Unsure about advanced /www/admin

Following this tutorial:

I am unsure what the following means:

On a Linux box apache is usually /var/www/html; are you saying that the root directory of the yii application should reside in /var/www/html, so the structure is as follows…

cd /var/www && ls

- html
    - admin
- backend
- common
- console
- environments
- frontend
...

So common, console, environments, vagrant, and vendor should not be inside the server directory that is public facing? And I can delete the frontend/backend folders after that?

Thanks!

I am assuming you are using the advanced app structure because you have a user facing site which is public as well as an admin section which you use to manage the contents.

So you have a backend/ which is available publicly but protected with some sort of login/auth, and a frontend/ which will also be available publicly but may not be protected by login. You need backend/web to be under /var/www/html, as well as frontend/web under /var/www/html; in both apps/modules there is an entry file, index.php, which needs to be accessible publicly.

Thank you.

Can you please answer this next question? What is this "vendor" folder supposed to be? Since we are testing our development on an actual server, we want to be able to have totally 100% clean merges from the development git (which is actually in Prod mode with Dev modes turned on) with the master git (live version).

I'm reading online about a lot of .gitignores, and whatnot …

I keep seeing people online say not to source control vendor. I don't see a problem with it personally: you download the vendor files you need and then place them back into the git. Our setup is a bit different; each deployment we wipe the server and do a clean install, using custom scripts.

The vendor folder is your packages directory, where composer installs your dependencies. The reason why it's not ideal to put vendor in your git repo is that it increases the size of your repo and would take longer to check in and check out with git. I would read about composer and learn how it works at the basics.

Yea okay. I'll include it in my git because this automatically will deploy on multiple instances for load balancing, and allows us to edit things if we need something more custom.

You don't need to include the vendor folder in your git repo; just run 'composer install' on your machine after you do a git checkout. If you are doing automated deployments on several machines it should not be a problem.

Okay thanks! The only issue is that codedeploy -> ec2 is free of charge, whereas using the NAT will cost money! :rolleyes: I will look into it for sure though!

One other question. How do "assets" work? Is there any way I can generate the required assets only once, and use those each time? Right now I am deploying to the server without any assets, so yii generates them each time.

What do you recommend?

I usually use npm and gulp to compile my assets. I keep the source in my app/assets/src folder and compile/bundle them in the same directory under app/assets/dist, which I add to my yii AppAsset.

yii generates random directories for assets to avoid cache problems. I would recommend, if you wanna compile or use some sort of build tool, to put them under app/assets and let yii move the files for you; don't put them under web/assets yourself. You can do it, but I would not recommend it.

Thank you, I didn't understand that yii generates random directories to avoid the cache issues. However, how does it know that it already generated these files? Or will it always generate new directories every 24 hours?

One issue I have with this is that I have to allow the user group full access (7) because it needs to run the command:

mkdir

Inside the following directories:

* frontend/runtime
    - logs
    - cache
    - ...
* frontend/web/assets
    - 98898f
        - ...
* backend/runtime
    - logs
    - cache
    - ...
* backend/web/assets
    - 98898f
        - ...

This is really problematic, and I don't like it at all. Mostly because if someone can make yii/apache perform some server side script or make it run a script from some exploit, they would be able to have full access inside these folders.

I want to change this to be better for security. I don't want yii/apache to have this much permission…

Is there a way to turn off this asset feature? Also, a way to turn off the runtime features?

Where in the code does it generate these assets/runtime? I don't want it to generate assets for me; I want to turn it off and use hard-coded locations, because with NGINX I can always give files a 1 day expires, and I could use CloudFront for all files and it will detect changes for me.

Thanks! Hope there is some solution!

Hello. Not sure if bumps are allowed on this site. Excuse my rudeness.

Do you happen to know someone I can message to get an answer? I much appreciate it.

You need the framework to have these permissions. Otherwise it is not able to create the assets, for instance, or, if your application allows file uploads, you can't move them from the tmp dir to the web application dir.

Anyway, if you have such a big security hole that someone can write to the disk, this is the least of your problems.

To do so they can already execute arbitrary code, so putting a file somewhere is just for "comfort".

Thank you. I understand. I am just overly worried!

Cheers.
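As an added example (not code from the thread or from the Yii project), the script below applies the compromise the two replies above point at: the web server gets read-only access to the whole checkout and write access only to the runtime/ and web/assets/ directories the framework actually needs, and a check function reports any other directory the web server group could write to. It assumes the advanced template layout (frontend/, backend/, common/), an application root path passed as the first argument, and a web server group name (for example www-data) passed as the second; both are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: least-privilege file modes for a Yii advanced-template checkout.
# Assumes: $1 is the application root (e.g. /var/www/app) and $2 is the group
# the web server runs as (e.g. www-data). Neither value comes from the thread.
set -eu

# Make the whole application readable but not writable by the web server group,
# then open only the directories the framework must create files in.
lock_down_app() {
  app_root="$1"
  web_group="$2"

  chgrp -R "$web_group" "$app_root"
  # u=rwX: the deploy user keeps write access; g=rX: the web server may read and
  # traverse; o=: everyone else gets nothing (config files hold DB credentials).
  chmod -R u=rwX,g=rX,o= "$app_root"

  for tier in frontend backend; do
    for dir in "$app_root/$tier/runtime" "$app_root/$tier/web/assets"; do
      mkdir -p "$dir"
      # 2770: group write only here; the setgid bit keeps files apache creates
      # (logs, cache, published assets) in the web server group.
      chmod 2770 "$dir"
    done
  done
}

# Audit: list every group-writable directory under the application root that is
# not one of the expected writable locations. Returns 0 when none are found.
check_writable_dirs() {
  app_root="$1"
  unexpected=0
  for d in $(find "$app_root" -type d -perm -g=w); do
    case "$d" in
      */runtime|*/runtime/*|*/web/assets|*/web/assets/*) ;;
      *) echo "unexpected group-writable dir: $d"; unexpected=1 ;;
    esac
  done
  return $unexpected
}
```

Run lock_down_app once per deployment (after composer install, before the first request) and check_writable_dirs from whatever monitoring you already have; a non-zero result means something outside runtime/ or web/assets/ became writable by the web server, which is exactly the condition the question above worries about.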

Hello,

You are concerned about security, which is a good thing. Apache will only execute what you tell it to; for example, if you point apache to serve one particular directory, /var/www/html, it will only serve contents from that directory.

I said this in my first post: you can have your framework + app out in the www/app folder, move your web folder into html, and point html/index.php to the files in the www/app folder.

To answer your question how to remove yii assets: go to your layout file, you will see a reference to your asset class (AppAsset); remove that and yii will no longer interfere with your assets. As far as runtime goes, you need that directory for the app to run: your app cache is in that folder and app log files are also stored in that directory. You would need to modify the framework to get rid of runtime, which I would not recommend.

Friendly advice: if you need a full analysis done on your app security, perhaps hire someone with a security background for a few hours and let him have a look at your code.
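The first answer and the last post both describe the same layout: the complete advanced-template checkout stays outside the document root and only the entry scripts are published under it. As an added example (not code from the thread or from the Yii project), the script below generates those entry scripts: the frontend at WEB_ROOT/index.php and the backend at WEB_ROOT/admin/index.php, each booting Yii from APP_ROOT by absolute path, plus a check that nothing but entry scripts and published assets ended up in the document root. The require sequence mirrors the advanced template's own web/index.php with its relative paths replaced; the paths /var/www/app and /var/www/html used in the comments, and the function names, are assumptions.

```shell
#!/bin/sh
# Added example: publish only Yii entry scripts under the document root.
# Assumes: $1 is the application root outside the document root (e.g.
# /var/www/app) and $2 is the document root apache serves (e.g. /var/www/html).
set -eu

# Write an entry script for one tier (frontend or backend) into $dest_dir.
# The script boots Yii from $app_root, so only index.php has to be public.
write_entry_script() {
  app_root="$1"; tier="$2"; dest_dir="$3"
  mkdir -p "$dest_dir"
  cat > "$dest_dir/index.php" <<EOF
<?php
// Production defaults: no debug toolbar, no stack traces sent to the browser.
defined('YII_DEBUG') or define('YII_DEBUG', false);
defined('YII_ENV') or define('YII_ENV', 'prod');

require '$app_root/vendor/autoload.php';
require '$app_root/vendor/yiisoft/yii2/Yii.php';
require '$app_root/common/config/bootstrap.php';
require '$app_root/$tier/config/bootstrap.php';

\$config = yii\helpers\ArrayHelper::merge(
    require '$app_root/common/config/main.php',
    require '$app_root/common/config/main-local.php',
    require '$app_root/$tier/config/main.php',
    require '$app_root/$tier/config/main-local.php'
);

(new yii\web\Application(\$config))->run();
EOF
}

# Frontend at WEB_ROOT/, backend at WEB_ROOT/admin (the layout from the question).
publish_entry_scripts() {
  app_root="$1"; web_root="$2"
  write_entry_script "$app_root" frontend "$web_root"
  write_entry_script "$app_root" backend "$web_root/admin"
}

# Sanity check: the document root may contain entry scripts and the assets/
# directories Yii publishes into, but no other PHP files and none of the
# directories that hold credentials, dependencies or logs. Returns 0 when clean.
check_web_root_is_minimal() {
  web_root="$1"
  stray=$(find "$web_root" -type f -name '*.php' ! -name index.php)
  stray_dirs=$(find "$web_root" -type d \( -name config -o -name vendor -o -name runtime -o -name common \))
  if [ -n "$stray$stray_dirs" ]; then
    echo "content that should not be under the document root:"
    echo "$stray$stray_dirs"
    return 1
  fi
  return 0
}
```

With this split, a misconfigured vhost or a directory-listing slip can expose at most index.php and published assets; main-local.php, vendor/ and the runtime logs are simply not under any path apache serves. Remember that moving index.php also moves @webroot, so published assets land in WEB_ROOT/assets and that is the directory that needs the write permission discussed earlier.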