Rename project to UploadShield: update runtime, configs, docs, and provisioning; run lint/tests
This commit is contained in:
@@ -1,6 +1,6 @@
|
||||
# Installation & Production Deployment Guide
|
||||
|
||||
This guide shows a minimal, secure installation and rollout path for UploadShield's primary script (`upload-logger.php`).
|
||||
This guide shows a minimal, secure installation and rollout path for UploadShield's primary script (`uploadshield.php`).
|
||||
Follow these steps in a staging environment first; do not enable blocking until detectors are tuned.
|
||||
|
||||
**Prerequisites**
|
||||
@@ -9,9 +9,9 @@ Follow these steps in a staging environment first; do not enable blocking until
|
||||
- SSH/privileged access to configure the site pool and run provisioning scripts.
|
||||
|
||||
**Quick overview**
|
||||
1. Place `upload-logger.php` in a secure per-site folder (recommended `.security`).
|
||||
1. Place `uploadshield.php` in a secure per-site folder (recommended `.security`).
|
||||
2. Create `logs/`, `quarantine/`, `state/` and set strict ownership and permissions.
|
||||
3. Configure `upload-logger.json` for your environment; keep `ops.block_suspicious` off for initial tuning.
|
||||
3. Configure `uploadshield.json` for your environment; keep `ops.block_suspicious` off for initial tuning.
|
||||
4. Enable `auto_prepend_file` in the site PHP-FPM pool to run the logger before application code.
|
||||
5. Verify logging, tune detectors, deploy log rotation, and enable alerting.
|
||||
|
||||
@@ -31,7 +31,7 @@ vendor/bin/phpstan analyse -c phpstan.neon
|
||||
```
|
||||
|
||||
**2. Recommended file layout (per-site)**
|
||||
Use a hidden per-site security folder so `upload-logger.php` is not web-accessible.
|
||||
Use a hidden per-site security folder so `uploadshield.php` is not web-accessible.
|
||||
|
||||
Example layout:
|
||||
|
||||
@@ -41,16 +41,16 @@ Example layout:
|
||||
├── app/
|
||||
├── uploads/
|
||||
├── .security/
|
||||
│ ├── upload-logger.php
|
||||
│ ├── uploadshield.php
|
||||
│ └── logs/
|
||||
│ └── uploads.log
|
||||
├── quarantine/
|
||||
└── state/
|
||||
```
|
||||
Place `uploadshield.php` into `.security/uploadshield.php`.
|
||||
|
||||
**3. Copy files & configure**
|
||||
- Place `upload-logger.php` into `.security/upload-logger.php`.
|
||||
- Copy `upload-logger.json` from the repository to the same directory and edit paths to absolute values, e.g.:
|
||||
- Place `uploadshield.php` into `.security/uploadshield.php`.
|
||||
- Copy `uploadshield.json` from the repository to the same directory and edit paths to absolute values, e.g.:
|
||||
- `paths.log_file` → `/var/www/sites/example-site/.security/logs/uploads.log`
|
||||
- `paths.quarantine_dir` → `/var/www/sites/example-site/quarantine`
|
||||
- `paths.state_dir` → `/var/www/sites/example-site/state`
|
||||
@@ -81,14 +81,14 @@ chmod 0640 /var/www/sites/example-site/.security/logs/uploads.log
|
||||
|
||||
Alternatively use the included provisioning scripts on the host:
|
||||
- `scripts/provision_dirs.sh` — run as root; idempotent and attempts to set SELinux fcontext.
|
||||
- `scripts/ansible/upload-logger-provision.yml` — Ansible playbook for bulk provisioning.
|
||||
- `scripts/ansible/uploadshield-provision.yml` — Ansible playbook for bulk provisioning.
|
||||
|
||||
**5. PHP‑FPM configuration (per-site pool)**
|
||||
Edit the site's FPM pool (example: `/etc/php/8.1/fpm/pool.d/example-site.conf`) and add:
|
||||
|
||||
php_admin_value[auto_prepend_file] = /var/www/sites/example-site/.security/uploadshield.php
|
||||
```ini
|
||||
; Ensure upload-logger runs before application code
|
||||
php_admin_value[auto_prepend_file] = /var/www/sites/example-site/.security/upload-logger.php
|
||||
; Ensure uploadshield runs before application code
|
||||
php_admin_value[auto_prepend_file] = /var/www/sites/example-site/.security/uploadshield.php
|
||||
```
|
||||
|
||||
Then reload PHP-FPM:
|
||||
@@ -98,11 +98,11 @@ sudo systemctl reload php8.1-fpm
|
||||
```
|
||||
|
||||
Notes:
|
||||
- Use the absolute path to `upload-logger.php`.
|
||||
- Use the absolute path to `uploadshield.php`.
|
||||
- If your host uses a shared PHP-FPM pool, consider enabling per-vhost `auto_prepend_file` via nginx/apache or create a dedicated pool for the site.
|
||||
|
||||
**6. Log rotation**
|
||||
Create `/etc/logrotate.d/upload-logger` with content adapted to your paths:
|
||||
Create `/etc/logrotate.d/uploadshield` with content adapted to your paths:
|
||||
|
||||
```
|
||||
/var/www/sites/example-site/.security/logs/uploads.log {
|
||||
@@ -129,10 +129,10 @@ Create `/etc/logrotate.d/upload-logger` with content adapted to your paths:
|
||||
- Upload a file containing `<?php` to confirm detectors log `suspicious_upload` entries.
|
||||
- Check `logs/uploads.log` for events.
|
||||
|
||||
Example quick test (on host):
|
||||
php -S 127.0.0.1:8000 -t . -d auto_prepend_file=/var/www/sites/example-site/.security/uploadshield.php
|
||||
```bash
|
||||
# from site root
|
||||
php -S 127.0.0.1:8000 -t . -d auto_prepend_file=/var/www/sites/example-site/.security/upload-logger.php
|
||||
php -S 127.0.0.1:8000 -t . -d auto_prepend_file=/var/www/sites/example-site/.security/uploadshield.php
|
||||
# then curl a file POST to your test endpoint
|
||||
curl -F "file=@/path/to/sample.txt" http://127.0.0.1:8000/upload_test.php
|
||||
```
|
||||
@@ -146,7 +146,7 @@ curl -F "file=@/path/to/sample.txt" http://127.0.0.1:8000/upload_test.php
|
||||
|
||||
**9. Gradual enable blocking**
|
||||
- After tuning, enable blocking in a controlled manner:
|
||||
1. Set `ops.block_suspicious` → `true` in `upload-logger.json` on a small subset of sites or a canary host.
|
||||
1. Set `ops.block_suspicious` → `true` in `uploadshield.json` on a small subset of sites or a canary host.
|
||||
2. Monitor errors, rollback quickly if issues appear.
|
||||
3. Gradually roll out to remaining hosts.
|
||||
|
||||
@@ -159,17 +159,17 @@ curl -F "file=@/path/to/sample.txt" http://127.0.0.1:8000/upload_test.php
|
||||
- Ensure `quarantine/` and `.security/logs` are not accessible from the web server.
|
||||
- Verify SELinux/AppArmor contexts after running provisioning.
|
||||
- Ensure owner/group are set to root and web group (e.g., `root:www-data`) and modes match the guide.
|
||||
- Keep `upload-logger.php` readable by root (644) and the logs readable only by the intended group (640).
|
||||
Keep `uploadshield.php` readable by root (644) and the logs readable only by the intended group (640).
|
||||
|
||||
**Rollback**
|
||||
- Disable `php_admin_value[auto_prepend_file]` in the pool and reload PHP-FPM.
|
||||
- Remove or rotate the `upload-logger` files if needed.
|
||||
- Remove or rotate the `uploadshield` files if needed.
|
||||
|
||||
**Further reading & files**
|
||||
- Integration notes: [INTEGRATION.md](INTEGRATION.md)
|
||||
- Provisioning script: `scripts/provision_dirs.sh`
|
||||
- Ansible playbook: `scripts/ansible/upload-logger-provision.yml`
|
||||
- Example configuration: `upload-logger.json`
|
||||
- Ansible playbook: `scripts/ansible/uploadshield-provision.yml`
|
||||
- Example configuration: `uploadshield.json`
|
||||
|
||||
---
|
||||
If you want, I can: (a) generate a site-specific copy of these snippets for your exact paths/PHP version, (b) open a PR with the updated documentation, or (c) produce a one-command installer playbook that runs the provisioning and copies files to a remote host. Tell me which option you prefer.
|
||||
|
||||
Reference in New Issue
Block a user