Avoid blocking well-known URLs in the Apache config

heroku · Apr 12, 2023 · cf309bb · cf309bb
1 parent 93ebb7d
commit cf309bb
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### CHG
 
 - Do not block access to /.well-known/ in Nginx config [Christophe Coevoet, David Zuelke]
+- Do not block access to /.well-known/ in Apache HTTPD config [Christophe Coevoet, David Zuelke]
 
 ## v232 (2023-03-27)
 

diff --git a/conf/apache2/heroku.conf b/conf/apache2/heroku.conf
@@ -29,7 +29,7 @@ Listen ${PORT}
 		# lock it down fully by default
 		# if it's also the docroot, it'll be opened up again further below
 		Require all denied
-		<FilesMatch "^(\.|composer\.(json|lock|phar)$|Procfile$)">
+		<FilesMatch "^(\.(?!well-known\/)|composer\.(json|lock|phar)$|Procfile$)">
 			# explicitly deny these again, merged with the docroot later
 			Require all denied
 		</FilesMatch>

diff --git a/test/spec/httpd_spec.rb b/test/spec/httpd_spec.rb
@@ -0,0 +1,20 @@
+require_relative "spec_helper"
+
+describe "A PHP application" do
+	it "allows access to /.well-known/ with Apache HTTPD" do
+		new_app_with_stack_and_platrepo('test/fixtures/default').tap do |app|
+			app.before_deploy(:append) do
+				FileUtils.mkdir_p(".well-known/acme")
+				File.open(".well-known/acme/foo", "w+") do |f|
+					f.write 'bar'
+				end
+				File.open("Procfile", "w+") do |f|
+					f.write 'web: heroku-php-apache2'
+				end
+			end
+			app.deploy do |app|
+				expect(successful_body(app, path: '/.well-known/acme/foo')).to eq 'bar'
+			end
+		end
+	end
+end
diff --git a/test/var/log/parallel_runtime_rspec.heroku-18.log b/test/var/log/parallel_runtime_rspec.heroku-18.log
@@ -2,6 +2,7 @@ test/spec/blackfire_spec.rb:239.20765019800092
 test/spec/bugs_spec.rb:45.368704143
 test/spec/ci_spec.rb:274.321140925
 test/spec/composer_spec.rb:90.616864848999995
+test/spec/httpd_spec.rb:18.68997263999998
 test/spec/newrelic_spec.rb:86.77255344099999
 test/spec/nginx_spec.rb:49.700997473
 test/spec/php_7.1-apache2_boot_spec.rb:129.810977812

diff --git a/test/var/log/parallel_runtime_rspec.heroku-20.log b/test/var/log/parallel_runtime_rspec.heroku-20.log
@@ -2,6 +2,7 @@ test/spec/blackfire_spec.rb:239.20765019800092
 test/spec/bugs_spec.rb:30.021669688999992
 test/spec/ci_spec.rb:274.321140925
 test/spec/composer_spec.rb:90.616864848999995
+test/spec/httpd_spec.rb:18.68997263999998
 test/spec/newrelic_spec.rb:86.77255344099999
 test/spec/nginx_spec.rb:49.700997473
 test/spec/php_7.3-apache2_boot_spec.rb:135.224324281

diff --git a/test/var/log/parallel_runtime_rspec.heroku-22.log b/test/var/log/parallel_runtime_rspec.heroku-22.log
@@ -2,6 +2,7 @@ test/spec/blackfire_spec.rb:239.20765019800092
 test/spec/bugs_spec.rb:30.021669688999992
 test/spec/ci_spec.rb:274.321140925
 test/spec/composer_spec.rb:90.616864848999995
+test/spec/httpd_spec.rb:18.68997263999998
 test/spec/newrelic_spec.rb:86.77255344099999
 test/spec/nginx_spec.rb:49.700997473
 test/spec/php_8.1-apache2_boot_spec.rb:160.79852702099998
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,7 @@ @@
     ### CHG
     - Do not block access to /.well-known/ in Nginx config [Christophe Coevoet, David Zuelke]
+    - Do not block access to /.well-known/ in Apache HTTPD config [Christophe Coevoet, David Zuelke]
     ## v232 (2023-03-27)
@@ Expand Down @@