Unit: Restrict access to hidden files and have PHP process files directly #458

Merged: jaydrogers merged 2 commits into serversideup:main from jpangborn:improved-unit-config on Oct 15, 2024
@jpangborn
Contributor

Updating the routing in the Unit configuration to accomplish a couple of things:

The following routes step restricts access to hidden files and folders (start with .)

{
    "match": {
        "uri": [
            "/.*",
            "/.*/",
            "/.*/*",
            "/*/.*",
            "/*/.*/",
            "/*/.*/*"
        ]
    },
    "action": {
        "return": 404
    }
},

The following section allows the processing of PHP files requested directly. See #11 for more details. The issue with PHP files being downloaded instead of processed was due to the share entry in the action. The share entry will download the file if there is a match and pass the URI to the application handler only if the file doesn't exist. Removing the share entry and moving the pass entry out of fallback allows the PHP file to be processed directly.

{
    "match": {
        "uri": [
            "/*.php",
            "/*/*.php"
        ]
    },
    "action": {
        "pass": "applications/php/direct"
    }
},
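
The two route steps above can be checked offline against request paths before the config is applied. The following is an added example, not code from the pull request or the project: it uses a simplified model of Unit's `uri` patterns (`*` matches any run of characters, `/` included; no negation or regex), a hypothetical `applications/php/index` fallback step, and constructed sample paths.

```python
import re

# Route steps from the PR description, in the order given there. The last,
# unconditional step is a hypothetical stand-in for the rest of the routes.
ROUTES = [
    {"match": {"uri": ["/.*", "/.*/", "/.*/*", "/*/.*", "/*/.*/", "/*/.*/*"]},
     "action": {"return": 404}},
    {"match": {"uri": ["/*.php", "/*/*.php"]},
     "action": {"pass": "applications/php/direct"}},
    {"action": {"pass": "applications/php/index"}},  # hypothetical fallback
]

# Constructed request paths (no query strings).
SAMPLES = [
    "/.env", "/.git/config", "/storage/.htpasswd", "/vendor/pkg/.git/HEAD",
    "/.hidden/shell.php", "/.well-known/acme-challenge/token",
    "/info.php", "/admin/tools/info.php", "/css/app.css", "/file.name",
]


def pattern_to_regex(pattern):
    """Simplified model: '*' is any run of characters, '/' included; the rest
    is literal and case-sensitive. Negation and regex patterns are left out."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def matches_any(uri, patterns):
    """True if the path matches at least one pattern in the list."""
    return any(pattern_to_regex(p).fullmatch(uri) for p in patterns)


def route(uri, routes=ROUTES):
    """Return the action of the first step that matches, as Unit does."""
    for step in routes:
        patterns = step.get("match", {}).get("uri")
        if patterns is None or matches_any(uri, patterns):
            return step["action"]
    return {"return": 404}


if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:40} -> {route(uri)}")
    # Under this model the first and fourth patterns alone give the same result.
    hidden = ROUTES[0]["match"]["uri"]
    print(all(matches_any(u, hidden) == matches_any(u, ["/.*", "/*/.*"])
              for u in SAMPLES))
```

Because the hidden-file step comes first, `/.hidden/shell.php` gets a 404 rather than reaching the PHP handler; reversing the two steps would change that. The same step also answers 404 for `/.well-known/acme-challenge/token`, which matters if the container is expected to serve anything under `/.well-known/`.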

@jaydrogers
Member

I am very grateful for your contributions! Thanks for taking a swing at this for me since I am still very new to Unit.

I did pull your changes down and I ran into this error after building your image locally.

Error

php-1  | 
php-1  | --------------------------------------------------------------------
php-1  |  ____                             ____  _     _        _   _
php-1  | / ___|  ___ _ ____   _____ _ __  / ___|(_) __| | ___  | | | |_ __
php-1  | \___ \ / _ \  __\ \ / / _ \  __| \___ \| |/ _` |/ _ \ | | | |  _ \
php-1  |  ___) |  __/ |   \ V /  __/ |     ___) | | (_| |  __/ | |_| | |_) |
php-1  | |____/ \___|_|    \_/ \___|_|    |____/|_|\__,_|\___|  \___/| .__/
php-1  |                                                             |_|
php-1  | 
php-1  | Brought to you by serversideup.net
php-1  | --------------------------------------------------------------------
php-1  | 
php-1  | 🙌 To support Server Side Up projects visit:
php-1  | https://serversideup.net/sponsor
php-1  | 
php-1  | -------------------------------------
php-1  | ℹ️ Container Information
php-1  | -------------------------------------
php-1  | 
php-1  | OS:            Debian GNU/Linux 12 (bookworm)
php-1  | Docker user:   www-data
php-1  | Docker uid:    33
php-1  | Docker gid:    33
php-1  | OPcache:       ❌ Disabled
php-1  | 
php-1  | 👉 [NOTICE]: Improve PHP performance by setting PHP_OPCACHE_ENABLE=1 (recommended for production).
php-1  | init-unit: Processing /etc/unit/config.d/ssl-off.json.template → /etc/unit/config.d/config.json...
php-1  | init-unit: Launching Unit daemon to perform initial configuration...
php-1  | 2024/10/15 18:54:53 [warn] 28#28 Unit is running unprivileged, then it cannot use arbitrary user and group.
php-1  | 2024/10/15 18:54:53 [info] 28#28 unit 1.33.0 started
php-1  | 2024/10/15 18:54:53 [info] 31#31 discovery started
php-1  | 2024/10/15 18:54:53 [notice] 31#31 module: php 8.3.11 "/usr/lib/unit/modules/php.unit.so"
php-1  | 2024/10/15 18:54:53 [info] 29#29 controller started
php-1  | 2024/10/15 18:54:53 [notice] 29#29 process 31 exited with code 0
php-1  | 2024/10/15 18:54:53 [info] 34#34 router started
php-1  | 2024/10/15 18:54:53 [info] 34#34 OpenSSL 3.0.14 4 Jun 2024, 300000e0
php-1  | {
php-1  |        "certificates": {},
php-1  |        "js_modules": {},
php-1  |        "config": {
php-1  |                "listeners": {},
php-1  |                "routes": [],
php-1  |                "applications": {}
php-1  |        },
php-1  | 
php-1  |        "status": {
php-1  |                "modules": {
php-1  |                        "php": {
php-1  |                                "version": "8.3.11",
php-1  |                                "lib": "/usr/lib/unit/modules/php.unit.so"
php-1  |                        }
php-1  |                },
php-1  | 
php-1  |                "connections": {
php-1  |                        "accepted": 0,
php-1  |                        "active": 0,
php-1  |                        "idle": 0,
php-1  |                        "closed": 0
php-1  |                },
php-1  | 
php-1  |                "requests": {
php-1  |                        "total": 0
php-1  |                },
php-1  | 
php-1  |                "applications": {}
php-1  |        }
php-1  | }
php-1  | init-unit: Looking for certificate bundles in /etc/unit/config.d...
php-1  | init-unit: Looking for JavaScript modules in /etc/unit/config.d...
php-1  | init-unit: Looking for configuration snippets in /etc/unit/config.d...
php-1  | init-unit: Applying configuration /etc/unit/config.d/config.json
php-1  | 🛑 ERROR: HTTP response status code is '400'
php-1  | {
php-1  |        "error": "Invalid JSON.",
php-1  |        "detail": "Either a closing brace (}) or a comma (,) is expected here.  Each JSON object must be enclosed in braces and its members must be separated by commas.",
php-1  |        "location": {
php-1  |                "offset": 2471,
php-1  |                "line": 95,
php-1  |                "column": 13
php-1  |        }
php-1  | }

Steps to reproduce

Build your image using the scripts/dev.sh:

bash scripts/dev.sh --version 8.3.11 --variation unit --os bookworm

Bring up this example app under this specific branch: https://github.com/jaydrogers/docker-php-test-app/tree/458-unit-testing.

It looks like it could be a simple syntax error, but I have been heads down on getting v3.4 out. I might bump these updates to v3.5 if we can get a solid way Unit config rolling.

@jpangborn
Contributor Author

Missing comma. The build script completes successfully now.

@jaydrogers linked an issue on Oct 15, 2024 that may be closed by this pull request
@jaydrogers changed the title from "Update Unit Configurations" to "Unit: Restrict access to hidden files and have PHP process files directly" on Oct 15, 2024
@jaydrogers merged commit aeff5ff into serversideup:main on Oct 15, 2024

@jaydrogers
Member

Thank you! This should be made available with v3.4! I will get a beta2 built and published soon.

Development

Successfully merging this pull request may close these issues.

Unit: Configuration only works with index.php