Yii Framework Forum: Unsure about advanced /www/admin - Yii Framework Forum


#1 JJBros

Posted 28 November 2017 - 11:00 AM

Following this tutorial:
https://github.com/y...ared-hosting.md

I am unsure what the following means:

Quote

Move entry scripts into single webroot

First of all we need a webroot directory. Create a new directory and name it to match your hosting webroot name, e.g., www or public_html or the like. Then create the following structure where www is the hosting webroot directory you just created:

www
    admin
backend
common
console
environments
frontend
...
www will be our frontend directory so move the contents of frontend/web into it. Move the contents of backend/web into www/admin. In each case you will need to adjust the paths in index.php and index-test.php.



On a Linux box, Apache is usually /var/www/html; are you saying that the root directory of the Yii application should reside in /var/www/html, so the structure is as follows...

cd /var/www && ls
- html
    - admin
- backend
- common
- console
- environments
- frontend
...


So common, console, environments, vagrant, and vendor should not be inside the server directory that is public facing? And I can delete the frontend/backend folders after that?

Thanks!
0

#2 alrazi

Posted 28 November 2017 - 12:09 PM

I am assuming you are using the advanced app structure because you have a user-facing site which is public as well as an admin section which you use to manage the contents.

So you have a backend/ which is available publicly but protected with some sort of login/auth, and frontend/ which will also be available publicly but may not be protected by login. You need backend/web to be under /var/www/html as well as frontend/web to be under /var/www/html; in both app/modules there is an entry file index.php which needs to be accessible publicly.
0

#3 JJBros

Posted 28 November 2017 - 01:14 PM

alrazi, on 28 November 2017 - 12:09 PM, said:

I am assuming you are using the advanced app structure because you have a user-facing site which is public as well as an admin section which you use to manage the contents.

So you have a backend/ which is available publicly but protected with some sort of login/auth, and frontend/ which will also be available publicly but may not be protected by login. You need backend/web to be under /var/www/html as well as frontend/web to be under /var/www/html; in both app/modules there is an entry file index.php which needs to be accessible publicly.



Thank you.

Can you please answer this next question? What is this "vendor" folder supposed to be? Since we are testing our development on an actual server, we want to be able to have total 100% clean merges from development git (which is actually in Prod mode with Dev modes turned on), with master git (live version).

I'm reading online about a lot of gitignores, and what not ...

I keep seeing people online say not to source control vendor. I don't see a problem with it personally: you download the vendor files you need and then place them back into the git. Our setup is a bit different; each deployment we wipe the server and do a clean install, using custom scripts.
0

#4 alrazi

Posted 28 November 2017 - 02:11 PM

The vendor folder is your packages directory where composer installs your dependencies. The reason why it's not ideal to put vendor in your git repo is that it increases the size of your repo and would take longer to check in and check out with git. I would read about composer and learn how it works at the basics.
0

#5 JJBros

Posted 28 November 2017 - 02:22 PM

alrazi, on 28 November 2017 - 02:11 PM, said:

The vendor folder is your packages directory where composer installs your dependencies. The reason why it's not ideal to put vendor in your git repo is that it increases the size of your repo and would take longer to check in and check out with git. I would read about composer and learn how it works at the basics.


Yea okay. I'll include it in my git because this will automatically deploy on multiple instances for load balancing, and allows us to edit things if we need something more custom.
0

#6 alrazi

Posted 28 November 2017 - 11:48 PM

You don't need to include the vendor folder in your git repo; just run 'composer install' on your machine after you do a git checkout. If you are doing automated deployments on several machines it should not be a problem.
0

#7 JJBros

Posted 29 November 2017 - 05:30 PM

alrazi, on 28 November 2017 - 11:48 PM, said:

You don't need to include the vendor folder in your git repo; just run 'composer install' on your machine after you do a git checkout. If you are doing automated deployments on several machines it should be a problem.


Okay thanks! Only issue is that codedeploy -> ec2 is free of charge, whereas using the nat will cost money! :rolleyes: I will look into it for sure though!

One other question. How do "assets" work? Is there any way I can generate the required assets only once, and use those each time? Right now I am deploying to the server without any assets so yii generates them each time.

What do you recommend?
0

#8 alrazi

Posted 30 November 2017 - 01:55 AM

I usually use npm and gulp to compile my assets. I keep the source in my app/assets/src folder and compile/bundle them in the same directory under app/assets/dist, which I add to my yii AppAsset.

Yii generates random directories for assets to avoid cache problems. I would recommend, if you want to compile or use some sort of build tool, putting them under app/assets and letting yii move the files for you. Don't put them under web/assets yourself; you can do it but I would not recommend it.
0

#9 JJBros

Posted 30 November 2017 - 10:18 AM

alrazi, on 30 November 2017 - 01:55 AM, said:

I usually use npm and gulp to compile my assets. I keep the source in my app/assets/src folder and compile/bundle them in the same directory under app/assets/dist, which I add to my yii AppAsset.

Yii generates random directories for assets to avoid cache problems. I would recommend, if you want to compile or use some sort of build tool, putting them under app/assets and letting yii move the files for you. Don't put them under web/assets yourself; you can do it but I would not recommend it.


Thank you, I didn't understand that yii generates random directories to avoid the cache issues. However, how does it know that it already generated these files? Or will it always generate new directories every 24 hours?

One issue I have with this is that I have to allow the user group full access (7) because it needs to run the command:
mkdir


Inside the following directories:
* frontend/runtime
    - logs
    - cache
    - ...
* frontend/web/assets
    - 98898f
        - ...
* backend/runtime
    - logs
    - cache
    - ...
* backend/web/assets
    - 98898f
        - ...


This is really problematic, and I don't like it at all. Mostly because if someone can make yii/apache perform some server-side script or make it run a script from some exploit, they would be able to have full access inside these folders.

I want to change this to be better for security. I don't want yii/apache to have this much permission...

Is there a way to turn off this asset feature? Also, a way to turn off the runtime features?

Where in the code does it generate these assets/runtime? I don't want it to generate assets for me, I want to turn it off and use hard-coded locations because with NGINX I can always give files 1day expires, and I could use cloud-front for all files and it will detect changes for me.

Thanks! Hope there is some solution!
0

#10 JJBros

Posted 04 December 2017 - 10:31 PM

Hello. Not sure if bumps are allowed on this site. Excuse my rudeness.

Do you happen to know someone I can message to get an answer? I much appreciate it.
0

#11 Roberto Braga

Posted 07 December 2017 - 12:27 AM

You need the framework to have these permissions. Otherwise it is not able to create the assets, for instance, or, if your application allows file uploads, you can't move them from the tmp dir to the web application dir.
Anyway, if you have such a big security hole that someone can write on the disk, this is the last of your problems.
To do so they can already execute arbitrary code, so putting a file somewhere is just for "comfort".
0

#12 JJBros

Posted 09 December 2017 - 12:13 AM

Thank you. I understand. I am just overly worried!

Cheers.
0

#13 alrazi

Posted 09 December 2017 - 07:25 AM

Hello,

You are concerned about security, which is a good thing. Apache will only execute what you tell it to; for example, if you point Apache to serve one particular directory, /var/www/html, it will only serve contents from that directory.

I have said this in the first post: you can have your framework + app out in the www/app folder, move your web folder into html, and point html/index.php to the files in the www/app folder.

To answer your question on how to remove yii assets: go to your layout file, where you will see a reference to your asset class (AppAsset). Remove that and yii will no longer interfere with your assets. As far as runtime goes, you need that directory for the app to run: your app cache is in that folder and app log files are also stored in that directory. You would need to modify the framework to get rid of runtime, which I will not recommend.

Friendly advice: if you need a full analysis done on your app security, perhaps hire someone with a security background for a few hours and let him have a look at your code.
0
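
An added example, not written by any poster in this thread: POSIX shell functions that keep group write access confined to the four directories listed in post #9, report anything else that is group- or world-writable, and flag application code directories sitting inside the public webroot discussed in posts #1 and #13. The function names are hypothetical, and the script assumes the deploy user owns the checkout while the web server / PHP user is a member of the tree's group.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the deploy user owns the
# checkout and the web server / PHP user is a member of the tree's group.

# The four directories post #9 lists as needing write access.
WRITABLE_DIRS="frontend/runtime frontend/web/assets backend/runtime backend/web/assets"

# harden_tree ROOT [GROUP]: drop group write and all "other" access on the
# whole tree, then give group write back to the four directories only.
harden_tree() {
    root=${1%/}; group=${2:-}
    for d in $WRITABLE_DIRS; do mkdir -p "$root/$d"; done
    if [ -n "$group" ]; then chgrp -R "$group" "$root"; fi
    chmod -R g-w,o-rwx "$root"
    for d in $WRITABLE_DIRS; do
        chmod -R g+rwX "$root/$d"
        # setgid: files created by the web server stay in the shared group
        find "$root/$d" -type d -exec chmod g+s {} +
    done
}

# audit_tree ROOT: print every group- or world-writable path outside the
# four expected directories. No output means the tree passes.
audit_tree() {
    root=${1%/}
    find "$root" \
        \( -path "$root/frontend/runtime" -o -path "$root/frontend/web/assets" \
           -o -path "$root/backend/runtime" -o -path "$root/backend/web/assets" \) -prune \
        -o ! -type l \( -perm -020 -o -perm -002 \) -print
}

# exposed_dirs WEBROOT: print application code directories that ended up
# inside the public webroot (they belong beside it, as in the tutorial).
exposed_dirs() {
    webroot=${1%/}
    for d in backend common console environments frontend vendor; do
        if [ -d "$webroot/$d" ]; then echo "$webroot/$d"; fi
    done
}
```

Running `audit_tree` as a post-deploy step catches a stray `chmod -R 777` before it reaches production; with this layout the web server can create files only under runtime and web/assets, and the PHP code itself stays read-only to it.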
