Postleaf can run on Apache, NGINX, Caddy, and any other web server that supports the appropriate rewrites. However, when a sample configuration is missing, one can be fooled into thinking they have a working server config for Postleaf when in fact some of the rewrites are missing or erroneous.
We've seen this issue a few times and I think it can be prevented during installation. Below are my thoughts from a private discussion about this elsewhere:
I think we can simply check for a known route after the .htaccess file is written. For example, we can use an existing unprotected route (i.e. a route that doesn't require authentication) and check for a 200 OK response:
If the route returns a 404 Not Found response, we can assume rewrites aren't configured properly.
More extensively, we could test a whole series of routes to ensure they work as expected (e.g. make sure the backups/ directory is inaccessible). But that's the general idea.
This approach should work for non-Apache servers too, since they require preconfig and those redirects need to be in place before the installer even runs.
Generally speaking, I don't think Postleaf should bother too much with server configs, but checking certain routes during installation can prevent buggy installs and potential security risks.
Any additional thoughts on this?
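
An added example, not part of the original post or of Postleaf's code: one way the route check described above could look, written in Python for illustration. The `/known-public-route` path is a placeholder, and the function names and the set of status codes treated as "inaccessible" are assumptions; `backups/` is the directory the post mentions.

```python
import urllib.error
import urllib.request

# (path, must_be_reachable). "/known-public-route" is a placeholder for an
# unprotected route; "/backups/" is the directory named in the post.
CHECKS = [
    ("/known-public-route", True),
    ("/backups/", False),
]

# Assumption: these statuses count as "inaccessible" for a protected path.
DENIED = {401, 403, 404}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as-is instead of following them."""

    def redirect_request(self, *args, **kwargs):
        return None


def fetch_status(base_url, path, timeout=5):
    """Return the HTTP status for base_url + path, or None if unreachable."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}), _NoRedirect)  # direct, no redirects
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 3xx/4xx/5xx arrive here
    except OSError:  # URLError, timeouts and socket errors
        return None


def evaluate(status, must_be_reachable):
    """True if the observed status matches what a correct config returns."""
    if status is None:
        return False
    return status == 200 if must_be_reachable else status in DENIED


def check_install(base_url, checks=CHECKS, fetch=fetch_status):
    """Return [(path, status)] for every route that behaves unexpectedly."""
    failures = []
    for path, must_be_reachable in checks:
        status = fetch(base_url, path)
        if not evaluate(status, must_be_reachable):
            failures.append((path, status))
    return failures
```

An empty list from `check_install` means every probed route behaved as expected; a 200 on `/backups/` or a 404 on the public route is reported with the status that was observed.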