results-storage-prod.magento-testing-service.engineering/reports/magento/magento2/pull/39228/045b291bde6acf3e98bc7faa72841dbb/Functional/allure-report-ee/index.html#categories/8fb3a91ba5aaf9de24cc8a92edc82b5d


Hence moving this PR to Merge In Progress.

@engcom-Dash engcom-Dash moved this from Extended testing (optional) to Merge in Progress in Community Dashboard May 19, 2025
Labels: Priority: P2 (A defect with this priority could have functionality issues which are not to expectations.); Progress: ready for testing; Project: Community Picked (PRs upvoted by the community)

Projects: Status: Merge in Progress

Development: Successfully merging this pull request may close these issues: Magento Version exposure via Setup route with default Nginx Configuration (#39227)

5 participants