Don't block access to well-known URLs in the nginx config

heroku · Apr 12, 2023 · 93ebb7d · 93ebb7d
1 parent 82615f5
commit 93ebb7d
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # heroku-buildpack-php CHANGELOG
 
+## v233 (2023-04-??)
+
+### CHG
+
+- Do not block access to /.well-known/ in Nginx config [Christophe Coevoet, David Zuelke]
+
 ## v232 (2023-03-27)
 
 ### ADD

diff --git a/conf/nginx/heroku.conf.php b/conf/nginx/heroku.conf.php
@@ -60,8 +60,10 @@
 
 		include "<?=getenv('HEROKU_PHP_NGINX_CONFIG_INCLUDE')?>";
 
-		# restrict access to hidden files, just in case
-		location ~ /\. {
+		# restrict access to hidden files, just in case, except for the
+		# visible content from within the `/.well-known/` hidden directory.
+		# https://tools.ietf.org/html/rfc5785
+		location ~* /\.(?!well-known\/) {
 			deny all;
 		}
 

diff --git a/test/spec/nginx_spec.rb b/test/spec/nginx_spec.rb
@@ -1,11 +1,8 @@
 require_relative "spec_helper"
 
 describe "A PHP application" do
-	let(:app) {
-		new_app_with_stack_and_platrepo('test/fixtures/default')
-	}
 	it "installs a recent stable nginx with OpenSSL support and expected modules" do
-		app.deploy do |app|
+		new_app_with_stack_and_platrepo('test/fixtures/default').deploy do |app|
 			nginx = app.output.match(/- nginx \((\d+\.\d*[02468]\.\d+)/)
 			expect(nginx).not_to be_nil, "expected nginx install line in build output"
 			expect(Gem::Dependency.new('nginx', '~> 1.14').match?('nginx', nginx[1])).to be == true, "expected nginx version compatible with selector '~> 1.14' but got #{nginx[1]}"
@@ -19,4 +16,20 @@
 			end
 		end
 	end
+	it "allows access to /.well-known/ with Nginx" do
+		new_app_with_stack_and_platrepo('test/fixtures/default').tap do |app|
+			app.before_deploy(:append) do
+				FileUtils.mkdir_p(".well-known/acme")
+				File.open(".well-known/acme/foo", "w+") do |f|
+					f.write 'bar'
+				end
+				File.open("Procfile", "w+") do |f|
+					f.write 'web: heroku-php-nginx'
+				end
+			end
+			app.deploy do |app|
+				expect(successful_body(app, path: '/.well-known/acme/foo')).to eq 'bar'
+			end
+		end
+	end
 end
diff --git a/test/var/log/parallel_runtime_rspec.heroku-18.log b/test/var/log/parallel_runtime_rspec.heroku-18.log
@@ -3,7 +3,7 @@ test/spec/bugs_spec.rb:45.368704143
 test/spec/ci_spec.rb:274.321140925
 test/spec/composer_spec.rb:90.616864848999995
 test/spec/newrelic_spec.rb:86.77255344099999
-test/spec/nginx_spec.rb:20.886132366
+test/spec/nginx_spec.rb:49.700997473
 test/spec/php_7.1-apache2_boot_spec.rb:129.810977812
 test/spec/php_7.1-apache2_concurrency_spec.rb:106.15694684000002
 test/spec/php_7.1_base_spec.rb:32.253990575

diff --git a/test/var/log/parallel_runtime_rspec.heroku-20.log b/test/var/log/parallel_runtime_rspec.heroku-20.log
@@ -3,7 +3,7 @@ test/spec/bugs_spec.rb:30.021669688999992
 test/spec/ci_spec.rb:274.321140925
 test/spec/composer_spec.rb:90.616864848999995
 test/spec/newrelic_spec.rb:86.77255344099999
-test/spec/nginx_spec.rb:20.886132366
+test/spec/nginx_spec.rb:49.700997473
 test/spec/php_7.3-apache2_boot_spec.rb:135.224324281
 test/spec/php_7.3-apache2_concurrency_spec.rb:121.997482515
 test/spec/php_7.3_base_spec.rb:47.707490181000004

diff --git a/test/var/log/parallel_runtime_rspec.heroku-22.log b/test/var/log/parallel_runtime_rspec.heroku-22.log
@@ -3,7 +3,7 @@ test/spec/bugs_spec.rb:30.021669688999992
 test/spec/ci_spec.rb:274.321140925
 test/spec/composer_spec.rb:90.616864848999995
 test/spec/newrelic_spec.rb:86.77255344099999
-test/spec/nginx_spec.rb:20.886132366
+test/spec/nginx_spec.rb:49.700997473
 test/spec/php_8.1-apache2_boot_spec.rb:160.79852702099998
 test/spec/php_8.1-apache2_concurrency_spec.rb:134.627796263
 test/spec/php_8.1_base_spec.rb:210.99503811600005