Secure the database
Arjen van Bochoven edited this page Dec 4, 2015 · 3 revisions
If you're running Munkireport with a MySQL backend, you can stop reading. If you're using SQLite, read on.
Munkireport ships with an .htaccess file that should protect the app directory on an Apache web server. It also ships with a web.config file that should do the same on an IIS web server. But web servers are complex beasts, and global configurations may interfere with these security settings. And if you're using nginx, you don't have any out-of-the-box protection at all.
First check if the database is exposed to the world by trying to download it with a browser: https://yourserver.fqdn/app/db/db.sqlite
If you can download the file, your data is publicly available, which is a Bad Thing™.
- Deny reading of the app directory. Add rules to your web server configuration that deny client requests for files in the app directory.
- Move the database directory out of the webroot. Move the directory to a safe place and adjust `config.php` so Munkireport uses the new location (e.g. `$conf['pdo_dsn'] = 'sqlite:/var/munkireport/db/db.sqlite';`). The correct place to put the database directory depends on your server.
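The browser check above can also be scripted and re-run after applying either fix. This is an added example, not part of Munkireport; the `classify` and `probe` names and the status-code mapping are assumptions of this example. It inspects the 16-byte SQLite file header, so a 200 response that carries an HTML error page is not mistaken for the database.

```python
"""Check whether a Munkireport SQLite database can be downloaded over HTTP."""
import sys
import urllib.error
import urllib.request

# Every SQLite 3 database file begins with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def classify(status, body):
    """Return 'exposed', 'blocked' or 'inconclusive' for one HTTP response."""
    if status in (200, 206) and body.startswith(SQLITE_MAGIC):
        return "exposed"       # the server handed out the real database
    if status in (401, 403, 404):
        return "blocked"       # request denied, or the file is not in the webroot
    # For example a 200 with an HTML page, or a 5xx: check by hand.
    return "inconclusive"


def probe(url, timeout=10):
    """Request only the first 16 bytes of url and classify the answer."""
    req = urllib.request.Request(url, headers={"Range": "bytes=0-15"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # Servers that ignore Range answer 200; read(16) still suffices.
            return classify(resp.status, resp.read(16))
    except urllib.error.HTTPError as err:
        return classify(err.code, b"")


if __name__ == "__main__":
    # Usage: python check_db.py https://yourserver.fqdn/app/db/db.sqlite
    results = {url: probe(url) for url in sys.argv[1:]}
    for url, verdict in results.items():
        print(f"{verdict:12} {url}")
    # A non-zero exit status lets a cron job or CI step alert on exposure.
    sys.exit(1 if "exposed" in results.values() else 0)
```
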