Postleaf can run on Apache, NGINX, Caddy, and any other web server that supports the appropriate rewrites. However, when a sample configuration is missing, one can be fooled into thinking they have a working server config for Postleaf when in fact some of the rewrites are missing or erroneous.
We've seen this issue a few times and I think it can be prevented during installation. Below are my thoughts from a private discussion about this elsewhere:
I think we can simply check for a known route after the .htaccess file is written. For example, we can use an existing unprotected route (i.e. a route that doesn't require authentication) and check for a 200 OK response:
GET /login
If the route returns a 404 Not Found response, we can assume rewrites aren't configured properly.
More extensively, we could test a whole series of routes to ensure they work as expected (e.g. make sure the backups/ directory is inaccessible). But that's the general idea.
This approach should work for non-Apache servers too, since they require preconfig and those redirects need to be in place before the installer even runs.
Generally speaking, I don't think Postleaf should bother too much with server configs, but checking certain routes during installation can prevent buggy installs and potential security risks.
Any additional thoughts on this?
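A sketch of the install-time check proposed in the issue above, added here as an example and not taken from Postleaf's code. The function names and the probe table are assumptions; only the `/login` and `backups/` paths and the 200/404 interpretation come from the issue, and treating any 2xx on `backups/` as exposure is this example's choice.

```python
import urllib.error
import urllib.request

# (path, expectation). Hypothetical probe table; the two paths are from the issue.
PROBES = [
    ("/login", "served"),     # unprotected route: must answer 200 via the rewrites
    ("/backups/", "blocked"),  # data directory: must not be readable over HTTP
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx itself instead of following it


def http_status(url, timeout=5):
    """GET url and return its status code, or None if the server is unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive as HTTPError
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def check_install(base_url, fetch=http_status):
    """Return (path, status, problem) for every probe that fails; [] means OK."""
    failures = []
    for path, expect in PROBES:
        status = fetch(base_url.rstrip("/") + path)
        if expect == "served" and status != 200:
            why = "rewrites missing" if status == 404 else "route not served"
            failures.append((path, status, why))
        elif expect == "blocked" and status is not None and 200 <= status < 300:
            failures.append((path, status, "directory is publicly readable"))
    return failures


if __name__ == "__main__":
    # Constructed responses standing in for a server whose rewrites were never applied.
    canned = {"https://blog.example/login": 404,
              "https://blog.example/backups/": 200}
    for path, status, why in check_install("https://blog.example", fetch=canned.get):
        print(f"{path}: HTTP {status} ({why})")
```

Passing `fetch` as a parameter lets the installer's tests run the same logic against canned statuses without a live server.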