PHP Classes

How to Improve the Security of a Web Application Using a Nginx PHP Front Controller Design Pattern Implementation


Categories: PHP Tutorials, PHP Security

The front controller is a popular design pattern used by many PHP applications to handle all the HTTP requests sent to a Web application.

Read this article to learn how to implement this design pattern with PHP using the Nginx Web server to prevent security attacks.





In this article you will learn:

What is the Front Controller Design Pattern

How to Implement a Front Controller with PHP and Nginx

How a Malicious Attack Happens

How to Prevent this Type of Attack

Where Can You Learn More About the Front Controller Design Pattern


Introduction

In this article, I will explain how to improve the security of a Web application with the Front Controller design pattern, which is implemented by many PHP frameworks such as Yii2, Laravel, Symfony, CakePHP, Zend Framework, etc.

What is the Front Controller Design Pattern

A front controller is a piece of code that handles all the requests for a Web application. A front controller may be implemented as an object (Java) or using a scripting language (PHP, Ruby, Python) that is called on every request of a Web session.

For example, a script like "index.php" can be the entry point of the code that handles every HTTP request. It handles all the requests of applications that use frameworks, like "web/index.php" in Yii2 or "public/index.php" in Laravel.

How to Implement a Front Controller with PHP and Nginx

In most applications, Nginx is configured to invoke PHP with configuration lines like the following:

location ~ \.php$ {
 ...
}

Using the above configuration, Nginx passes every request whose URL ends with ".php" to the PHP interpreter.

How a Malicious Attack Happens

Let's suppose you have a Web application that allows users to upload files. If you missed or forgot to implement strict validation rules, a malicious user could upload a file like shell.php (containing malicious code) to the server.

The malicious user can then open the file on the server using a URL like the one below:

http://[host]/files/shell.php

With the Nginx configuration above, "shell.php" is executed and a malicious attack can be performed on your Web application.

How to Prevent this Type of Attack

If you are familiar with Yii or Laravel, you may know that the application life cycle starts with "index.php", the entry point of the framework. This is where the Web application instance is created to process every request.

Since every request is handled by that "index.php", the Nginx configuration should be like the following:

location = /index.php {
    # only the front controller is ever handed to PHP-FPM
    try_files $uri =404;
    include fastcgi_params;
    # $fastcgi_script_name already starts with "/", so no extra slash is needed
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass 127.0.0.1:9000;
}
location ~ \.php$ {
    # prevent exposure of any other .php files!!!
    return 404;
}

Here, when a malicious user tries to run any other "*.php" file directly, Nginx returns a 404 Not Found HTTP status, thus preventing this kind of attack.
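To see why the exact-match location takes precedence and what each request URI resolves to, here is a small Python model of Nginx location selection, added as an illustration (not code from the original article or from Nginx itself); it covers only the "=" and "~" modifiers used above, and the config tables and request URIs are constructed for the example. It also shows that a URI such as /index.php/users does not hit the exact location, because "=" requires an exact match.

```python
import re

# Constructed models of the two configurations shown in the article.
# Each entry is (modifier, pattern, action).
ORIGINAL_CONFIG = [
    ("~", r"\.php$", "fastcgi"),            # every *.php goes to PHP
]
HARDENED_CONFIG = [
    ("=", "/index.php", "fastcgi"),          # only the front controller
    ("~", r"\.php$", "return 404"),          # any other *.php is refused
]


def resolve(config, uri):
    """Return the action Nginx would take for `uri` under `config`.

    Nginx checks "=" (exact) locations first and stops on a hit; otherwise
    the first matching "~" (regex) location in file order wins. Neither
    snippet on the page defines a prefix location, so anything unmatched
    falls through to the default static file handler, modelled as "static".
    """
    for modifier, pattern, action in config:
        if modifier == "=" and uri == pattern:
            return action
    for modifier, pattern, action in config:
        if modifier == "~" and re.search(pattern, uri):
            return action
    return "static"


def audit(config, uris):
    """Map each URI to the action it resolves to, for side-by-side review."""
    return {uri: resolve(config, uri) for uri in uris}


if __name__ == "__main__":
    # Constructed sample URIs, including the uploaded shell from the article.
    samples = ["/index.php", "/files/shell.php", "/files/image.png",
               "/index.php/users"]
    for uri in samples:
        print(f"{uri:20} original={resolve(ORIGINAL_CONFIG, uri):10} "
              f"hardened={resolve(HARDENED_CONFIG, uri)}")
```

The last sample matters for frameworks that route through path info (/index.php/users): with the exact location alone it is served as a static path, so such applications also need a rewrite to /index.php (for example via try_files), which this article does not cover.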

Where Can You Learn More About the Front Controller Design Pattern

You can learn more about the front controller design pattern on the respective Wikipedia page or in useful tutorials like the one on this page.

If you would like to share other thoughts about implementing the front controller design pattern in PHP applications, please post a comment below to share your point of view.



